Tamper protection enabled
Demonstrate that tamper protection mechanisms are enabled and enforced on all endpoints to prevent unauthorized modification or disabling of security software and associated configurations.
Description
What this control does
Tamper protection is a security feature that prevents unauthorized users, malware, or malicious processes from disabling or altering critical security software components such as antivirus engines, real-time scanning, behavior monitoring, and cloud-delivered protection services. This control enforces system-level or kernel-level restrictions that block attempts to stop security services, delete signature files, modify registry keys, or uninstall security agents without proper administrative authentication. Enabling tamper protection ensures that even if an attacker gains elevated privileges or deploys sophisticated malware, the endpoint security stack remains operational and continues to provide visibility and protection throughout the attack lifecycle.
Control objective
What auditing this proves
Demonstrate that tamper protection mechanisms are enabled and enforced on all endpoints to prevent unauthorized modification or disabling of security software and associated configurations.
Associated risks
Risks this control addresses
- Malware disables antivirus or EDR agents before executing payload, evading detection and response
- Ransomware operators terminate security processes and delete backup agents to maximize impact
- Insider threats with administrative access disable monitoring tools to perform unauthorized activities without logging
- Credential-stuffing or privilege-escalation attacks leverage compromised accounts to turn off endpoint protections
- Fileless malware or living-off-the-land techniques modify registry keys or group policies to weaken security posture
- Attackers leverage legitimate administrative tools (PowerShell, WMI, Task Scheduler) to persistently disable security services
- Unprotected endpoints become staging grounds for lateral movement after initial compromise
Testing procedure
How an auditor verifies this control
- Obtain a current inventory of all managed endpoints including operating systems, installed security agents, and management consoles or platforms.
- Review the security software vendor's documentation to identify tamper protection features, supported platforms, and configuration requirements.
- Access the central management console or cloud portal for the endpoint protection platform and navigate to tamper protection policy settings.
- Export or screenshot the global and group-level tamper protection configurations, noting enforcement state, exclusions, and any conditional policies.
- Select a representative sample of at least 10 endpoints across different operating systems, organizational units, and criticality tiers for hands-on validation.
- Connect to each sampled endpoint and verify tamper protection status using native agent commands, registry queries, or vendor-provided diagnostic tools.
- Simulate tamper attempts on a controlled test endpoint by attempting to stop security services, modify protected registry keys, or uninstall the agent using administrative credentials.
- Review security event logs, SIEM alerts, or management console dashboards for tamper attempt detection events and verify that tamper protection blocked the actions and generated alerts.
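The hands-on validation and log-review steps above, collected as one repeatable evidence run. This is an added example, not part of the original control text or any vendor's tooling; it assumes the sampled endpoints run Microsoft Defender Antivirus with PowerShell remoting enabled (other EDR products expose equivalent status commands and tamper-block event IDs), and the endpoint names in `$SampledEndpoints` are constructed placeholders for the sample drawn from the inventory.

```powershell
# Added example (not the control's own text). Assumes Microsoft Defender Antivirus
# and PowerShell remoting on each sampled endpoint. Endpoint names are constructed.
$SampledEndpoints = @('WS-FIN-01', 'WS-ENG-07', 'SRV-DB-02')

$EndpointCheck = {
    # Agent-reported state: Get-MpComputerStatus exposes IsTamperProtected.
    $status = Get-MpComputerStatus

    # Registry-reported state: the Defender Features key stores tamper protection
    # as a DWORD (documented by Microsoft as 5 = enabled, 4 = disabled).
    $regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $regValue = (Get-ItemProperty -Path $regPath -Name TamperProtection `
                    -ErrorAction SilentlyContinue).TamperProtection

    # Evidence that enforcement actually fires: event ID 5013 is written when
    # tamper protection blocks a change. Look back 30 days for the audit window,
    # which should include the controlled tamper simulation from the prior step.
    $blocked = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        AgentSaysEnabled   = [bool]$status.IsTamperProtected
        RegistryValue      = $regValue
        RegistrySaysOn     = ($regValue -eq 5)
        BlockedAttempts30d = @($blocked).Count
        # Agent and registry disagreeing is itself a finding worth explaining.
        Consistent         = ([bool]$status.IsTamperProtected -eq ($regValue -eq 5))
    }
}

$results = Invoke-Command -ComputerName $SampledEndpoints -ScriptBlock $EndpointCheck

# A finding is any endpoint that is not enabled, or where the two sources disagree.
$findings = $results | Where-Object { -not $_.AgentSaysEnabled -or -not $_.Consistent }

$results | Format-Table Computer, AgentSaysEnabled, RegistryValue, RegistrySaysOn,
                        BlockedAttempts30d, Consistent -AutoSize
$results | Export-Csv -Path .\tamper-protection-evidence.csv -NoTypeInformation

if ($findings) {
    Write-Warning ('Tamper protection gaps on: ' + ($findings.Computer -join ', '))
}
```

The CSV is the per-endpoint evidence for the sample; pair it with the exported console policy so the auditor can show that the central setting, the agent's self-report, the registry state and the blocked-attempt events all agree. A test endpoint where the simulated tamper attempt produced no 5013 event should be treated as a failed verification even if the agent reports tamper protection as enabled.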
Where this control is tested