Microsoft Defender 'Tamper Protection' reaches general availability

Tamper Protection prevents malware from disabling Windows Defender features.


Today, Microsoft announced the general availability of a new Microsoft Defender antivirus feature named Tamper Protection.

This new feature works by blocking malware from disabling Microsoft Defender (formerly Windows Defender) features behind the user's back.

According to Microsoft, with Tamper Protection, malicious apps won't be able to:

  • Disable virus and threat protection
  • Disable real-time protection
  • Turn off behavior monitoring
  • Disable Defender's antivirus components (such as IOfficeAntivirus (IOAV))
  • Disable cloud-delivered protection
  • Remove security intelligence updates

Microsoft says that Tamper Protection "essentially locks Microsoft Defender" and prevents security settings from being changed through third-party apps and methods like:

  • Configuring settings in Registry Editor on a Windows machine
  • Changing settings through PowerShell cmdlets
  • Editing or removing security settings through group policies
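To check a host against the list above from an administrator's side, here is an added example (not from the article, and not Microsoft's code): a PowerShell audit that uses the built-in Defender cmdlets to report whether Tamper Protection is on and whether any of the features it is meant to lock are currently disabled. The seven-day signature-age threshold is an assumption chosen for the example.

```powershell
# Added example: audit a Windows 10 host's Defender state with the built-in
# Defender cmdlets (Get-MpComputerStatus / Get-MpPreference). Run from an
# elevated PowerShell session on a machine with Microsoft Defender installed.

function Get-DefenderTamperAudit {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are flagged (assumed threshold)
        [int]$MaxSignatureAgeDays = 7
    )

    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference

    # Map each protection the article lists to the property that reports it.
    # A disabled value is a finding regardless of who changed it.
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $status.IsTamperProtected) {
        $findings.Add('Tamper Protection is OFF: Defender settings can be changed locally')
    }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Virus and threat protection disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection disabled') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring disabled') }
    if (-not $status.IoavProtectionEnabled)     { $findings.Add('IOAV (download/attachment scanning) disabled') }
    # MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced
    if ($prefs.MAPSReporting -eq 0)             { $findings.Add('Cloud-delivered protection disabled') }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Security intelligence is $($status.AntivirusSignatureAge) days old")
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        TamperProtected  = [bool]$status.IsTamperProtected
        SignatureVersion = $status.AntivirusSignatureVersion
        Findings         = $findings.ToArray()
        Compliant        = ($findings.Count -eq 0)
    }
}

# Usage: run on each workstation (for example via Invoke-Command across a
# fleet) and alert on any result where Compliant is $false.
Get-DefenderTamperAudit | Format-List
```

On hosts where Tamper Protection is enabled, a disabled feature in the output points to a change made through a channel Tamper Protection does not cover (for example an Intune policy), which is worth correlating with the alerts raised in Security Center.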

The feature will be available both for the free version of Microsoft Defender (the one that ships with all modern Windows OS versions) and for Microsoft Defender Advanced Threat Protection (ATP), the commercial version primarily employed on enterprise networks.

Work on Tamper Protection began in December 2018, when it was first rolled out to Windows Insider previews. In March this year, Microsoft rolled it out to Microsoft Defender ATP for further testing.

Starting today, the feature will be available for all Microsoft Defender users. Microsoft told ZDNet in a phone call last week that the feature will be enabled by default for all users in the coming weeks, in a multi-stage rollout.

If users don't want to wait, Microsoft said they can also enable Tamper Protection right now.

A new option has been added to the Windows Security options page to control Tamper Protection's state. To enable or disable Tamper Protection, the steps are:

  1. Click Start, and start typing Defender. In the search results, select Windows Security.

  2. Select Virus & threat protection > Virus & threat protection settings.

  3. Set Tamper Protection to On or Off.

[Image: the Tamper Protection toggle in the Windows Security settings page]

Image: ZDNet

But Microsoft emphasizes that Tamper Protection was specifically built for enterprise environments, where the protection level it provides is far superior to what a home user gets.

Here, when a system administrator enables the feature for a company's workstations, Tamper Protection locks out malware and end-users alike. Once enabled, only administrators will be able to change Defender settings across a company's computers.

The only catch is that administrators must use Microsoft Intune to manage their workstation fleet.

"When an administrator enables the policy in Microsoft Intune, the tamper protection policy is digitally signed in the backend before it's sent to endpoints," Microsoft says.

"The endpoint verifies the validity and intent, establishing that it is a signed package that only security operations personnel with Microsoft Intune admin rights can control."

[Image: the Tamper Protection policy in Microsoft Intune]

Image: Microsoft

In enterprise setups, when malware or users try to modify Defender features, an alert is raised in Microsoft Defender ATP's Security Center, which administrators can investigate further.

Tamper Protection is only available for Windows 10 version 1903 (the May 2019 release) or later. Microsoft said it will work to port the feature to older versions.