Windows security: Microsoft Defender AV can now stop malware from disabling it

Microsoft adds new tamper-protection feature that stops malware from switching off key security features.
Written by Liam Tung, Contributing Writer

Microsoft has added tamper protection to Microsoft Defender Advanced Threat Protection (ATP), the enterprise platform built around its Windows Defender Antivirus engine, to counter the common malware tactic of switching off antivirus on an infected PC.

The new feature can be enabled from within the Windows Security app under a new toggle simply called 'Tamper Protection'. 

The feature stops malware from changing core settings such as real-time protection, a feature that Microsoft says "should rarely, if ever, be disabled". 

There are numerous examples of malware attempting to evade detection by neutralizing a computer's security guard. The DoubleAgent technique, for instance, abused a legitimate Windows developer feature (Microsoft's Application Verifier) to inject code into antivirus processes and take control of, or turn off, Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, and Norton.

More recently, a Linux crypto-miner was found to disable Linux-based anti-malware products, while a newly discovered macOS trojan disables Apple's built-in Gatekeeper security feature.    

Defender ATP's tamper protection also stops malware from disabling Microsoft's cloud-delivered protection, the service that helps block never-before-seen malware, and from switching off the scanning of files and attachments downloaded from the internet. Once the setting is enabled, malware will also be unable to delete security intelligence (signature) updates.

While Microsoft Defender ATP is an enterprise product, tamper protection will be available to Windows home users and it will be enabled by default.


Enterprise customers, meanwhile, will need to opt in to tamper protection, and admins can manage the feature through the Intune management console. Once it is managed centrally, end users will not be able to change the setting locally, which stops malware, or a malicious insider, from simply switching it off on the endpoint.
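The article describes the toggle in the Windows Security app and central management through Intune, but does not show how to verify the setting on a host. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the tamper-protection state, attempts the same change malware would make (disabling real-time protection through the supported management interface), reads the setting back to confirm the change was ignored, and lists recent blocked-change events. It uses the standard Defender cmdlets (`Get-MpComputerStatus`, `Get-MpPreference`, `Set-MpPreference`, `Get-WinEvent`); the registry value and the event ID it checks are assumptions taken from Microsoft's published guidance and should be verified against your build. Run it elevated on a lab machine, not a production endpoint.

```powershell
#Requires -RunAsAdministrator
# Added example: check that tamper protection is on and that it actually holds.
# Assumptions (verify on your build): the TamperProtection registry value is
# 5 when on and 4 when off, and event ID 5013 records a blocked change.

function Get-TamperProtectionState {
    # IsTamperProtected and RealTimeProtectionEnabled are properties exposed by
    # Get-MpComputerStatus on Windows 10 builds that ship the feature.
    $status = Get-MpComputerStatus
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $regValue = (Get-ItemProperty -Path $regPath -Name TamperProtection `
                    -ErrorAction SilentlyContinue).TamperProtection
    [pscustomobject]@{
        IsTamperProtected     = [bool]$status.IsTamperProtected
        RegistryValue         = $regValue          # assumption: 5 = on, 4 = off
        RealTimeProtectionOn  = [bool]$status.RealTimeProtectionEnabled
    }
}

function Test-TamperProtectionBlocksChange {
    # Simulate what malware with admin rights would try: turn off real-time
    # monitoring through Set-MpPreference. With tamper protection on the change
    # may be silently ignored rather than rejected with an error, so reading the
    # setting back is the only reliable check.
    $before = (Get-MpPreference).DisableRealtimeMonitoring
    try {
        Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Stop
    } catch {
        Write-Verbose "Set-MpPreference raised: $($_.Exception.Message)"
    }
    $after = (Get-MpPreference).DisableRealtimeMonitoring
    if ($after -and -not $before) {
        # The change stuck: tamper protection did not hold. Undo it immediately.
        Set-MpPreference -DisableRealtimeMonitoring $false
        return $false
    }
    return $true
}

function Get-TamperProtectionBlockEvents {
    param([int]$Hours = 24)
    # Blocked changes are logged to the Defender operational log. Event ID 5013
    # is an assumption from Microsoft's Defender Antivirus event reference.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state = Get-TamperProtectionState
$state | Format-List

if ($state.IsTamperProtected) {
    if (Test-TamperProtectionBlocksChange) {
        Write-Host 'Tamper protection held: real-time protection stayed on.'
    } else {
        Write-Warning 'Real-time protection was disabled although tamper protection reports on.'
    }
    Get-TamperProtectionBlockEvents | Format-Table -AutoSize
} else {
    Write-Warning 'Tamper protection is off. Enable it under Windows Security > Virus & threat protection settings, or push it through Intune for managed devices.'
}
```

The read-back in `Test-TamperProtectionBlocksChange` is the important part: a script that only checks whether `Set-MpPreference` threw an error would miss the case where the call succeeds but the protected setting is left unchanged, which is exactly the behaviour tamper protection is meant to produce.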

Microsoft actually introduced tamper protection via the Windows Insider preview program in December, shortly after rolling out a feature that allows the antivirus system to run inside a sandbox to prevent attackers using vulnerabilities in Defender to compromise the operating system. 

Microsoft says that users can test the new tamper-protection feature by installing Windows Insider builds released during March 2019 or later.   

Originally called Windows Defender ATP, the product was renamed Microsoft Defender ATP last week, after Microsoft announced support for macOS computers.

Microsoft says enabling tamper protection stops malicious apps from changing important Windows protection settings.

Image: Microsoft
