Microsoft has added tamper protection to its antivirus product Microsoft Defender Advanced Threat Protection (ATP) to prevent the common malware tactic of disabling antivirus on infected PCs.
The new feature can be enabled from within the Windows Security app under a new toggle simply called 'Tamper Protection'.
The feature stops malware from changing core settings such as real-time protection, a feature that Microsoft says "should rarely, if ever, be disabled".
There are numerous examples of malware attempting to evade detection by neutralizing a computer's security guard, such as the DoubleAgent malware that exploited a Windows developer feature to turn off Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, and Norton.
More recently, a Linux crypto-miner was found to disable Linux-based anti-malware products, while a newly discovered macOS trojan disables Apple's built-in Gatekeeper security feature.
The Defender ATP tamper protection also stops malware from disabling Microsoft's cloud-based malware detection and preventing services that help block zero-day malware, as well as a feature to detect dodgy files from the internet. And malware will not be able to delete security intelligence updates once the setting has been enabled.
While Microsoft Defender ATP is an enterprise product, tamper protection will be available to Windows home users and it will be enabled by default.
SEE: 20 pro tips to make Windows 10 work the way you want (free PDF)
Enterprise customers meanwhile will need to opt in to tamper protection, and admins can manage the feature through the Intune management console. To prevent malware and malicious insiders from disabling the setting, end users in the enterprise will not be able to change the setting.
Microsoft actually introduced tamper protection via the Windows Insider preview program in December, shortly after rolling out a feature that allows the antivirus system to run inside a sandbox to prevent attackers using vulnerabilities in Defender to compromise the operating system.
Microsoft says that users can test the new tamper-protection feature by installing Windows Insider builds released during March 2019 or later.
Originally called Windows Defender ATP, Microsoft last week decided to rename it Microsoft Defender ATP after announcing support for macOS computers.
More on Microsoft, Windows and security
- Microsoft brings Windows 10 security to Apple Macs with Defender ATP
- Windows Defender becomes first antivirus to run inside a sandbox
- Microsoft's Windows Defender Advanced Threat Protection service now available for Windows 7, 8.1 clients
- Some Windows 7, 8.1 users reporting Security Essentials and Windows Defender problems
- MacOS Trojan disables Gatekeeper to deploy malicious payloads
- Windows 10: DoubleAgent zero-day hijacks Microsoft tool to turn antivirus into malware
- How virtualisation is changing Windows application security TechRepublic
- Microsoft brings Windows Defender to Chrome and Firefox CNET