Microsoft adds Tamper Protection to Microsoft Defender to protect against malware disabling it

Over the last few years, malware has really started targeting antivirus software, so Microsoft is releasing a new feature that aims to prevent that.

Microsoft continues to work on making Windows a locked-down experience, with the latest security feature coming the form of Tamper Protection to Microsoft Defender. It’s been available to Insiders for most of the year, but finally went GA in October.

More and more malware is being designed to quietly disable antivirus software without users or administrators noticing. One recent example is the Novter Trojan, which specifically goes after Microsoft Defender. Once installed on someone’s desktop, it executes a PowerShell script to add Windows policies that disable the AV application. Some of the policies Novter adds disable disable real-time protection, automatic updates, and peer-to-peer updates. Another example is the DoubleAgent malware that disabled some of the common AV software, like Avast, Bitdefender, and McAfee through the Windows developer feature Application Verifier.

It's not hard to see why malware and other attacks would want endpoint protection applications disabled. So, now Microsoft is attempting to prevent this when it comes to Defender by adding Tamper Protection.

What is Tamper Protection?

The newest Microsoft Defender feature prevents malware from disabling the AV application without users and organizations knowing. Tamper Protection prevents malware from killing features within Defender like virus and threat protection, real-time protection, behavior monitoring, cloud protection, and security intelligence updates. Essentially, with Tamper Protection turned on, Defender is locked down and no changes can be made to it.

Malware tries to disable Microsoft Defender a few different ways, from using Registry Editor to alter Windows settings, changing settings via PowerShell cmdlets, and using group policies to change or remove settings.

Tamper Protection is available on Microsoft Defender that ships as part of Windows 10 and the enterprise-focused Defender Advanced Threat Protection. While the feature is enabled by default on all devices, it’s currently still rolling out—though admins can opt to enable immediately.

While all Windows 10 users can take advantage of the protection of Tamper Protection, it’s mainly designed for Windows devices in the enterprise, with the ability to keep users and malware alike from making any changes. Unfortunately, to manage the latest feature, admins must use Intune.

"When an administrator enables the policy in Microsoft Intune, the tamper protection policy is digitally signed in the backend before it's sent to endpoints," Microsoft says. "The endpoint verifies the validity and intent, establishing that it is a signed package that only security operations personnel with Microsoft Intune admin rights can control." 

Microsoft Defender enterprise use

Defender, previously named Windows Defender (since renamed as Defender ATP is available for macOS), has been around since XP for download and became part of shipping versions of Windows Vista and newer Windows OSes. One question we had was how many people use Defender in the enterprise?

To get an idea, we turned back to the 2019 VDI Like a Pro survey for the third time because they asked respondents, “Which is the most used Antivirus solution in the VDI/SBC (on-premises and cloud) environment?” While this survey doesn’t necessarily reflect the entire EUC, it does provide some context. 

https://cdn.ttgtmedia.com/rms/onlineimages/microsoftdefender.png
VDI Like a Pro Survey chart

Respondents had Windows Defender as the second most used AV application below Symantec End Point Protection. Microsoft themselves, in 2018, proclaimed Microsoft Defender the most widely deployed

Wrap-up

Microsoft continues to work on improving the security of Windows right out of the box; one recent example we covered is their plan to eliminate passwords and the news around secured-core devices. Additionally, Microsoft released Automated Incident Response, which is part of Office 365 Advanced Threat Protection for all customers.

One aspect of Tamper Protection that I liked was how it aims solves two problems: preventing malware from disabling Microsoft Defender and preventing employees from doing that as well. We’ll keep an eye on it to see if the new feature does as is intended.

Dig Deeper on Windows OS and management