Tamper Protection, a feature in WithSecure Elements Endpoint Protection for Windows, protects the most important parts of the product from malicious tampering. For example, with Tamper Protection enabled, it’s not possible to stop the background services needed to protect the device.
Until now, Tamper Protection has been disabled by default, meaning that the security administrator has needed to enable this functionality to increase the protection against bad actors.
We are seeing an increase in attacks that try to uninstall our product or kill our processes before infecting the device.
Starting from 19th October 2022, we will be changing the default setting of this feature so that it is turned on for all new profiles. This change means that, out of the box, customers have increased protection. Different regions will get the change on different dates.
Please consider disabling the “allow user to uninstall the product” option to be even better protected against these attacks.
What does this mean for existing profiles?
If you’ve never changed the Tamper Protection setting in the profiles you use, the functionality will be automatically enabled on your devices.
If you have changed the setting in the profile before we enable it by default, the current setting is honored. We will not change these automatically, because we have no idea why you’ve chosen your current setting.
If you wish to ensure that your “Tamper Protection” is disabled, you can do this in the following way:
- Clone current profile to a new one (the new profile will have identical settings but is not assigned to any devices)
- In the new profile turn Tamper Protection on and publish
- In the new profile turn Tamper Protection off and publish
- Click the number of assigned devices next to the old profile (it will open device listing filtered to devices with the old profile assigned)
- Assign the new profile to all of them
But I need to be able to turn off the services, as some of my tooling depends on this!
This is no problem. There is no change in the underlying functionality of Tamper Protection, merely the default state. If you need to be able to turn off the services, simply disable Tamper Protection in your profiles.