Issue:
When the Tamper Protection (Resource Protection) feature of Elements Endpoint Protection is enabled, an application, software, or process is blocked, and Tamper Protection alerts are logged on the Security Events page in the Elements Endpoint Protection portal.
Example of alert shown on the Security Events page:
Alert source: Tamper protection
Alert Description: Tamper protection protected "<process name>" from "<process name>"
Alert type: Process termination was blocked
Action Type: Process
Request type: Terminate process
Resolution:
This type of block is the intended behavior of the Tamper Protection feature.
When the path shows a registry path, Tamper Protection has detected that a process tried to open a protected part of the registry with write access rights. Even if the process does not try to modify the registry, the fact that it could is enough for it to be blocked by Tamper Protection.
When Tamper Protection blocks an operation, the application gets an ACCESS_DENIED error. This should not affect the functionality of the application; if it does, the problem is in the third-party application.
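The difference between requesting write access and actually writing, as an added PowerShell example that is not WithSecure's code: it opens the same HKLM key once read-only and once with write access and reports the outcome of each open. The function name and the key path are hypothetical placeholders; use the registry path shown in the alert.

```powershell
# Added example (not vendor code). Opens a key under HKLM and reports whether
# the open itself succeeded. No value is read or written in either case.
function Test-RegistryOpen {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,   # path relative to HKLM
        [switch] $Writable                          # request write access as well
    )

    $result = [pscustomobject]@{
        KeyPath  = $KeyPath
        Writable = [bool]$Writable
        Outcome  = $null
    }
    $key = $null
    try {
        # writable = $false requests read access only;
        # writable = $true requests read and write access on the handle.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath, [bool]$Writable)
        $result.Outcome = if ($null -eq $key) { 'KeyNotFound' } else { 'Opened' }
    }
    catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        # The ACCESS_DENIED error surfaces here as a .NET exception.
        $result.Outcome = 'AccessDenied'
    }
    finally {
        if ($null -ne $key) { $key.Dispose() }
    }
    $result
}

# Hypothetical placeholder path; replace with the path from the alert.
$path = 'SOFTWARE\ExampleVendor\ProtectedKey'

Test-RegistryOpen -KeyPath $path              # read-only open
Test-RegistryOpen -KeyPath $path -Writable    # write-capable open, nothing is written
```

If the read-only open succeeds and the write-capable open returns AccessDenied, the refusal is tied to the access rights requested, so an application that only reads the key can avoid the block by opening it read-only. Ordinary registry ACLs also deny write opens under HKLM to non-administrators, so run the comparison under the same account as the affected application.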
If you do not want to see Tamper Protection alerts on the Security Events page in the Elements Endpoint Protection portal, you can filter them out by following these steps:
- Log in to the WithSecure Elements Endpoint Protection portal
- Select Profiles
- Select your Profile
- Select General Settings
- Scroll down to Exclude tamper protection events
This option allows you to exclude specific applications from generating tamper protection events.
Note that unauthorized access is still blocked, but no event is sent. Use this option to reduce the number of tamper protection events that you receive.
You can use wildcards (*) and system environment variables in the application path.
Article no: 000027391