Issue:
When the Tamper Protection (Resource Protection) feature of Elements Endpoint Protection is enabled, an application, software component, or process is blocked, and Tamper Protection alerts are logged on the Security Events page in the Elements Endpoint Protection portal.
Example of alert shown on the Security Events page:
Alert source: Tamper protection
Alert Description: Tamper protection protected "<process name>" from "<process name>"
Alert type: Process termination was blocked
Action Type: Process
Request type: Terminate process
Resolution:
This type of block is the intended behavior of Tamper Protection.
When the path shows a registry path, Tamper Protection has detected that a process tried to open a protected part of the registry with write access rights. Even if the process does not try to modify the registry, the fact that it could is enough for it to be blocked by Tamper Protection.
When Tamper Protection blocks an operation, the application gets an ACCESS_DENIED error. This should not affect the functionality of the application; if it does, the problem is in the third-party application.
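The following is an added example, not code from the vendor or from any affected application. It shows why a read-only job that asks for full access receives ACCESS_DENIED while the same job opened with read-only rights does not. The `model_protected_open` function, the registry path, and the set of access bits treated as "write" are assumptions that model the behavior described above.

```python
# Added example: a read-only job should not ask for write access.
try:
    import winreg                      # real API, Windows only
    OPEN_KEY = winreg.OpenKey
    HKLM = winreg.HKEY_LOCAL_MACHINE
except ImportError:                    # lets the model below run on any OS
    OPEN_KEY = HKLM = None

# Registry access masks as defined in winnt.h
KEY_READ = 0x20019
KEY_WRITE = 0x20006
KEY_ALL_ACCESS = 0xF003F
# Bits that would let the handle change the key: set value, create subkey,
# DELETE, WRITE_DAC, WRITE_OWNER. Which bits the product checks is an assumption.
MODIFY_BITS = 0x0002 | 0x0004 | 0x10000 | 0x40000 | 0x80000


def model_protected_open(root, subkey, reserved, access):
    """Constructed stand-in for a protected key: the open fails whenever the
    requested handle COULD write, whether or not a write would follow."""
    if access & MODIFY_BITS:
        raise PermissionError(13, "Access is denied", subkey)
    return {"subkey": subkey, "access": access}


def open_key(subkey, access, opener=OPEN_KEY, root=HKLM):
    """Return (handle, None), or (None, reason) when access is denied."""
    try:
        return opener(root, subkey, 0, access), None
    except PermissionError as exc:
        reason = f"denied opening {subkey} with access 0x{access:X}: {exc.strerror}"
        return None, reason


def open_for_reading(subkey, opener=OPEN_KEY, root=HKLM):
    """Least privilege: request only KEY_READ when the job is to read."""
    return open_key(subkey, KEY_READ, opener, root)


if __name__ == "__main__":
    key = r"SOFTWARE\ExampleVendor\Protected"   # hypothetical placeholder path
    # Over-broad request: blocked although nothing would have been written.
    print(open_key(key, KEY_ALL_ACCESS, model_protected_open))
    # Same job with read-only rights: succeeds in the model.
    print(open_for_reading(key, model_protected_open))
```

On Windows, omitting the `opener` argument makes both functions call the real `winreg.OpenKey`, which raises `PermissionError` on ACCESS_DENIED.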
If you do not want to see Tamper Protection alert notifications on the Security Events page of the Elements Endpoint Protection portal, you can filter them out by following these steps:
- Go to Security Configurations > Profiles.
- Select either For Windows Computers or For Windows Servers, depending on your environment.
- Choose the profile you want to edit.
- In the left-hand menu, click on Scanning settings.
- Scroll down to the Tamper Protection section.
- Click the Add exclusion button.
- Enter the application path to exclude it from Tamper Protection.
Note: You can use wildcards (*) and system environment variables in the application path.
Unauthorized access is still blocked with the exclusion in place, but no event is sent. Use this option to reduce the number of Tamper Protection events that you receive.