microsoft-365/security/defender-endpoint/tamper-resiliency.md
20 additions & 2 deletions
@@ -7,7 +7,7 @@ manager: dansimp
7
7
ms.reviewer: joshbregman
8
8
ms.service: microsoft-365-security
9
9
ms.subservice: mde
10
-
ms.date: 06/01/2023
10
+
ms.date: 07/04/2023
11
11
ms.topic: overview
12
12
ms.collection:
13
13
- tier1
@@ -104,11 +104,29 @@ Attackers can be preventing from discovering existing antivirus exclusions by en
104
104
105
105
When tampering is detected, an alert is raised. Some of the alert titles for tampering are:
106
106
107
+
- Attempt to bypass Microsoft Defender for Endpoint client protection
108
+
- Attempt to stop Microsoft Defender for Endpoint sensor
109
+
- Attempt to tamper with Microsoft Defender on multiple devices
110
+
- Attempt to turn off Microsoft Defender Antivirus protection
111
+
- Defender detection bypass
112
+
- Driver-based tampering attempt blocked
113
+
- Image file execution options set for tampering purposes
114
+
- Microsoft Defender Antivirus protection turned off
115
+
- Microsoft Defender Antivirus tampering
116
+
- Modification attempt in Microsoft Defender Antivirus exclusion list
117
+
- Pending file operations mechanism abused for tampering purposes
107
118
- Possible Antimalware Scan Interface (AMSI) tampering
119
+
- Possible remote tampering
120
+
- Possible sensor tampering in memory
108
121
- Potential attempt to tamper with MDE via drivers
122
+
- Security software tampering
123
+
- Suspicious Microsoft Defender Antivirus exclusion
109
124
- Tamper protection bypass
125
+
- Tampering activity typical to ransomware attacks
126
+
- Tampering with Microsoft Defender for Endpoint sensor communication
127
+
- Tampering with Microsoft Defender for Endpoint sensor settings
110
128
- Tampering with the Microsoft Defender for Endpoint sensor
111
-
- Possible tampering with protected processes
129
+
112
130
113
131
If the [Block abuse of exploited vulnerable signed drivers](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) attack surface reduction (ASR) rule is triggered, the event is viewable in the [ASR Report](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report) and in [Advanced Hunting](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize#asr-rules-advanced-hunting)
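Review bot: the removal of "- Possible tampering with protected processes" (old line 111) has no counterpart in the new alphabetized list, so confirm that this alert title was actually retired or renamed rather than dropped by accident; if it still fires, it belongs between "Possible sensor tampering in memory" and "Potential attempt to tamper with MDE via drivers". Also, the added blank line at new line 129 sits directly above the existing blank line 130, leaving two consecutive empty lines before the "If the ..." paragraph; drop one of them. Minor, in the unchanged context of this hunk's header: "Attackers can be preventing from discovering" should read "prevented", which is worth fixing in the same pass.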