Microsoft releases 'tamper protection' for all Windows 10 users to stop malware turning off antivirus


After testing tamper protection for months with Windows Insiders, Microsoft has released the feature to all Windows 10 users on version 1903. The security hardening feature can prevent malware from making unwanted changes to security settings on devices.

The feature is available to customers on Microsoft Defender ATP or Advanced Threat Protection, Microsoft’s more advanced security capabilities on top of the Defender antivirus. It will also be rolled out to all Windows 10 Home users and will be on by default.

Tamper Protection should be able to prevent changes made by admins or malware, including to real-time protection, cloud-delivered protection, IOAV for detecting suspicious files from the internet, behavior monitoring, and security intelligence updates. 

The feature could be helpful against sophisticated attacks such as Nodersok and Trickbot, the banking trojan that recently surged back to life after a three-month break over the 2019 Northern Hemisphere summer. Both malware families try to switch off Microsoft Defender antivirus.

Microsoft began testing tamper protection with Windows Insider testers in March, ahead of the general release of Windows 10 version 1903, or the May 2019 Update.

According to Microsoft, Tamper Protection “essentially locks Microsoft Defender” by preventing changes to settings being made via Registry Editor on a Windows machine; PowerShell cmdlets; and group policies.

End users at an organization with Windows Enterprise E5 cannot change the Tamper Protection setting, which is managed by the organization’s security team. Admins can turn Tamper Protection on or off using tools like Microsoft’s Intune for device management. However, users will see when a security setting is locked down by Tamper Protection.

“When an administrator enables the policy in Microsoft Intune, the tamper protection policy is digitally signed in the backend before it’s sent to endpoints,” explains Microsoft’s Shweta Jha.

“The endpoint verifies the validity and intent, establishing that it is a signed package that only security operations personnel with Microsoft Intune admin rights can control. With the right level of reporting, security operations teams are empowered to detect any irregularities.”

Security teams will also get an alert when there have been attempts to tamper with security settings, allowing them to investigate what’s happening and whether it’s a sign that a bigger attack is underway.

As mentioned, for Windows 10 Home users, tamper protection is turned on by default; however, the feature is rolling out gradually, according to Microsoft.

Home users can turn Tamper Protection on or off manually through the Windows Security app. As Microsoft explains:

  1. Click Start, and start typing Defender. In the search results, select Windows Security.
  2. Select Virus & threat protection > Virus & threat protection settings.
  3. Set Tamper Protection to On or Off.
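
To confirm from PowerShell that the setting took effect and that the protections listed earlier are actually on, a read-only audit can be run. This is an added example, not code from Microsoft or the original article; it assumes the built-in Defender cmdlets `Get-MpComputerStatus` and `Get-MpPreference`, and the function name and the 7-day signature age threshold are choices made for this example.

```powershell
# Added example: read-only audit of the Defender settings that Tamper Protection guards.
# It changes nothing; it only reports state. Run on the Windows 10 device being checked.
# Assumption: signatures older than $MaxSignatureAgeDays count as stale (example value).
$MaxSignatureAgeDays = 7

function Test-DefenderHardening {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Status,      # output of Get-MpComputerStatus
        [Parameter(Mandatory)] $Preference,  # output of Get-MpPreference
        [int] $MaxAgeDays = 7
    )
    # A missing property (e.g. IsTamperProtected on an older build) casts to
    # $false / 0, so an unknown state is reported as a failure, never as a pass.
    $checks = [ordered]@{
        'Tamper Protection'             = [bool]$Status.IsTamperProtected
        'Real-time protection'          = [bool]$Status.RealTimeProtectionEnabled
        # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced
        'Cloud-delivered protection'    = ([int]$Preference.MAPSReporting -gt 0)
        'IOAV protection'               = [bool]$Status.IoavProtectionEnabled
        'Behavior monitoring'           = [bool]$Status.BehaviorMonitorEnabled
        'Security intelligence updates' = ($Status.AntivirusSignatureAge -le $MaxAgeDays)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Setting = $name; Ok = $checks[$name] }
    }
}

try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    $pref   = Get-MpPreference -ErrorAction Stop
} catch {
    # Typically means the Defender service is stopped or another AV product is active.
    Write-Error "Could not query Microsoft Defender: $($_.Exception.Message)"
    exit 2
}

$results = Test-DefenderHardening -Status $status -Preference $pref -MaxAgeDays $MaxSignatureAgeDays
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or management agent flag the device.
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ("Not in expected state: " + ($failed.Setting -join ', '))
    exit 1
}
```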

"We believe it’s critical for customers, across home users and commercial customers, to turn on tamper protection to ensure that essential security solutions are not circumvented," said Jha. 
