Tamper protection on macOS is now generally available

We are pleased to announce that Microsoft for Endpoint's tamper protection feature, previously available in Public Preview, is now generally available on macOS devices and will be rolling out over the next few days. 

Ensure that you are running Microsoft Defender for Endpoint for macOS version 101.75.90 or later, available through Microsoft AutoUpdate, to use the capability.

What is Tamper protection?

Tamper protection brings an additional layer of protection in Microsoft Defender for Endpoint to elevate the endpoint security posture of organizations. Reliably securing endpoints is crucial for any organization. Enhanced tamper resilience across prevalent platforms is a great advantage for organizations seeking to continuously enhance their endpoint security.

What does this mean for me?

This feature will be released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability.

In audit mode, you will notice the following events will be logged (audited):

  • Actions to uninstall Defender for Endpoint agent
  • Deletion/renaming/modification of Defender for Endpoint files
  • The creation of new files under Defender for Endpoint installation locations

While in Audit mode, TP signals can be viewed via Advanced Hunting and in local on-device logs. No tampering alerts are raised in the while in Audit mode. Alerts are raised in the portal only in block mode.

To observe tampering events in the portal, you can use the following query in Advanced Hunting:

| where OSPlatform == ‘macOS'
| join kind=rightsemi (
| where ActionType contains “TamperingAttempt”
) on DeviceId

Figure 1: The following screenshot demonstrates querying for Tampering events via advanced huntingFigure 1: The following screenshot demonstrates querying for Tampering events via advanced hunting

If you want to check the status of the feature on a single device, you can run the command “mdatp health”. Look for the tamper_protection field, it will display “audit”, “block” or “disabled” according to your configuration.

The logs can also be found locally on the device. Tampering events are logged in: “Library/Logs/Microsoft/mdatp/microsoft_defender_core*.log”

How can I start benefitting from this new capability?

You can leverage the audit mode (default mode) to get a sense of how the feature detects actions that are indicative of tampering attempts. Later this year, we will offer a gradual rollout mechanism that will automatically switch endpoints to block mode; note this will only apply if you have not specifically made a choice to either enable (block mode) or disable the capability.

If you decide to turn the feature on and move it to block mode, logging of each suspected tampering action will be complemented with its actual blocking and a corresponding alert in the portal. To turn the feature off entirely you can disable Tamper Protection.

Learn more about tamper protection and control it in your environment: Tamper Protection on macOS.


This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.