The 7.2.0-win sensor release includes a Tamper Protection feature that protects the Carbon Black EDR Windows sensor against external attempts to stop Carbon Black EDR services, or to modify the sensor's binaries, disk artifacts, or configuration.

While in a Tamper Protected state, the sensor only accepts actions that are requested through the Carbon Black EDR server console.

We encourage you to review the knowledge base article "EDR: Which Sensor directories need exclusion from third-party anti-virus scans" to make sure that the latest Carbon Black EDR Windows sensor exclusions are in place before enabling Tamper Protection.

Apply Tamper Protection to a Sensor Group

Follow this procedure to apply Tamper Protection to a sensor group.

Prerequisites

Requirements:

  • Minimum OS Versions of Windows 10 v1703 (Desktop) or Windows Server v1709 (Windows build 15163)

  • Minimum Carbon Black EDR versions of v7.2.0 Windows sensor and v7.4.0 Carbon Black EDR Server

  • You must be one of the following: a Global Administrator (Carbon Black EDR), an Administrator (Carbon Black Hosted EDR), or a user who is an Analyst for the applicable sensor group and who also has permission for Tamper Level.

Procedure

  1. On the navigation bar, click Sensors.
  2. Click the gear icon next to the sensor group for which to apply Tamper Protection.
  3. In the Edit Group panel, click Advanced.
  4. Change the Tamper Protection Level to Protection and create a Tamper Override Password.
    The tamper password
  5. Click Save Group.
    For more information about this setting, see Advanced Settings.
    • Any Windows sensor in a sensor group that has Tamper Protection applied but that does not meet the minimum OS requirements defaults to Tamper Detection. Carbon Black App Control Tamper Protection is recommended in these cases. We recommend that you update the tamper rule settings for Carbon Black App Control to the latest Carbon Black EDR Tamper Protection Rapid Config.

    • Enabling Tamper Protection on both Carbon Black App Control and Carbon Black EDR does not provide extra protection. We recommend that you disable the Carbon Black App Control "Carbon Black EDR Tamper Protection" Rapid Config after Carbon Black EDR Tamper Protection enforcement is in place.

Use the Tamper Protection CLI Tool

In case of disrupted communication between the Carbon Black EDR server and the sensor, you can manage the sensor directly by using the CbEDRCLI tool.

Procedure

  1. Run CbEDRCLI.exe as an admin on the Windows endpoint.
  2. Enter the tamper override password. Note that three incorrect password attempts incur a lockout period of one minute.
    Once the password is accepted, the CbEDRCLI tool remains effective for one hour.