In order to prevent attacks from encryption Trojans, Microsoft’s manipulation protection should now automatically protect security settings.
So far, security features under Windows in the context of Microsoft Defender for Endpoint (MDE) for corporate customers have not always been automatically protected against manipulation. That should change now.
Better protected from now on
As can be seen from an article, Microsoft now wants to activate its manipulation protection (tamper protection) for corporate customers by default for existing installations as well. Since last year, this has only been the case for new installations for customers with a Defender for Endpoint 2 or Microsoft 365 E5 license.
Admins should receive a corresponding message that the function will be activated automatically 30 days after receiving the notification. If you do not want this, you can opt-out of tamper protection in the advanced endpoint settings at security.microsoft.com.
That’s what tamper protection does
However, deactivation is not recommended, after all, the protection mechanism gets in the way, among other things, of malicious code that wants to deactivate security settings such as virus scanners in order to spread unhindered in systems. Microsoft does not explain in detail how this works in the article.
Tamper Protection should also ensure the operation of Defender components such as IOffceAntivirus (IOAV) for detecting documents contaminated with malicious code from the Internet. Such documents, usually sent by email, are still the most common way attackers use to spread ransomware.
Admins should therefore ensure that manipulation protection is ideally already activated and applies to the entire company.