About the tamper protection policy

Tamper protection enables you to prevent users (local administrators with limited technical knowledge) from reconfiguring, disabling, or uninstalling Sophos security software. Users who do not know the tamper protection password cannot perform these operations.

Note: Tamper protection is not designed to protect against users with extensive technical knowledge. It will not protect against malware that has been specifically designed to subvert the operation of the operating system to avoid detection. This type of malware will only be detected by scanning for threats and suspicious behavior.

After you enable tamper protection and create a tamper protection password, a user who does not know the password will not be able to reconfigure on-access scanning or suspicious behavior detections in Sophos Endpoint Security and Control, disable tamper protection, or uninstall Sophos Endpoint Security and Control components (such as Sophos Anti-Virus, Sophos Client Firewall, Sophos AutoUpdate, or Sophos Remote Management System) from Control Panel.

When setting up your tamper protection policy, consider the following:

  • Use the tamper protection Event Viewer to audit tamper protection password use and to monitor the rate of tamper attempts in your company. You can view both successful tamper protection authentication events (authorized users overriding tamper protection) and failed attempts to tamper with Sophos security software. You can access the Event Viewer by clicking Events > Tamper Protection Events.
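One way to turn that audit into numbers, as an added example that is not Sophos code: it counts failed tamper attempts per computer per day and flags successful tamper protection authentications that closely follow repeated failures on the same computer. It assumes the events have been saved as CSV; the column names, the "failed"/"success" labels, the threshold and the time window are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample rows. Column names and event labels are assumptions,
# not the console's actual format; adjust them to match your own data.
SAMPLE_EXPORT = """\
time,computer,user,event
2024-03-04 09:01:10,PC-017,alice,failed
2024-03-04 09:01:40,PC-017,alice,failed
2024-03-04 09:02:15,PC-017,alice,failed
2024-03-04 09:03:00,PC-017,alice,success
2024-03-04 10:15:00,PC-022,itadmin,success
2024-03-04 14:00:00,PC-031,bob,failed
2024-03-05 08:30:00,PC-031,bob,failed
2024-03-05 16:00:00,PC-017,alice,failed
2024-03-05 16:00:30,PC-017,itadmin,success
"""

def parse_events(text):
    """Parse the CSV text into dicts with a datetime 'time', oldest first."""
    rows = csv.DictReader(io.StringIO(text))
    events = [{**r, "time": datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")}
              for r in rows]
    return sorted(events, key=lambda e: e["time"])

def failed_per_day(events):
    """Tamper-attempt rate: failed events counted per (date, computer)."""
    return Counter((e["time"].date().isoformat(), e["computer"])
                   for e in events if e["event"] == "failed")

def success_after_failures(events, threshold=3, window=timedelta(minutes=30)):
    """Flag a successful authentication preceded by at least `threshold`
    failures on the same computer within `window` (worth a follow-up)."""
    recent = defaultdict(list)   # computer -> times of failures since last success
    flagged = []
    for e in events:
        host = e["computer"]
        if e["event"] == "failed":
            recent[host].append(e["time"])
        elif e["event"] == "success":
            prior = [t for t in recent[host] if e["time"] - t <= window]
            if len(prior) >= threshold:
                flagged.append((host, e["user"],
                                e["time"].isoformat(sep=" "), len(prior)))
            recent[host].clear()  # a success resets the failure streak
    return flagged
```

Authorized overrides with no preceding failures (PC-022 in the sample) are not flagged, so the output stays focused on successes that look like the end of a guessing streak.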