Tamper protection policy

Tamper protection prevents unauthorized users (local administrators and users with limited technical knowledge) and known malware from uninstalling Sophos security software or disabling it through the Sophos Endpoint Security and Control interface.

Note: Tamper protection is not designed to protect against users with extensive technical knowledge, nor against malware specifically designed to subvert the operating system to avoid detection. Such malware is detected only by scanning for threats and suspicious behavior.

After you enable tamper protection and create a tamper protection password, a member of the SophosAdministrator group on the endpoint who does not know the password will not be able to:

  • Re-configure on-access scanning or suspicious behavior detection settings in Sophos Endpoint Security and Control.
  • Disable tamper protection.
  • Uninstall the Sophos Endpoint Security and Control components (Sophos Anti-Virus, Sophos Client Firewall, Sophos AutoUpdate, or Sophos Remote Management System).

If you want to enable SophosAdministrators to perform these tasks, you must provide them with the tamper protection password so that they can authenticate themselves with tamper protection first.

Tamper protection does not affect members of the SophosUser and SophosPowerUser groups. When tamper protection is enabled, they will be able to perform all tasks that they are usually authorized to perform, without the need to enter the tamper protection password.

If you use role-based administration:

  • You must have the Policy setting - tamper protection right to configure a tamper protection policy.
  • You can't edit a policy if it is applied outside your active sub-estate.

Tamper protection events

When a tamper protection event occurs (for example, an unauthorized attempt to uninstall Sophos Anti-Virus from an endpoint computer has been prevented), the event is written to the event log, which can be viewed from Sophos Enterprise Console.

There are two types of tamper protection event:

  • Successful tamper protection authentication events, showing the name of the authenticated user and the time of authentication.
  • Failed attempts to tamper, showing the name of the targeted Sophos product or component, the time of the attempt, and the details of the user responsible for the attempt.
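The failed-attempt events above are the ones worth alerting on: a single failure may be an administrator who forgot the password, but several failures by one account against different components on the same endpoint in a short window looks like someone working through the product trying to disable it. The script below is an added example, not part of the Sophos documentation or the product. The tab-separated record layout and the sample lines are constructed for illustration; they carry only the fields the page says each event type contains (user and time for authentications; targeted component, time and responsible user for failures) and are not the actual Sophos Enterprise Console export format, so adapt `parse_events` to whatever export you use.

```python
"""Triage of tamper protection events exported from the console.

Added example; the record layout is CONSTRUCTED, not the real SEC format.
Columns: timestamp, endpoint, event type, user, component (empty for
successful authentication events, which target no component).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one event per line.
SAMPLE_EVENTS = """\
2024-05-01T09:02:11\tWS-0142\tauthentication\tCORP\\jsmith\t
2024-05-01T09:40:05\tWS-0142\ttamper_failed\tWS-0142\\localadmin\tSophos Anti-Virus
2024-05-01T09:40:31\tWS-0142\ttamper_failed\tWS-0142\\localadmin\tSophos AutoUpdate
2024-05-01T09:41:02\tWS-0142\ttamper_failed\tWS-0142\\localadmin\tSophos Remote Management System
2024-05-01T11:15:44\tWS-0207\ttamper_failed\tCORP\\pjones\tSophos Client Firewall
2024-05-02T08:00:00\tWS-0207\tauthentication\tCORP\\helpdesk\t
"""


def parse_events(text):
    """Parse the constructed export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, endpoint, kind, user, component = line.split("\t")
        events.append({
            "time": datetime.fromisoformat(ts),
            "endpoint": endpoint,
            "kind": kind,            # "authentication" or "tamper_failed"
            "user": user,
            "component": component or None,
        })
    return events


def failed_attempts(events):
    """Only the prevented tamper attempts; successful authentications are
    expected administrator activity and are kept out of the alert path."""
    return [e for e in events if e["kind"] == "tamper_failed"]


def repeated_attempts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {(endpoint, user): count} for actors with at least `threshold`
    failed tamper attempts inside any sliding time window of length `window`.
    The threshold and window are assumptions; tune them to your estate."""
    by_actor = defaultdict(list)
    for e in failed_attempts(events):
        by_actor[(e["endpoint"], e["user"])].append(e["time"])

    hits = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[actor] = end - start + 1
                break
    return hits


def targeted_components(events, endpoint, user):
    """Which components a given account tried to tamper with, in order."""
    return [e["component"] for e in failed_attempts(events)
            if e["endpoint"] == endpoint and e["user"] == user]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for (endpoint, user), n in repeated_attempts(evts).items():
        print(f"ALERT {endpoint}: {user} made {n} failed tamper attempts "
              f"against {targeted_components(evts, endpoint, user)}")
```

On the sample data only the local administrator on WS-0142 trips the rule (three failures in about a minute, each against a different component), while the single failure by CORP\pjones on WS-0207 is left for routine review rather than paged out.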