Tamper protection enables you to prevent unauthorized users (local administrators and users with limited technical knowledge) and known malware from uninstalling Sophos security software or disabling it through the Sophos Endpoint Security and Control interface.
After you enable tamper protection and create a tamper protection password, a member of the SophosAdministrator group on the endpoint who does not know the password will not be able to:
If you want to enable SophosAdministrators to perform these tasks, you must provide them with the tamper protection password so that they can authenticate themselves with tamper protection first.
Tamper protection does not affect members of the SophosUser and SophosPowerUser groups. When tamper protection is enabled, they will be able to perform all tasks that they are usually authorized to perform, without the need to enter the tamper protection password.
For more information, see Managing roles and sub-estates.
When a tamper protection event occurs (for example, an unauthorized attempt to uninstall Sophos Anti-Virus from an endpoint computer has been prevented), the event is written to the event log, which can be viewed from Enterprise Console. For details, see View tamper protection events.
There are two types of tamper protection event: