Tamper protection policy

Tamper protection enables you to prevent unauthorized users (local administrators and users with limited technical knowledge) and known malware from uninstalling Sophos security software or disabling it through the Sophos Endpoint Security and Control interface.

Note: Tamper protection is not designed to protect against users with extensive technical knowledge. Nor does it protect against malware that has been specifically designed to subvert the operating system in order to avoid detection. This type of malware is only detected by scanning for threats and suspicious behavior. (For more information, see Anti-virus and HIPS policy.)

After you enable tamper protection and create a tamper-protection password, a member of the SophosAdministrator group on the endpoint who does not know the password will not be able to:

If you want to enable SophosAdministrators to perform these tasks, you must provide them with the tamper protection password so that they can authenticate themselves with tamper protection first.

Tamper protection does not affect members of the SophosUser and SophosPowerUser groups. When tamper protection is enabled, they will be able to perform all tasks that they are usually authorized to perform, without the need to enter the tamper protection password.

Note: If you use role-based administration:

For more information, see Managing roles and sub-estates.

Tamper protection events

When a tamper protection event occurs (for example, when an unauthorized attempt to uninstall Sophos Anti-Virus from an endpoint computer has been prevented), the event is written to the event log, which can be viewed from Enterprise Console. For details, see View tamper protection events.

There are two types of tamper protection event: