Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Tamper Protection

Training Camp • Cybersecurity Glossary

What is Tamper Protection?

A security feature that blocks unauthorized changes to security settings and software, stopping malware or attackers from disabling defenses.

Glossary > Threats, Malware & Attacks > Tamper Protection

Tamper Protection — A security feature that blocks unauthorized changes to security settings and software

Understanding Tamper Protection

Tamper protection is a security feature that prevents unauthorized changes to critical security settings, software, files, or configurations. Its core purpose is to stop malware, attackers, or even rogue local administrators from disabling or weakening defenses such as antivirus, firewalls, and security policies, preserving the integrity of the protection layer itself.

Tamper protection enforces restrictions below the level of normal administrative tools, so that registry edits, command-line tweaks, or process-kill attempts against security components are blocked even when run with elevated privileges. Implementations like Microsoft Defender Tamper Protection lock settings such as real-time protection and cloud-delivered protection so they can only be changed through trusted management channels (for example, Intune or the Defender service), not local PowerShell, registry, or Group Policy overrides. Endpoint protection agents commonly add self-protection that guards their own processes, services, and files from termination or modification.

Tamper protection matters because a standard step in modern attacks is to disable security tooling before deploying ransomware or exfiltrating data; if an attacker can simply turn off the antivirus, every downstream control fails. By making security configurations resistant to local tampering, this feature keeps detection and response capabilities alive during an intrusion, buying defenders time and preserving telemetry. It also defends against malicious or careless insiders who might weaken controls.

For example, ransomware lands on a workstation and attempts to stop the Defender service and set DisableRealtimeMonitoring in the registry to blind the host before encrypting files. With Tamper Protection enabled, these changes are rejected regardless of the malware's elevated privileges, real-time scanning keeps running, and Defender detects and quarantines the payload. To legitimately adjust the setting, an administrator must use the centrally managed console rather than touching the endpoint directly.

Learn More About Tamper Protection:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →