Tamper protection is a control that helps prevent malware or unauthorized users from disabling or weakening endpoint security tools and settings. In plain language, it makes it harder for an attacker to turn off the very protections that are supposed to detect or stop them.
Tamper protection matters because many threats try to blind defenders before doing anything else. If an attacker can disable antivirus, EDR, logging, or security policies easily, later controls become less reliable.
It also matters because endpoint protection is only useful when it can resist casual or malicious interference.
This is especially important on user devices and shared administrative environments, where legitimate local access might otherwise be enough to weaken defenses. Tamper protection raises the effort required to disable critical safeguards and creates a cleaner signal when something unusual is happening.
Tamper protection appears in Anti-Malware, Endpoint Detection and Response, device management, privileged admin policy, and Device Hardening. Teams connect it to Secure Boot, Endpoint Isolation, and Patch Management.
It is a practical control for making endpoint defenses more resilient under active attack.
In real programs, tamper protection is often paired with role separation, change approval, and alerting so that security tools cannot be quietly disabled without visibility.
| Protected area | Example |
|---|---|
| Security services | Prevent stopping or uninstalling the agent |
| Policy settings | Prevent lowering protection without approval |
| Logging or telemetry | Reduce the chance of silent visibility loss |
A workstation security agent is configured so normal users and unapproved processes cannot stop the service, uninstall it, or change core protection settings without a stronger administrative control path.
Tamper protection is not the same as Secure Boot. Secure Boot protects trust early in startup, while tamper protection focuses on keeping active security controls from being disabled during normal system operation.
It is also not a substitute for monitoring. It reduces one kind of attack path, but defenders still need telemetry and response capability.
It is also not magic hardening that makes an endpoint invulnerable. A determined attacker may still look for ways around protections, which is why tamper resistance works best as one layer in a broader endpoint strategy.
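The table above names three protected areas (security services, policy settings, logging or telemetry), and the page notes that tamper protection is usually paired with alerting and that defenders still need telemetry. The following is an added example, not code from the original page or from any vendor's agent: a small monitor that reads constructed agent log lines, flags protected actions taken without an approval reference, and flags a host whose heartbeats stop arriving (silent visibility loss). The log format, field names, action names and the ten-minute heartbeat gap are all assumptions made for this example.

```python
"""Tamper-event monitor over a constructed endpoint-agent log.

Assumed (hypothetical) line format:
  ts=<ISO8601> host=<name> action=<name> actor=<who> approval=<none|ticket>
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Actions that touch a protected surface, mapped to the protected area from
# the page's table. Action names are assumptions for this example.
PROTECTED_ACTIONS = {
    "service_stop": "Security services",
    "uninstall": "Security services",
    "policy_change": "Policy settings",
    "telemetry_disable": "Logging or telemetry",
}

# How long without a heartbeat counts as silent visibility loss (assumed).
HEARTBEAT_GAP = timedelta(minutes=10)


@dataclass
class Alert:
    host: str
    area: str
    reason: str


def parse_line(line: str) -> dict:
    """Split 'key=value' tokens into a dict and parse the timestamp."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def detect_tampering(lines: Iterable[str], now: str | None = None) -> list[Alert]:
    """Return alerts for unapproved protected actions and heartbeat gaps.

    `now` (ISO8601 string) lets the caller also flag hosts that have gone
    silent since their last heartbeat; omit it to check only gaps between
    heartbeats that did arrive.
    """
    alerts: list[Alert] = []
    last_heartbeat: dict[str, datetime] = {}

    for line in lines:
        rec = parse_line(line)
        host, action, ts = rec["host"], rec["action"], rec["ts"]

        if action == "heartbeat":
            prev = last_heartbeat.get(host)
            if prev is not None and ts - prev > HEARTBEAT_GAP:
                alerts.append(Alert(host, "Logging or telemetry",
                                    f"no heartbeat for {ts - prev}"))
            last_heartbeat[host] = ts
            continue

        area = PROTECTED_ACTIONS.get(action)
        if area is None:
            continue  # not a protected surface; nothing to check

        # A change with an approval reference came through the stronger
        # administrative control path; anything else is a tamper signal.
        if rec.get("approval", "none") == "none":
            alerts.append(Alert(host, area,
                                f"{action} by {rec.get('actor', '?')} without approval"))

    if now is not None:
        now_ts = datetime.fromisoformat(now)
        for host, prev in last_heartbeat.items():
            if now_ts - prev > HEARTBEAT_GAP:
                alerts.append(Alert(host, "Logging or telemetry",
                                    f"silent since {prev.isoformat()}"))
    return alerts


# Constructed sample log: one unapproved service stop, one approved policy
# change, a 25-minute heartbeat gap, and an unapproved uninstall on a second host.
SAMPLE_LOG = [
    "ts=2024-05-01T09:00:00 host=ws-17 action=heartbeat actor=agent approval=none",
    "ts=2024-05-01T09:05:00 host=ws-17 action=heartbeat actor=agent approval=none",
    "ts=2024-05-01T09:06:10 host=ws-17 action=service_stop actor=jdoe approval=none",
    "ts=2024-05-01T09:07:00 host=ws-17 action=policy_change actor=secops-admin approval=CHG-0042",
    "ts=2024-05-01T09:30:00 host=ws-17 action=heartbeat actor=agent approval=none",
    "ts=2024-05-01T09:31:00 host=ws-22 action=uninstall actor=installer.exe approval=none",
]

if __name__ == "__main__":
    for alert in detect_tampering(SAMPLE_LOG, now="2024-05-01T09:45:00"):
        print(f"[{alert.area}] {alert.host}: {alert.reason}")
```

The approved policy change produces no alert, which is the point of pairing tamper protection with change approval: the control path that is allowed to weaken protection leaves a reference that the monitor can recognise, and everything else stands out.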