"Microsoft Rolls Out Tamper Protection for Macs"

Tamper protection in Microsoft Defender for Endpoint on macOS is now generally available, according to Microsoft. Tamper protection lets administrators who have Apple hardware in their environment prevent unauthorized removal of Microsoft Defender for Endpoint from macOS systems, as well as tampering with Microsoft Defender for Endpoint files, processes, and configuration settings. According to a Microsoft Tech Community post, the feature improves an organization's endpoint security posture. Tamper protection is a device-level setting, meaning it applies to all users on the device. The options are "disabled," "audit," and "block." Tamper protection is set to "audit" by default in Microsoft Defender for Endpoint on macOS, so actions such as uninstalling the agent, modifying Microsoft Defender files, or creating new files in the location where Microsoft Defender is installed are logged automatically. Administrators, however, will not see any alerts in the Security Center; instead, they must check on-device logs or use the Advanced Hunting feature. Tamper protection must be set to "block" for administrators to receive alerts and for tampering activities to be blocked. According to the company, a future rollout will automatically change the settings so that "block" becomes the default. This article continues to discuss Microsoft's tamper protection feature that detects attempts to modify files and processes for Microsoft Defender for Endpoint on macOS.

Dark Reading reports "Microsoft Rolls Out Tamper Protection for Macs"

 

 
