Use Sensor Tampering Protection
Sensor tampering protection provides enhanced protection to the Cybereason processes running on Windows endpoints. With sensor tampering protection, Cybereason protects its processes, files, services, and registry entries against unauthorized or malicious modification and against attempts to kill them. For example, sensor tampering protection prevents unauthorized access to the processes related to the sensor.
In addition, sensor tampering protection protects the sensor from unintentional end user actions that might compromise security. For example, an end user might kill a resource-intensive sensor process that is responsible for a number of protection capabilities, instead of contacting Technical Support to resolve the issue. This exposes the endpoint machine to potential attacks.
Enable sensor tampering protection
In version 23.2.148 and later, sensor tampering protection is generally available and is enabled by default.
In the sensor policy, navigate to the Sensor management & upgrades screen.
For sensors up to version 23.2.148: Switch the Sensor tampering protection [Legacy] toggle to On.
For sensors 23.2.148 and later: Switch the Sensor tampering protection toggle to On.
To prevent maintenance actions in addition to tampering protection, you can switch the Extended tampering protection with passkey toggle to On. If this option is set to On, maintenance actions such as upgrading the sensor require a passkey file (you can download this file from the Sensors screen > Actions menu and place it on the machine). Note that a passkey is then required for all local actions, which makes it harder to perform sensor maintenance or upgrades on the endpoint itself, including SCCM actions.
Additional sensor security
The Cybereason platform secures itself using the following methods:
All communication between the sensor and the Registration and Detection servers occurs over TLS.
Data in transit is sent over TLS with two-way authentication between server and client, and with certificate verification that uses a 2048-bit RSA key set and the SHA256 hashing algorithm.
Only machine administrators can install or uninstall sensors on endpoints across your organization.
AM-PPL Support (Windows)
From version 23.2.4x, the sensor supports Windows AM-PPL. This service provides self-protection for the Cybereason sensor. For example, it protects Cybereason processes against malicious actions such as terminating the application. Contact Support to enable this feature.
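One way to confirm on an endpoint that a service is actually launched as AM-PPL is shown below. This is an added example, not Cybereason's own tooling: the service name pattern is a placeholder because this page does not name the sensor's services, and the check assumes the protection level is recorded in the Windows `LaunchProtected` service registry value.

```powershell
# Added example: report the launch-protection level of matching Windows services.
# Read-only; run from an elevated PowerShell prompt on the endpoint.
function Get-ServiceLaunchProtection {
    [CmdletBinding()]
    param(
        # Wildcard matched against service name and display name (placeholder value)
        [Parameter(Mandatory)][string]$NamePattern
    )

    # dwLaunchProtected values from SERVICE_LAUNCH_PROTECTED_INFO (winsvc.h)
    $levels = @{
        0 = 'None'
        1 = 'Windows'
        2 = 'WindowsLight'
        3 = 'AntimalwareLight'   # AM-PPL
    }

    $services = Get-Service | Where-Object {
        $_.Name -like $NamePattern -or $_.DisplayName -like $NamePattern
    }
    if (-not $services) {
        Write-Warning "No service matches '$NamePattern'"
        return
    }

    foreach ($svc in $services) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        # A missing LaunchProtected value means the service is not launched protected
        $raw = (Get-ItemProperty -Path $key -Name LaunchProtected -ErrorAction SilentlyContinue).LaunchProtected
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }
        $level = if ($levels.ContainsKey($value)) { $levels[$value] } else { "Unknown($value)" }

        [pscustomobject]@{
            Service    = $svc.Name
            Status     = $svc.Status
            Protection = $level
            IsAmPpl    = ($value -eq 3)
        }
    }
}

# Placeholder pattern: replace with the sensor's actual service name
Get-ServiceLaunchProtection -NamePattern '<sensor-service-name>*' | Format-Table -AutoSize
```

A service that reports `None` after the feature has been enabled is worth raising with Support, since it is not running with the AM-PPL protection described above.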