Team: Huntress Managed Endpoint Detection and Response (EDR)
Environment: Huntress Portal
Summary: How to enable Tamper Protection for the Huntress Agent.
What is EDR Tamper Protection?
How does EDR Tamper Protection Work?
How does EDR Tamper Protection affect uninstallation of the agents?
How can I disable EDR Tamper Protection for my agents?
How do I know if it's working?
What is EDR Tamper Protection?
The EDR Tamper Protection feature prevents unauthorized users from stopping, uninstalling or otherwise manipulating the Huntress endpoint agents and files. The goal of this feature is to make sure local users are unable to disable local protection, as well as prevent a threat actor from disabling our security monitoring services.
How does EDR Tamper Protection work?
Windows
Tamper Protection works by leveraging the Huntress kernel mode driver to prevent unauthorized access to the Huntress agent services, files, and registry keys. When Tamper Protection is turned on, local administrators no longer have the ability to stop, restart, or disable the agent services. The Huntress file directory (where the agent binaries are located) and the Huntress registry keys (used for configuration and service settings) become read-only as well.
When Tamper Protection is disabled, a Local Administrator on the system can modify the Huntress files and registry keys, as well as uninstall the agent and manipulate the services.
macOS
When Tamper Protection is enabled, the Huntress system extension prevents attempts to delete or modify Huntress files, even by an admin user with root privileges. When Tamper protection is disabled, an admin user on the system can modify the items that are protected on each system, as well as uninstall the agent and manipulate the services.
How does EDR Tamper Protection affect uninstallation of the agents?
Recommended Process
When the EDR Tamper Protection feature is enabled, local uninstall will be difficult by design. However, you can simply use the portal to uninstall any agent. Guidance on the uninstall process can be located in our Uninstalling the Huntress Agent knowledgebase. We encourage you to uninstall via the Huntress portal for the smoothest experience.
Local Uninstall
If you need to perform the uninstall locally, you will first need to disable Tamper Protection by adding a Tamper Protection exclusion.
What if the endpoint is completely offline (will never have internet connection) and can’t connect to the portal?
If the endpoint is completely offline and cannot connect to the Huntress portal, please reach out to Huntress support for assistance.
How can I disable EDR Tamper Protection for my agents?
This setting is found in the hamburger menu drop-down > Settings > Tamper Protection > Tamper Protection Exclusions.
Adding an exclusion will disable tamper protection for individual organizations or hosts. Note that Huntress will attempt to automatically re-enable tamper protection after four hours and remove the exclusion.
How do I know if it’s working?
Windows
Attempt to stop the service as Local Administrator using the command:
sc.exe stop huntressrio
The command should fail with the error message “Access is denied”.
macOS
The easiest test is to attempt to drag the Huntress app to the trash. This will result in a message indicating that removing the app will remove the system extension. If you click the Continue button, you will see an error saying that the operation can’t be completed.
You can also try removing via the Terminal, using the command:
sudo rm -rf /Applications/Huntress.app
This should result in a number of “operation not permitted” errors.
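The following PowerShell script is an added example, not part of the Huntress article; it runs the Windows checks described above from a local Administrator session and reports pass/fail for each. The service name huntressrio and the install directory C:\Program Files\Huntress are taken from this article; the probe file name is an assumption of the example.

```powershell
# Added verification script (not Huntress's own code). Runs as a local
# Administrator, since that is the account Tamper Protection is meant to block.
$ServiceName = 'huntressrio'               # service name from the article
$InstallDir  = 'C:\Program Files\Huntress'  # install directory from the article
$results = @()

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; is the Rio agent installed?"
    return
}

# Check 1: 'sc.exe stop' must fail with Win32 error 5 (ERROR_ACCESS_DENIED).
$output = (& sc.exe stop $ServiceName 2>&1 | Out-String).Trim()
$stopBlocked = ($LASTEXITCODE -eq 5) -and ($output -match 'Access is denied')
$results += [pscustomobject]@{ Check = 'sc.exe stop is denied'; Pass = $stopBlocked; Detail = $output }

# Check 2: the service must still be running after the stop attempt.
$svc.Refresh()
$results += [pscustomobject]@{ Check = 'Service still running'; Pass = ($svc.Status -eq 'Running'); Detail = "Status=$($svc.Status)" }

# Check 3: the install directory is read-only, so creating a file there is denied.
# The probe file name is an assumption of this example; it is removed if created.
$probe = Join-Path $InstallDir ('tp-probe-{0}.tmp' -f [guid]::NewGuid())
$writeBlocked = $false
if (Test-Path -LiteralPath $InstallDir) {
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        # The write succeeded, which means the directory is not protected. Clean up.
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    } catch [System.UnauthorizedAccessException] {
        $writeBlocked = $true
    }
} else {
    Write-Warning "Install directory '$InstallDir' not found."
}
$results += [pscustomobject]@{ Check = 'Install dir write denied'; Pass = $writeBlocked; Detail = $probe }

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more checks failed: confirm Tamper Protection is enabled for this host in the portal and that the Rio agent is version 0.6.7 or newer.'
}
```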
Troubleshooting
“What if I can still stop the services?”
If you are able to stop the service, verify the feature is enabled in the administrator console of the Huntress Portal for that account/organization.
“What if the feature is enabled, but it’s still not working?”
If the feature is enabled, verify that the Rio agent for Windows OS is at least version 0.6.7 or higher, or that the Huntress Agent for macOS agent version is 0.14.60 or higher.
“Why can (or can’t) my RMM start the agent services?”
If your RMM is running as NT\Local System, the RMM will still have the ability to start, stop, or even uninstall the services. Once Huntress applies additional filtering on the “Authorized Services,” RMMs will no longer be able to modify the agents; at that point you must turn off the Tamper Protection feature in the Huntress administration console before your RMM can manage the services.
Current Limitations
Windows
This feature is currently limited to Windows systems running the Huntress Huntmon kernel component, which became available with client OS Windows 8 and Windows Server 2012 and newer. Legacy Windows operating systems are not included in this feature.
macOS
Tamper Protection will run on any hardware and macOS version that is supported by the Huntress agent.
For more information on supported versions, see our system requirements documentation.
Frequently Asked Questions
Q: How long does it take for Tamper Protection to push down to an Endpoint once enabled?
A: It can take up to 30 minutes.
Q: If Tamper Protection is disabled in the Huntress dashboard, how long will it remain turned off?
A: 4 hours.
Q: Are Tamper Protection status changes in the dashboard being logged?
A: Not at this time, but it's on the road map and possibly out by Q3 2025.
Q: Does Huntress Tamper Protection prevent Defender modifications on the endpoint?
A: No. Huntress Tamper Protection only protects Huntress software from unauthorized removal. It does not impact AV functionality.
Q: Are uninstall scripts supported when Tamper Protection is enabled?
A: No. The preferred method for uninstallation is to use the Huntress dashboard for all uninstallations.
Windows
If you need to uninstall from an offline Windows OS machine, local system administrators and RMM tools running with sysadmin privileges can run the following command in the window after the Rio service has been stopped and before our Watchdog service automatically restarts it. This is subject to change in the near future.
"C:\Program Files\Huntress\Uninstall.exe" /S
macOS
In the event of a need to uninstall from an offline macOS machine, you can do the following steps:
- Boot into recovery mode
- Once in recovery mode, choose Terminal from the Utilities menu
- Enter the following command in the Terminal, then confirm by pressing Y:
csrutil disable
- Reboot into normal mode and log in to an admin user account
- Open the Terminal and enter the following command, providing the admin password when requested:
sudo systemextensionsctl uninstall 7W6HQ9J9XA com.huntress.sysext
- Reboot into recovery mode again
- Go back to the Terminal and enter:
csrutil enable
- Reboot into normal mode, and once again log in to an admin account
- Enter the following command in the Terminal to complete the Huntress uninstall:
sudo /Applications/Huntress.app/Contents/MacOS/Uninstall
Q: Can a service still be stopped in the task manager?
A: Yes, but with caveats.
Windows
Our built-in Watchdog functionality will re-enable the service within a few minutes. The Watchdog service is built into the HuntressAgent, HuntressUpdater, and Rio services.
macOS
On macOS, the system will ensure Huntress processes stay running.
Q: Is there a script to disable Tamper Protection locally on an endpoint?
A: No, it is not possible to disable Tamper Protection with a command or script.
Q: What user-level permission in the Huntress Dashboard can disable Tamper Protection?
A: Administrators.
Q: Why doesn't Huntress offer a password-protected uninstall?
A: We strive to make our products easy to use and want to avoid requiring additional passwords or tokens. This is why uninstalling via the Dashboard is the preferred method.