Team: Huntress Managed Endpoint Detection and Response (EDR)
Environment: Huntress Portal, Huntress Agent for Windows
Summary: How to enable Tamper Protection for the Huntress Agent.
What is EDR Tamper Protection?
How does EDR Tamper Protection work?
How does EDR Tamper Protection affect uninstallation of the agents?
How can I disable EDR Tamper Protection for my agents?
How do I know if it's working?
What is EDR Tamper Protection?
The EDR Tamper Protection feature prevents unauthorized users from stopping, uninstalling or otherwise manipulating the Huntress endpoint agents and files. The goal of this feature is to make sure local users are unable to disable local protection, as well as prevent a threat actor from disabling our security monitoring services.
How does EDR Tamper Protection work?
Tamper Protection works by leveraging our Huntress kernel mode driver to prevent unauthorized access to the Huntress agent services, files, and registry keys. When Tamper Protection is turned on, local administrators no longer have the ability to stop, restart, or disable the agent services. The Huntress file directory (where the agent binaries are located) and the Huntress registry keys (used for configuration and service settings) become read-only as well.
When Tamper Protection is disabled, a Local Administrator on the system can modify the Huntress files and registry keys, as well as uninstall the agent and manipulate the services.
How does EDR Tamper Protection affect uninstallation of the agents?
When the EDR Tamper Protection feature is enabled, local uninstall is difficult by design. However, you can simply use the portal to uninstall any agent. Guidance on the uninstall process can be found in our Uninstalling the Huntress Agent KB. If you need to perform the uninstall locally for whatever reason, toggling the slider in your agent control panel will turn off Tamper Protection for the agents and allow full serviceability by local system administrators or RMM scripting. This can be done by navigating to the "Hamburger" 3-bar menu in the top right corner of the dashboard > Settings > Tamper Protection.
What if the endpoint is completely offline (will never have internet connection) and can’t connect to the portal?
If the endpoint is completely offline and cannot connect to the Huntress portal, please reach out to Huntress support for assistance.
How can I disable EDR Tamper Protection for my agents?
This setting is found in the hamburger menu drop-down > Settings > Tamper Protection > Tamper Protection Exclusions.
Adding an exclusion will disable tamper protection for individual organizations or hosts. Note that Huntress will attempt to automatically re-enable tamper protection after four hours and remove the exclusion.
How do I know if it’s working?
Attempt to stop the service as Local Administrator using the command:
sc.exe stop huntressrio
The command should fail with an error message of "Access is denied".
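The following PowerShell script is an added example, not Huntress-provided code, that turns the manual check above into a repeatable test of the three things the feature is described as protecting: the service, the install directory, and the registry keys. It assumes the service name huntressrio and the install directory C:\Program Files\Huntress named in this article, and it assumes the service's own key under HKLM:\SYSTEM\CurrentControlSet\Services is among the protected "service settings" keys. Run it from an elevated prompt as a local administrator (not as SYSTEM; see the RMM note under Troubleshooting).

```powershell
# Added example (not Huntress code): verify that EDR Tamper Protection is
# enforcing on this endpoint. Every "expected" check should report PASS.
# Assumptions: service 'huntressrio' and install dir 'C:\Program Files\Huntress'
# as named in the article; the service's registry key under
# HKLM:\SYSTEM\CurrentControlSet\Services is assumed to be a protected key.

$ServiceName = 'huntressrio'
$InstallDir  = 'C:\Program Files\Huntress'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

$results = [ordered]@{}

# 1. The service must exist and be running, otherwise the stop test is meaningless.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; is the agent installed?"
    return
}
$results['Service running'] = ($svc.Status -eq 'Running')

# 2. Attempt the stop exactly as the article describes. When the kernel driver
#    blocks it, sc.exe exits with Win32 error 5 (ERROR_ACCESS_DENIED).
$scOutput = & sc.exe stop $ServiceName 2>&1 | Out-String
$results['Stop denied (expected)'] = ($LASTEXITCODE -eq 5 -or $scOutput -match 'Access is denied')

# 3. The install directory should be read-only: creating a probe file must fail.
$probeFile = Join-Path $InstallDir ("tp-probe-{0}.txt" -f [guid]::NewGuid())
try {
    [System.IO.File]::WriteAllText($probeFile, 'probe')
    # If the write got through, protection is not enforcing; remove the probe.
    Remove-Item -LiteralPath $probeFile -Force -ErrorAction SilentlyContinue
    $results['Install dir write denied (expected)'] = $false
} catch [System.UnauthorizedAccessException] {
    $results['Install dir write denied (expected)'] = $true
} catch {
    Write-Warning "Unexpected error writing to ${InstallDir}: $($_.Exception.Message)"
    $results['Install dir write denied (expected)'] = $false
}

# 4. The service registry key should be read-only: adding a value must fail.
try {
    New-ItemProperty -Path $ServiceKey -Name 'TamperProbe' -Value 1 -PropertyType DWord -ErrorAction Stop | Out-Null
    # Write succeeded: clean up the probe value and record the failure.
    Remove-ItemProperty -Path $ServiceKey -Name 'TamperProbe' -ErrorAction SilentlyContinue
    $results['Registry write denied (expected)'] = $false
} catch {
    $results['Registry write denied (expected)'] = ($_.Exception.Message -match 'denied|not allowed')
}

# 5. Report one line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

A FAIL on any of the three "expected" lines means that part of the agent is still modifiable by a local administrator; in that case work through the Troubleshooting section below (feature enabled for the organization, agent version, and the identity the check ran under).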
Troubleshooting
“What if I can still stop the services?”
If you are able to stop the service, verify the feature is enabled in the administrator console of the Huntress Portal for that account/organization.
“What if the feature is enabled, but it’s still not working?”
If the feature is enabled, verify that the rio agent is version 0.6.7 or higher.
“Why can’t my RMM start the agent services?”
If your RMM runs as NT\Local System, it will still have the ability to start/stop or even uninstall the services. Once Huntress does additional filtering on the "Authorized Services," RMMs can no longer modify the agents. You must turn off the Tamper Protection feature in the Huntress administration console.
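The following PowerShell script is an added example, not Huntress-provided code, that gathers the two facts the troubleshooting steps above turn on: the identity the check is running as (a SYSTEM context, typical for an RMM, may still be able to stop the services) and the rio agent version against the 0.6.7 minimum stated in this article. It assumes the huntressrio service binary carries the agent version in its file version resource, and it resolves the binary from the service definition rather than a hard-coded path.

```powershell
# Added example (not Huntress code): collect troubleshooting facts for
# Tamper Protection. Assumptions: service name 'huntressrio'; the service
# binary's file version resource reflects the rio agent version; minimum
# version 0.6.7 as stated in the article.

$ServiceName = 'huntressrio'
$MinVersion  = [version]'0.6.7'

# Identity: S-1-5-18 is the well-known SID for Local System. A successful
# "sc stop" from this context is not proof that the feature is off.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isSystem = ($identity.User.Value -eq 'S-1-5-18')
"Running as: $($identity.Name) (Local System: $isSystem)"
if ($isSystem) {
    Write-Warning 'Running as Local System; re-run the stop test as a local administrator for a meaningful result.'
}

# Resolve the service binary from the service definition.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Warning "Service '$ServiceName' is not installed."
    return
}

# PathName may be quoted and may carry arguments, e.g. "C:\dir\rio.exe" -flag
$exePath = if ($svc.PathName -match '^"([^"]+)"') {
    $Matches[1]
} else {
    ($svc.PathName -split ' ')[0]
}

# Read the version resource and strip any non-numeric suffix before casting.
$fileVersion  = (Get-Item -LiteralPath $exePath).VersionInfo.FileVersion
$agentVersion = [version]($fileVersion -replace '[^\d.].*$', '')

"Service binary : $exePath"
"Agent version  : $agentVersion (minimum for Tamper Protection: $MinVersion)"
"Service state  : $($svc.State), start mode: $($svc.StartMode)"

if ($agentVersion -lt $MinVersion) {
    Write-Warning "Agent $agentVersion is below $MinVersion; Tamper Protection will not enforce until the agent updates."
}
```

If the version is at or above the minimum, the feature is enabled for the organization in the portal, and the script is not running as Local System, yet the service can still be stopped, that is the point at which to involve Huntress support.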
Current Limitations
Some operating systems are not supported.
This feature is currently limited to Windows systems running the Huntress Huntmon kernel component, which became available with client OS Windows 8 and Windows Server 2012 and newer. Legacy Windows operating systems are not included in this feature. macOS is also not included in this feature at this time.
Frequently Asked Questions
Q: How long does it take for Tamper Protection to push down to an Endpoint once enabled?
A: It can take up to 30 minutes.
Q: If Tamper Protection is disabled in the Huntress dashboard, how long will it remain turned off?
A: 4 hours.
Q: Are Tamper Protection status changes in the dashboard being logged?
A: Not at this time, but it's on the road map and possibly out by Q2 2025.
Q: Does Huntress Tamper Protection prevent Defender modifications on the endpoint?
A: No. Huntress Tamper Protection only protects Huntress software from unauthorized removal. It does not impact AV functionality.
Q: Are uninstall scripts supported when Tamper Protection is enabled?
A: No. The preferred method for uninstallation is to use the Huntress dashboard for all uninstallations. However, local system administrators, and RMM tools running with sysadmin rights, can run the following command after the RIO service is stopped and before our Watchdog service automatically restarts it. This is subject to change in the near future.
"C:\Program Files\Huntress\Uninstall.exe" /S
Q: Can a service still be stopped in the task manager?
A: Yes, however, our built-in Watchdog functionality will re-enable the service within a few minutes. The watchdog service is built into the HuntressAgent, HuntressUpdater, and RIO services.
Q: Is there a script to disable Tamper Protection locally on an endpoint?
A: No, it is not possible to disable Tamper Protection with a command or script.
Q: What user-level permission in the Huntress Dashboard can disable Tamper Protection?
A: Administrators.
Q: Why doesn't Huntress password-protect uninstall?
A: We strive to make our products easy to use and want to avoid requiring additional passwords or tokens. This is why uninstalling via the Dashboard is the preferred method.