Team: Huntress EDR
Environment: Huntress Portal, Huntress Agent for Windows
Summary: How to enable Tamper Protection for the Huntress Agent.
What is EDR Tamper Protection?
How does EDR Tamper Protection Work?
How does EDR Tamper Protection affect uninstallation of the agents?
How can I enable EDR Tamper Protection for my agents?
How do I know if it's working?
What is EDR Tamper Protection?
The EDR Tamper Protection feature prevents unauthorized users from stopping, uninstalling or otherwise manipulating the Huntress endpoint agents and their files. The goal of this feature is to make sure local users are unable to disable local protection, and to prevent a threat actor from disabling our security monitoring services.
How does EDR Tamper Protection work?
Tamper Protection works by leveraging the Huntress kernel mode driver to block unauthorized access to the Huntress agent services, files, and registry keys. When Tamper Protection is turned on, local administrators no longer have the ability to stop, restart or disable the agent services. The Huntress file directory (where the agent binaries are located) and the Huntress registry keys (used for configuration and service settings) become read-only as well.
When Tamper Protection is disabled, a local Administrator on the system can modify the Huntress files and registry keys, uninstall the agent, and manipulate the services.
How does EDR Tamper Protection affect uninstallation of the agents?
When the EDR Tamper Protection feature is enabled, local uninstall is difficult by design. However, you can simply use the portal to uninstall any agent. If you need to perform the uninstall locally for whatever reason, toggling the slider in your agent control panel turns off Tamper Protection for the agents and restores full serviceability via a local Administrator or RMM scripting.
“What if the host is completely offline and can’t connect to the portal?”
If the host is completely offline, Huntress plans to provide a CLI tool that can be used with a password token found in your Huntress account portal. This will allow a totally offline uninstallation of the agents. Note that this tool is NOT yet available, but should be coming soon. We'll update this KB as soon as it is available.
How can I enable EDR Tamper Protection for my agents?
Simply use the toggle in the administration view for your account or organization. This is found in the hamburger menu drop down > Settings > Tamper Protection.
You can also set exclusions if you do not want specific endpoints or organizations to be enrolled in Tamper Protection.
How do I know if it’s working?
Attempt to stop the service as a local Administrator (not as SYSTEM, which is still permitted to control the services at this time) using the command:
sc.exe stop huntressrio
The command should fail with the error message "Access is denied". If the command succeeds instead, Tamper Protection is not enforcing on that host and you have actually stopped the agent; start it again with sc.exe start huntressrio before troubleshooting.
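The manual check above only exercises service control. The following PowerShell script is an added example (not a Huntress tool or part of the original article) that probes all three controls described under "How does EDR Tamper Protection work?": stopping the service, writing to the agent file directory, and writing to the agent registry keys, and also reports the service binary's version against the 0.6.7 minimum from the Troubleshooting section. The install directory and registry key paths are assumptions to adjust for your deployment, and the file version read from the binary may not map exactly to the rio agent version shown in the portal.

```powershell
<#
  Added example for this KB (not Huntress tooling): probe whether EDR Tamper Protection
  is actually enforcing on the local endpoint.
  Run from an ELEVATED prompt as a LOCAL ADMINISTRATOR. Do not run as SYSTEM: SYSTEM
  (e.g. an RMM service) is currently still allowed to manage the services, so a result
  obtained as SYSTEM says nothing about the protection.
  ASSUMPTIONS (not stated in the KB): $InstallDir and $RegistryKey are placeholders;
  $MinVersion is compared against the service binary's file version.
#>
param(
    [string]$ServiceName = 'huntressrio',
    [string]$InstallDir  = 'C:\Program Files\Huntress',     # assumed path, verify locally
    [string]$RegistryKey = 'HKLM:\SOFTWARE\Huntress Labs',  # assumed path, verify locally
    [version]$MinVersion = '0.6.7'
)

$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt; a non-admin being denied proves nothing.'
}
if ($id.IsSystem) {
    throw 'Running as SYSTEM, which is still permitted to manage the services; this probe is not meaningful.'
}

$result = [ordered]@{}

# 1. Service control (the KB's own test). sc.exe returns the Win32 error code, so
#    ERROR_ACCESS_DENIED (5) or the matching text means the driver blocked the stop.
$svc   = Get-Service -Name $ServiceName -ErrorAction Stop
$scOut = (& sc.exe stop $ServiceName 2>&1) -join "`n"
$result.ServiceStopBlocked = ($LASTEXITCODE -eq 5) -or ($scOut -match 'Access is denied')
if (-not $result.ServiceStopBlocked) {
    # Protection was not enforcing and we really stopped the agent: put it back.
    try { $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(20)) } catch {}
    Start-Service -Name $ServiceName -ErrorAction SilentlyContinue
    Write-Warning "Stopped and restarted $ServiceName; service control is NOT protected."
}

# 2. File directory: try to drop a uniquely named canary file beside the agent binaries.
$canary = Join-Path $InstallDir ('tp-probe-{0}.txt' -f [guid]::NewGuid().ToString('N'))
try {
    Set-Content -LiteralPath $canary -Value 'tamper protection probe' -ErrorAction Stop
    Remove-Item -LiteralPath $canary -Force -ErrorAction SilentlyContinue
    $result.DirectoryWriteBlocked = $false
} catch {
    # Any write failure counts as blocked, but keep the message: "path not found"
    # means $InstallDir is wrong, not that protection is on.
    $result.DirectoryWriteBlocked = $true
    $result.DirectoryWriteError   = $_.Exception.Message
}

# 3. Registry: try to add a value under the agent key, removing it if the write succeeded.
try {
    New-ItemProperty -Path $RegistryKey -Name 'TamperProbe' -Value 1 -PropertyType DWord -ErrorAction Stop | Out-Null
    Remove-ItemProperty -Path $RegistryKey -Name 'TamperProbe' -ErrorAction SilentlyContinue
    $result.RegistryWriteBlocked = $false
} catch {
    $result.RegistryWriteBlocked = $true
    $result.RegistryWriteError   = $_.Exception.Message
}

# 4. Version: resolve the service's binary from its configured command line and read its
#    file version (assumption: this tracks the rio agent version the KB refers to).
$path = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").PathName
if ($path -match '^"?([^"]+?\.exe)') {
    try {
        $fv = (Get-Item -LiteralPath $Matches[1]).VersionInfo.FileVersion
        $result.AgentBinaryVersion  = $fv
        $result.MeetsMinimumVersion = ([version]$fv -ge $MinVersion)
    } catch { $result.AgentBinaryVersion = "unreadable: $($_.Exception.Message)" }
}

[pscustomobject]$result | Format-List
if ($result.ServiceStopBlocked -and $result.DirectoryWriteBlocked -and $result.RegistryWriteBlocked) {
    'Tamper Protection is enforcing on this host.'
} else {
    'One or more controls are NOT enforced: check the portal toggle, exclusions, and agent version.'
}
```

Expect all three "Blocked" fields to be True on a protected host. A False for the directory or registry probe with an error mentioning a missing path points at a wrong placeholder path rather than at the feature, and a False on ServiceStopBlocked means the script genuinely stopped and restarted the agent, so run it during a maintenance window if you are unsure of the state.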
Troubleshooting
“What if I can still stop the services?”
If you’re able to stop the service, verify the feature is enabled in the administrator console of the Huntress Portal for that account/organization.
“What if the feature is enabled, but it’s still not working?”
If the feature is enabled, verify that the rio agent is version 0.6.7 or higher.
“Why can’t my RMM start the agent services?”
If your RMM runs as the Local System account (NT AUTHORITY\SYSTEM), it currently still has the ability to start, stop or even uninstall the services. Once Huntress adds additional filtering on the "Authorized Services", RMMs will no longer be able to modify the agents; at that point you will need to turn off the Tamper Protection feature in the Huntress administration console before servicing the agent through your RMM.
Current Limitations
Some operating systems are not supported
This feature is currently limited to Windows systems running the Huntress Huntmon kernel component, which is available on client OS Windows 8 and newer and on Windows Server 2012 and newer. Legacy Windows versions are not included in this feature. macOS is also not included in this feature; however, macOS already has built-in functionality that provides this protection by default.