Between 2023 and 2025 we have seen numerous cases where attackers managed to get past carefully built organizational defenses. Headlines have featured well-known EDR and antivirus products (including Bitdefender, Fortinet, McAfee, Microsoft, SentinelOne, Sophos, Symantec, Kaspersky and WithSecure) that attack tools have been able to stop or disable. One example is EDRKillShifter, a tool that disables several leading EDR products by loading a legitimately signed but vulnerable driver and abusing it from kernel mode (the "bring your own vulnerable driver" pattern). In short: a hacker shuts down EDR.
This highlights a critical point: an EDR agent is not automatically protected against attacks on itself. Without tamper protection, any process running with local admin rights, including a malicious one, can stop, uninstall or reconfigure the security agent.
What Does Tamper Protection Mean?
Tamper Protection is a feature that prevents:
- Stopping the EDR or AV agent (service stop, taskkill).
- Uninstalling the agent without a dedicated uninstall password or approval from the management console.
- Changing settings locally (for example, disabling real-time protection).
Properly implemented, this means that even an attacker who gains local admin rights cannot turn protection off from the endpoint itself. One caveat a practitioner should keep in mind: tamper protection guards against actions taken from user mode with admin rights. It is not a guarantee against code running in the kernel, which is exactly why the signed-driver abuse mentioned above (EDRKillShifter) still works against agents whose tamper protection is switched on.
Why Isn’t It Enabled by Default in EDR Products?
- Manageability: Admins must be able to troubleshoot. If protection were always forced, the agent could not be removed or changed even in error scenarios.
- Compatibility: In some organizations, EDR may conflict with business-critical applications, so exceptions must be possible.
- Deployment Flexibility: In test or POC environments, admins want to remove the agent easily without extra hurdles.
- Different Use Cases: For example, FortiClient is often deployed only as a VPN client, not as a full EDR, so agent protection isn't enabled by default.
In Microsoft's case, Tamper Protection is designed to protect against malware and unauthorized local changes, not to authenticate the user. A PIN or Windows Hello prompt wouldn't help, since malware doesn't go through the UI: it stops the service through the service control manager, rewrites Defender's settings in the registry or with Set-MpPreference, or loads a vulnerable signed driver to kill the agent process from the kernel.
In Practice – Centralized Management Is Required
In practice, the feature can only be reliably enforced through a centralized management solution. Unfortunately, many small and medium-sized Finnish companies take the path of least resistance and run the agent unmanaged. Where the setting lives for common products:
- Microsoft Defender (Win11): Tamper Protection is on by default on new consumer installs, but a local admin can toggle it off in Windows Security; keeping it on so that it cannot be turned off locally requires enforcing it via Intune (or the tenant-wide setting in the Defender portal)
- FortiClient / FortiEDR: Password Protection / Agent Protection via FortiClient EMS or FortiEDR Management Console
- Palo Alto Cortex XDR: Agent Protection + Uninstall Password via Cortex XDR Management Console
- F-Secure / WithSecure: Password/Tamper Protection via Elements Security Center (cloud) or Policy Manager (on-prem)
Common to all: real tamper protection only works when centrally managed.
Vendors Don’t All Have the Same Transparency
Not every vendor documents clearly how tamper protection (protection against stopping or uninstalling the agent) is implemented. That doesn't necessarily mean it is absent; some vendors fold it into broader self-protection without naming it as a separate feature.
For a company this matters: if the vendor does not explain how it works, it remains uncertain whether an attacker with admin rights could disable the agent. Ask the vendor for clarification, and test it in practice: from an admin shell on a test machine, try to stop the service, change a setting and uninstall the agent, then confirm that each attempt failed and that the management console reported it.
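The test just described, written out for Microsoft Defender as an added example (not code from the original article or from Microsoft): it reads the protection state, then deliberately attempts the two changes an attacker with local admin rights would make, stopping the antimalware service and switching off real-time protection, and reports whether each took effect. The `TamperProtectionSource` field exists only on recent Defender platform builds and is an assumption for older ones; third-party agents need the same test against their own service names and settings. Run it elevated in a test VM you control.

```powershell
# Added example: verify that Defender's tamper protection actually holds on this host.
# Not from the original article. Run elevated in a test VM; it attempts (and expects
# to fail) the changes an attacker with local admin rights would try.
#Requires -RunAsAdministrator

function Get-DefenderProtectionState {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        TamperProtected    = $s.IsTamperProtected
        TamperSource       = $s.TamperProtectionSource   # e.g. Intune, ATP, UI; empty on older builds (assumption)
        RealTimeProtection = $s.RealTimeProtectionEnabled
        ServiceStatus      = (Get-Service -Name WinDefend).Status
    }
}

function Test-DefenderTamperProtection {
    $start  = Get-Date
    $before = Get-DefenderProtectionState
    if (-not $before.TamperProtected) {
        Write-Warning 'Tamper protection is OFF: a local admin (or malware running as one) can switch Defender off.'
    }
    if (-not $before.RealTimeProtection) {
        Write-Warning 'Real-time protection is already off; nothing to test. Find out who turned it off, re-enable it and rerun.'
        return $before
    }

    # Attempt 1: the "net stop" / taskkill route. Defender runs as a protected service,
    # so this is expected to be denied on current Windows whether or not tamper
    # protection is on; it is recorded because it is what attackers try first.
    $serviceStopBlocked = $false
    try   { Stop-Service -Name WinDefend -Force -ErrorAction Stop }
    catch { $serviceStopBlocked = $true }

    # Attempt 2: the local configuration change. With tamper protection on, the cmdlet
    # may return without an error while the setting silently stays unchanged, so the
    # decisive check is the state afterwards, not whether an error was raised.
    try   { Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Stop }
    catch { Write-Verbose "Set-MpPreference reported: $($_.Exception.Message)" }
    Start-Sleep -Seconds 3
    $after = Get-DefenderProtectionState
    $settingChangeBlocked = [bool]$after.RealTimeProtection
    if (-not $settingChangeBlocked) {
        # Unprotected host: put real-time protection back before reporting.
        Set-MpPreference -DisableRealtimeMonitoring $false
    }

    # Event 5013 in the Defender operational log is written when tamper protection
    # blocks a change; its presence corroborates the result above.
    $blockedEvents = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = $start
    } -ErrorAction SilentlyContinue)

    $verdict = if ($settingChangeBlocked) { 'PASS: a local admin could not disable real-time protection' }
               else { 'FAIL: real-time protection was switched off from a local admin shell' }

    [pscustomobject]@{
        TamperProtected       = $before.TamperProtected
        TamperSource          = $before.TamperSource
        ServiceStopBlocked    = $serviceStopBlocked
        SettingChangeBlocked  = $settingChangeBlocked
        TamperBlockEventsSeen = $blockedEvents.Count
        Verdict               = $verdict
    }
}

Test-DefenderTamperProtection | Format-List
```

The value of the script is in the second attempt: a blocked service stop proves little on its own, but a `Set-MpPreference` call that leaves `RealTimeProtectionEnabled` at `True` (and writes event 5013) is the behaviour the article asks you to confirm. A `FAIL` with `TamperSource` empty is the unmanaged case described in the next section.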
Why Is the Risk High Without a Management Console?
If an organization doesn’t use Intune, FortiClient EMS, Cortex XDR Management, or WithSecure Policy Manager, the situation is problematic:
- A local admin can disable protection.
- Malware that has escalated to admin rights can do the same.
- The IT team has no visibility if the agent is disabled.
This means that while EDR may be installed on the machine, it may not actually be running at the critical moment.
Known Attacks Highlighting the Lack of Tamper Protection
- Scattered Spider (UNC3944): bypassed MFA and moved laterally using "living off the land" techniques. In many cases, EDR was present but had been disabled early in the intrusion.
- Crypto24 ransomware: built to disable EDR monitoring before doing its work.
- EDRKillShifter: able to shut down Sophos, SentinelOne, Defender, Bitdefender and Fortinet agents by loading and exploiting a vulnerable signed driver.
- IoT attacks (Mirai and variants): IoT devices cannot run EDR agents, so there is nothing for tamper protection to protect; only segmentation and hardening help.
Recommendations for Organizations
- Always use centralized management: any management model is better than none. Enable tamper protection and an uninstall password, so that the agent cannot be stopped or removed without admin approval.
- Segment IoT and other agentless devices. Attacks like Mirai target exactly where tamper protection isn't possible.
- Continuously monitor agent health. If an EDR stops reporting, that's as critical a signal as detecting malware itself.
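Two checks for the visibility gap described above and for the "monitor agent health" recommendation, as an added example that is not code from the original article or from any vendor. The first function reads one host's Windows event logs for the traces left when Defender or the Defender for Endpoint sensor is stopped or reconfigured, or when a new kernel-mode driver is installed (the trace a BYOVD EDR killer leaves). The second runs over an agent inventory and flags agents that have stopped checking in; the inventory below is constructed to look like a management-console export, and the host names and the two-hour silence threshold are assumptions.

```powershell
# Added example: surface the signals that an EDR agent has been stopped, reconfigured
# or attacked, and find agents that have gone silent. Not from the original article.
# Event IDs are the Microsoft Defender and Service Control Manager IDs; thresholds and
# host names are illustrative assumptions.

function Get-AgentTamperSignals {
    param([int]$Hours = 24)
    $since   = (Get-Date).AddHours(-$Hours)
    $signals = [System.Collections.Generic.List[object]]::new()

    # Defender Antivirus operational log: protection switched off, or a change blocked.
    $defenderIds = @{
        5001 = 'Real-time protection disabled'
        5010 = 'Malware scanning disabled'
        5012 = 'Virus scanning disabled'
        5013 = 'Tamper protection blocked a change'
    }
    $avEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$defenderIds.Keys
        StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $avEvents) {
        $signals.Add([pscustomobject]@{ Time = $e.TimeCreated; Log = 'Defender'; Id = $e.Id; Detail = $defenderIds[$e.Id] })
    }

    # System log, Service Control Manager: a security service stopped (7036) or set to
    # disabled (7040), and new kernel-mode driver services (7045), which is how a BYOVD
    # EDR killer gets its vulnerable signed driver loaded.
    $scmEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036, 7040, 7045
        StartTime    = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $scmEvents) {
        $msg = $e.Message          # localized text: adjust the patterns on non-English hosts
        if (-not $msg) { continue }
        $hit = switch ($e.Id) {
            7036 { if ($msg -match 'Defender|Sense' -and $msg -match 'stopped')  { 'Security service stopped' } }
            7040 { if ($msg -match 'Defender|Sense' -and $msg -match 'disabled') { 'Security service start type set to disabled' } }
            7045 { if ($msg -match 'kernel mode driver')                          { 'New kernel-mode driver service installed' } }
        }
        if ($hit) {
            $signals.Add([pscustomobject]@{ Time = $e.TimeCreated; Log = 'System'; Id = $e.Id; Detail = "$hit : $($msg.Split("`n")[0])" })
        }
    }
    $signals | Sort-Object Time
}

function Find-SilentAgents {
    param(
        [Parameter(Mandatory)] [object[]]$Inventory,   # objects with Hostname and LastSeen
        [int]$MaxSilenceHours = 2,                      # assumed threshold
        [datetime]$Now = (Get-Date)
    )
    foreach ($agent in $Inventory) {
        $silent = ($Now - [datetime]$agent.LastSeen).TotalHours
        if ($silent -gt $MaxSilenceHours) {
            [pscustomobject]@{ Hostname = $agent.Hostname; SilentForHours = [math]::Round($silent, 1) }
        }
    }
}

# Constructed sample inventory, shaped like a management-console export (assumed names).
$sampleInventory = @(
    [pscustomobject]@{ Hostname = 'ws-fin-01';   LastSeen = '2025-09-01T08:55:00' }
    [pscustomobject]@{ Hostname = 'ws-fin-02';   LastSeen = '2025-08-31T17:10:00' }
    [pscustomobject]@{ Hostname = 'srv-file-01'; LastSeen = '2025-09-01T09:00:00' }
)
Find-SilentAgents -Inventory $sampleInventory -Now ([datetime]'2025-09-01T09:05:00') | Format-Table -AutoSize

# On a live Windows host: events from the last two days.
Get-AgentTamperSignals -Hours 48 | Format-Table -AutoSize
```

`Find-SilentAgents` runs anywhere PowerShell runs and, on the sample, flags the workstation whose last check-in is from the previous evening; `Get-AgentTamperSignals` needs a Windows host with Defender. The point of the pairing is the one the article makes: a 5001 or 7036 event on the endpoint and a missing heartbeat in the console are the same incident seen from two sides, and the second is the only one you still get once the agent has been killed.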
Conclusion
The attacks of 2023 to 2025 have shown that simply installing an EDR is no longer enough. If tamper protection isn't enabled, an attacker can turn the EDR into a "dummy": present on the machine, but doing nothing. The hacker shuts down EDR.
Every organization should ask:
- Is our EDR agent protected with tamper protection?
- Is it centrally managed, or can a local admin disable it?
- Do we have visibility if the agent is turned off?
If the answer is unclear, the risk is high – and attackers know it.