Configuring the anti-tamper protection and password

Anti-tamper protection

Many advanced threats use techniques to disable the security software installed on computers. The anti-tamper protection prevents unauthorized changes to the way the protection works: a password is required to stop, pause, or remove the software.

The Advanced EDR anti-tamper protection works as follows:

  • The default Per-computer settings profile provided by the solution includes a unique, predefined password for each customer. This password cannot be changed because all default settings profiles are read-only.

  • The Per-computer settings profiles created by users allow the anti-tamper protection to be enabled or disabled according to the organization's needs.

The password you set when creating a security settings profile must be between 6 and 15 characters long.

Enabling/disabling the anti-tamper protection

  • From the top menu, select Settings. From the side menu, select Per-computer settings.

  • Select an existing settings profile or click Add to create a new one.

  • Select Security against unauthorized protection tampering:

    • Enable Anti-Tamper protection: Prevents users and certain types of malware from stopping the protections. Enabling this option requires setting up a password which will be required if, for example, the administrator or a support team member needs to temporarily disable the protection from a computer’s local console to diagnose a problem. Use the toggle at the right to enable and disable this feature in the settings profiles you create.

If you disable the Enable Anti-Tamper protection or Request password to uninstall the protection from computers toggles, a security warning appears when saving the settings. We do not recommend that you disable these security options.

Password-protection of the agent

You can set up a local password to prevent users from modifying the protection features or completely uninstalling the Advanced EDR software from their computers.

Setting up the local password

  • From the top menu, select Settings. From the side menu, select Per-computer settings.

  • Select an existing settings profile or click Add to create a new one.

  • Select Security against unauthorized protection tampering:

    • Request password to uninstall Cytomic from computers: Prevents users from uninstalling the Advanced EDR software, protecting it with a password.

    • Allow the protections to be temporarily enabled/disabled from a computer’s local console: Enables administrators to manage a computer’s security parameters from its local console. Enabling this option requires setting up a password.

Enabling Two-Factor Authentication (2FA)

Set two-factor authentication for the agent installed on devices to prevent unauthorized actions by third parties.

You can generate a single second authentication factor for the entire account or multiple factors, depending on the number of administrators that work with the console. As such, you can share a single authentication factor across various Per-computer settings profiles, or assign a separate factor to each Per-computer settings profile.

To assign a single authentication factor for the entire account (all Per-computer settings profiles share the same QR code):

  • From the top menu, select Settings. From the side menu, select Per-computer settings.

  • Select an existing settings profile or click Add to create a new one.

  • Select Security against unauthorized protection tampering.

  • Enable the Enable Two-Factor Authentication toggle.

  • Select Use a QR code shared across the entire account.

  • Click Show QR code. A dialog box opens that shows the QR code generated for all the Per-computer settings profiles in the account.

  • Scan the account QR code with the WatchGuard AuthPoint app (or similar).

  • Click Close.

  • Click Save.

To assign an authentication factor to a specific Per-computer settings profile:

  • From the top menu, select Settings. From the side menu, select Per-computer settings.

  • Select an existing settings profile or click Add to create a new one.

  • Select Security against unauthorized protection tampering.

  • Enable the Enable Two-Factor Authentication toggle.

  • Select Generate a QR code for this configuration.

  • Click GENERATE CODE.

  • Type a passphrase that contains a 6- to 20-character combination of letters and numbers. This passphrase is linked to the QR code generated by the console. You can reuse it in other Per-computer settings profiles.

  • Click SAVE CODE.

  • Click Close.

  • Click Save.

To assign an authentication factor to various Per-computer settings profiles:

  • From the top menu, select Settings. From the side menu, select Per-computer settings.

  • Select an existing settings profile or click Add to create a new one.

  • Select Security against unauthorized protection tampering.

  • Enable the Enable Two-Factor Authentication toggle.

  • Select Generate a QR code for this configuration.

  • Click GENERATE CODE.

  • Type a passphrase that you have already used in other Per-computer settings profiles. The same QR code is generated.

  • Click SAVE CODE.

  • Click Close.

  • Click Save.

Enabling protection when the computer starts in Safe Mode with networking

Some types of malware force Windows computers to restart in Safe Mode with networking enabled. In this mode, antivirus is automatically disabled and computers are vulnerable.

You can configure Advanced EDR to protect computers when they start in Safe Mode with networking enabled, so that all configured protections remain active and working normally.

To protect Windows computers that start in Safe Mode with networking: 

  • From the top menu, select Settings. From the side menu, select Per-computer settings.

  • Select an existing settings profile or click Add to create a new one.

  • Select Security against unauthorized protection tampering.

  • Enable the Enable protection when Windows computers start in Safe Mode toggle.
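A defender-side check for the Safe Mode behaviour described in this section, as an added example that is not part of the Advanced EDR documentation or product: it reports whether a Windows computer is currently running in Safe Mode and whether its boot entry is flagged to start in Safe Mode on the next restart. The function name `Get-SafeBootState` and the output field names are hypothetical; the script assumes an elevated PowerShell session.

```powershell
# Added example, not vendor code. Get-SafeBootState is a hypothetical helper name.
# Run from an elevated PowerShell prompt: bcdedit needs administrator rights.
function Get-SafeBootState {
    [CmdletBinding()]
    param()

    # 1) Is Windows running in Safe Mode right now?
    #    The SafeBoot\Option key is only present during a Safe Mode session.
    $optionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option'
    $current = 'Normal'
    $opt = Get-ItemProperty -Path $optionKey -Name OptionValue -ErrorAction SilentlyContinue
    if ($opt) {
        $current = switch ($opt.OptionValue) {
            1       { 'SafeMode-Minimal' }
            2       { 'SafeMode-Network' }
            default { "SafeMode-Other($($opt.OptionValue))" }
        }
    }

    # 2) Is the current boot entry flagged to start in Safe Mode on the next restart?
    #    A "safeboot" element in the BCD entry means the flag is set.
    $pending = 'None'
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    if ($LASTEXITCODE -ne 0) {
        $pending = 'Unknown (bcdedit failed; session not elevated?)'
    } else {
        $line = $bcd | Where-Object { $_ -match '^\s*safeboot\s+\S+' } | Select-Object -First 1
        if ($line -match '^\s*safeboot\s+(\S+)') { $pending = $Matches[1] }
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        CurrentBoot     = $current
        PendingSafeBoot = $pending
        # Flag the machine when it is in Safe Mode now or will be after a restart.
        NeedsReview     = ($current -ne 'Normal') -or ($pending -notmatch '^(None|Unknown)')
    }
}

Get-SafeBootState | Format-List
```

A `PendingSafeBoot` value of `Network` on a computer that nobody deliberately reconfigured is the condition this section's setting is meant to cover.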