Defender for Endpoint successfully passes the AV-Comparatives 2025 Anti-Tampering Test

The rise of tampering attacks

In cybersecurity, anti-tampering protection refers to the defensive measures designed to prevent unauthorized modifications to security systems, policies, and settings. When threat actors compromise an organization, they often start by tampering with security solutions in an effort to further exploit and achieve persistence within the environment. Common tampering tactics include disabling or altering antivirus and endpoint detection and response (EDR) tools, turning off real-time protection and security intelligence updates, editing high-value device and access policies, and creating exclusions that allow malicious activities to go undetected. After having tampered successfully, attackers gain valuable time to install malicious tools, exfiltrate data, move laterally, and launch ransomware attacks. 

In recent years, Microsoft has observed a significant volume of attacks involving antivirus tampering. In May 2024 alone, Microsoft Defender XDR detected over 176,000 incidents involving tampering with security settings, impacting more than 5,600 organizations ¹. On average, during that time frame, organizations that encountered tampering activity saw over 31 attempts. Techniques observed by Microsoft include Windows Registry modifications, use of malicious tooling such as NSudo (Defeat Defender), Defender Control, Configure Defender, ToggleDefender, custom malicious PowerShell or batch scripts, and driver tampering. 

Defender for Endpoint effectively thwarts tampering attacks 

Microsoft Defender for Endpoint offers robust anti-tampering capabilities that protect against end-user and third-party security settings changes, even in the context of a privileged user. These built-in controls can prevent local and non-authorized remote administrators from altering critical settings at the organizational, platform, and device levels – you can even create specific rules for high-value device types such as domain controllers. This means that you are automatically protected against common tampering tactics used by attackers including the modification of registry settings, DLLs, file systems, and agents. On top of that, any attempt to create exclusions in your antivirus and EDR tools or to terminate or suspend your system processes and services will be thwarted. These settings are on-by-default for all Defender for Endpoint customers, delivering comprehensive anti-tampering protection from day one. 

We are pleased to announce that AV-Comparatives has certified Microsoft Defender for Endpoint for successfully thwarting all tampering attempts levied during the 2025 Anti-Tampering Test.  The test involved rigorous evaluation of security solutions to defend against sophisticated attack techniques aimed at disabling or bypassing protection mechanisms. This includes attempts to disable or modify Windows kernel components and disable or terminate processes in the Windows user space. Even under sustained attack (various tests, tools, and procedures designed to penetrate our anti-tampering controls), Defender for Endpoint demonstrated its ability to maintain protection. This evaluation not only validates the effectiveness of our advanced tampering and defense evasion controls but also reinforces Defender for Endpoint’s position as a leader in endpoint detection and response.  

Defender for Endpoint successfully thwarted 100% of the tampering attacks made against the categories shown above in AV-Comparatives 2025 Anti-Tampering Test 

Learn more

Explore the following resources to learn more about how Defender for Endpoint defends against tampering attacks: 

• Protect security settings with tamper protection 

• Protect your organization from the effects of tampering

See additional evaluation results for Defender for Endpoint, demonstrating the industry-leading effectiveness of our endpoint security solution:  

• Microsoft is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms 

• Microsoft Defender XDR demonstrates 100% detection coverage across all cyberattack stages in the 2024 MITRE ATT&CK® Evaluations: Enterprise 

• Forrester names Microsoft a Leader in the 2023 Endpoint Security Wave™ report 

• AV-Comparatives awards 2024 for Microsoft 

• AV-Comparatives antivirus tests performed on Microsoft Defender 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

¹ Microsoft Digital Defense Report 2024