AV-Comparatives has recognized Microsoft Defender for Endpoint for successfully thwarting all tampering attempts levied during the 2025 Anti-Tampering Test.
The rise of tampering attacks
In cybersecurity, anti-tampering protection refers to the defensive measures designed to prevent unauthorized modifications to security systems, policies, and settings. When threat actors compromise an organization, they often start by tampering with security solutions in an effort to extend their intrusion and establish persistence within the environment. Common tampering tactics include disabling or altering antivirus and endpoint detection and response (EDR) tools, turning off real-time protection and security intelligence updates, editing high-value device and access policies, and creating exclusions that allow malicious activities to go undetected. Once tampering succeeds, attackers gain valuable time to install malicious tools, exfiltrate data, move laterally, and launch ransomware attacks.
In recent years, Microsoft has observed a significant volume of attacks involving antivirus tampering. In May 2024 alone, Microsoft Defender XDR detected over 176,000 incidents involving tampering with security settings, impacting more than 5,600 organizations ¹. On average, during that time frame, organizations that encountered tampering activity saw over 31 attempts. Techniques observed by Microsoft include Windows Registry modifications, use of malicious tooling such as NSudo (Defeat Defender), Defender Control, Configure Defender, ToggleDefender, custom malicious PowerShell or batch scripts, and driver tampering.
Defender for Endpoint effectively thwarts tampering attacks
Microsoft Defender for Endpoint offers robust anti-tampering capabilities that protect against end-user and third-party security settings changes, even in the context of a privileged user. These built-in controls can prevent local and non-authorized remote administrators from altering critical settings at the organizational, platform, and device levels – you can even create specific rules for high-value device types such as domain controllers. This means that you are automatically protected against common tampering tactics used by attackers, including the modification of registry settings, DLLs, file systems, and agents. On top of that, any attempt to create exclusions in your antivirus and EDR tools or to terminate or suspend your system processes and services will be thwarted. These settings are on by default for all Defender for Endpoint customers, delivering comprehensive anti-tampering protection from day one.
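As an added example (not from this post and not Microsoft's own tooling), the following PowerShell audit checks an endpoint for the tampering indicators described in the two sections above: tamper protection and real-time protection state, configured exclusions, the Defender policy registry values that tampering tools flip, and the state of the Defender services. It assumes an elevated session on a Windows machine where the Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference) is available.

```powershell
# Added example: audit an endpoint for common Defender tampering indicators.
# Assumes an elevated PowerShell session with the Defender module installed.

$findings = @()

# 1. Tamper protection, real-time protection, and engine state
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected)          { $findings += "Tamper protection is OFF" }
if (-not $status.RealTimeProtectionEnabled)  { $findings += "Real-time protection is OFF" }
if (-not $status.AntivirusEnabled)           { $findings += "Antivirus engine is disabled" }

# 2. Exclusions that could let malicious activity go undetected
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    $list = $pref.$kind
    if ($list) { $findings += "$kind configured: $($list -join ', ')" }
}
if ($pref.DisableRealtimeMonitoring) { $findings += "DisableRealtimeMonitoring preference is set" }

# 3. Policy registry values commonly modified by tampering tools and scripts
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
    $val = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -eq 1) { $findings += "Registry policy $name = 1 under $policyKey" }
}
$rtpKey = Join-Path $policyKey 'Real-Time Protection'
$rtp = (Get-ItemProperty -Path $rtpKey -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
if ($rtp -eq 1) { $findings += "Registry policy DisableRealtimeMonitoring = 1 under $rtpKey" }

# 4. Defender AV (WinDefend) and EDR sensor (Sense) services should be running;
#    tampering often stops, suspends, or removes them
foreach ($svc in 'WinDefend', 'Sense') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s)                      { $findings += "Service $svc not present" }
    elseif ($s.Status -ne 'Running')  { $findings += "Service $svc is $($s.Status)" }
}

if ($findings.Count -eq 0) { "No tampering indicators found." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Any FINDING line is a starting point for investigation; on a healthy tenant with tamper protection enforced, the registry values and service states checked here should not be changeable by a local administrator.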
We are pleased to announce that AV-Comparatives has certified Microsoft Defender for Endpoint for successfully thwarting all tampering attempts levied during the 2025 Anti-Tampering Test. The test involved rigorous evaluation of security solutions to defend against sophisticated attack techniques aimed at disabling or bypassing protection mechanisms. This includes attempts to disable or modify Windows kernel components and disable or terminate processes in the Windows user space. Even under sustained attack (various tests, tools, and procedures designed to penetrate our anti-tampering controls), Defender for Endpoint demonstrated its ability to maintain protection. This evaluation not only validates the effectiveness of our advanced tampering and defense evasion controls but also reinforces Defender for Endpoint’s position as a leader in endpoint detection and response.
Figure: Defender for Endpoint successfully thwarted 100% of the tampering attacks made against each tested category in the AV-Comparatives 2025 Anti-Tampering Test.
Learn more
Explore the following resources to learn more about how Defender for Endpoint defends against tampering attacks:
See additional evaluation results for Defender for Endpoint, demonstrating the industry-leading effectiveness of our endpoint security solution:
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
Updated May 15, 2025
Version 1.0
amibarayev
Microsoft
Microsoft Defender for Endpoint Blog