"Anti-Tampering" certification for Defender for Endpoint (2025)


Introduction

Microsoft recently announced that Microsoft Defender for Endpoint has successfully passed the 2025 anti-tampering tests conducted by AV-Comparatives, a recognized independent organization for evaluating cybersecurity solutions. This recognition confirms the robustness of Defender for Endpoint’s protection mechanisms against attempts to disable or maliciously modify its security settings.


What is anti-tampering protection?

Anti-tampering protection refers to all the mechanisms designed to prevent unauthorized modifications to a system’s security settings. When an attacker compromises an environment, one of their first actions is often to disable or bypass security solutions (antivirus, EDR, updates, etc.) in order to remain undetected, install malicious tools, exfiltrate data, or launch attacks such as ransomware.


A very real threat

Microsoft has observed a significant increase in attacks involving attempts to disable security. In May 2024, Microsoft Defender XDR detected more than 176000 tampering incidents, affecting over 5600 organizations. On average, each targeted organization experienced more than 31 unauthorized tampering attempts.

Techniques used include:

  • Windows registry modifications
  • Malicious tools such as NSudo, Defender Control, Configure Defender, and ToggleDefender
  • Custom PowerShell or batch scripts
  • System driver tampering

How Microsoft Defender for Endpoint protects against these attacks

Microsoft Defender for Endpoint includes anti-tampering protection enabled by default for all customers. It prevents:

  • Unauthorized local or remote changes to security settings
  • Disabling real-time protection
  • Creating exclusions in antivirus or EDR tools
  • Suspending or terminating critical security processes
  • Modifications to system files, DLLs, agents, or security policies

Even local administrators or privileged users cannot bypass these protections without explicit authorization, significantly strengthening endpoint resilience.
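As an added example (not code from the original post or from Microsoft), the following PowerShell audit lets an administrator verify on an endpoint that tamper protection is actually on and surface recent attempts that it blocked. It assumes the built-in Defender PowerShell module, an elevated session on the endpoint itself, and Event ID 5013 in the Defender operational log as the "tamper protection blocked a change" event.

```powershell
# Added example (not from the original post): audit the tamper-protection state
# of a Windows endpoint and surface recent blocked tampering attempts.
# Assumes the built-in Defender module and an elevated session on the endpoint.

function Get-TamperProtectionAudit {
    [CmdletBinding()]
    param(
        # Look-back window for blocked tampering events
        [int]$Days = 7
    )

    # Get-MpComputerStatus exposes IsTamperProtected next to the other protection flags.
    $status = Get-MpComputerStatus

    # Event ID 5013 = tamper protection blocked a configuration change.
    $since = (Get-Date).AddDays(-$Days)
    $blocked = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = $since
    } -ErrorAction SilentlyContinue   # no matching events is not an error here

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        TamperProtectionEnabled  = $status.IsTamperProtected
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        BehaviorMonitoring       = $status.BehaviorMonitorEnabled
        AntivirusServiceRunning  = $status.AMServiceEnabled
        BlockedTamperEventsCount = @($blocked).Count
        # Get-WinEvent returns newest first, so [0] is the most recent block
        LastBlockedTamperEvent   = if ($blocked) { $blocked[0].TimeCreated } else { $null }
    }
}

$audit = Get-TamperProtectionAudit -Days 7
$audit | Format-List

# Either condition is a finding worth a ticket: tamper protection should be on
# everywhere, and a 5013 event means something tried to switch protection off.
if (-not $audit.TamperProtectionEnabled) {
    Write-Warning "Tamper protection is OFF on $($audit.ComputerName)."
}
if ($audit.BlockedTamperEventsCount -gt 0) {
    Write-Warning "$($audit.BlockedTamperEventsCount) blocked tampering attempt(s) in the last 7 days."
}
```

At fleet scale the same object can be collected through Intune or Defender advanced hunting rather than per host; the local check is useful when validating a single machine or a new image.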


AV-Comparatives 2025 Certification

During the 2025 Anti-Tampering Test in April 2025, AV-Comparatives subjected Microsoft Defender for Endpoint to a series of simulated attacks aimed at disabling or impairing its protections.

Test | Result
--- | ---
User-space processes (terminate, suspend, etc.) | Success ✅
User-space services (pause, stop, disable, uninstall, etc.) | Success ✅
Registry keys (delete, remove, rename, add, etc.) | Success ✅
DLLs (manipulation, modification, hijacking, etc.) | Success ✅
Agent integrity (disable, modify, uninstall, etc.) | Success ✅
File system (manipulation, modification, etc.) | Success ✅
Kernel drivers (ELAM driver, Filter driver, Minifilter driver, etc.) | Success ✅
Other components and functions (connection to update services, etc.) | Success ✅

Result: all attempts were successfully blocked, demonstrating the effectiveness of the built-in defense mechanisms.

This certification places Microsoft Defender for Endpoint among the most reliable solutions on the market for protecting workstations and servers against malicious tampering.

Why it’s important for organizations:

  • Reduced risk of compromise: attackers are prevented from disabling defenses.
  • Strengthened compliance: the integrity of security policies is ensured.
  • Less maintenance: protections are active by default and do not require complex configuration.
  • Protection of critical environments: specific rules can be created for domain controllers or other sensitive systems.

Conclusion

The AV-Comparatives 2025 certification confirms that Microsoft Defender for Endpoint is a leading security solution, capable of withstanding even the most sophisticated evasion attempts. In a context where attacks targeting security tools are increasingly common, this ability to protect the protections themselves has become essential.

For organizations, this means greater resilience, reduced risk, and increased confidence in their cybersecurity posture.


Sources

Microsoft - Techcommunity

AV-Comparatives - Anti-Tampering Certification for Microsoft Defender for Endpoint

Microsoft Learn - Protect your organization against tampering

Gartner - Magic Quadrant Endpoint Protection
