This topic describes how to view the status of tamper protection for your assets.

Background information

The tamper protection feature monitors changes to directories and files in real time and blocks suspicious file changes. To view the status and details of tamper protection in the Security Center console, choose Defense > Tamper Protection > Protection.
  • Statistics overview

    In the statistics overview module, you can view the total number of changed files on the current day and in the last 15 days, the number of protected servers and directories, the number of suspicious processes blocked by tamper protection, the number of processes in the whitelist, and the total number of tamper protection licenses purchased for your current account.

  • Distribution of protected file types

    Protected file types include .txt, .png, .msi, and .zip files. You can also manually add more types of files for protection.

    Note: All types of files can be added for tamper protection.
  • Top five files with the largest number of changes

    This module shows the names and paths of the five files with the largest number of changes in the last 15 days.

  • Top five blocked processes

    This module displays the five suspicious processes that were most frequently blocked by tamper protection in the last 15 days.

  • Alert details

    The tamper protection feature helps you block all suspicious changes to directories and files on your assets. On the alert details page, you can view the alerts of these changes, including the severity, alert name, affected assets, changed directories, suspicious process name, and protection status.

    • If the number of alerts exceeds 100, we recommend that you process these alerts at your earliest opportunity.
    • Only alerts at the Moderate level are displayed in the console.
    • Only alerts in the Defended state are displayed. This state indicates that the tamper protection feature has blocked the suspicious processes that attempted to make unauthorized file changes. If a blocked process is required in your workloads, you can add the process to the tamper protection whitelist so that it is no longer blocked. For more information, see Add blocked processes to the whitelist.