Bypass Record

Tamper-Protection Bypass × Microsoft Windows Defender

A publicly reported instance of a Tamper-Protection Bypass against Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: Medium
Status: poc
Disclosed: 2026-02-19
Config / version noted: Not stated

Provenance

Reported as

Defender cannot open the process with terminate or write rights, blocking remediation actions like process kill or file quarantine.

Mechanism

A kernel-mode driver sets the PS_PROTECTION field of a target process to WinTcb-Light (0x61). Because WinTcb signer level (6) is higher than Defender's Antimalware level (3), Defender cannot open the process with terminate or write rights, blocking remediation actions like process kill or file quarantine.

Detection & mitigation

Monitor for kernel driver loads (Sysmon Event ID 6) and for process protection level changes (e.g., via ETW or custom kernel callbacks) in which a non-system process is elevated to WinTcb-Light (0x61). Enforce driver signing policies, enable HVCI/VBS, and restrict SeLoadDriverPrivilege so that unauthorized kernel drivers cannot be loaded.
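As an added example (not code from the cited source or from this record), a small Python helper that decodes PS_PROTECTION bytes, flags processes whose signer level outranks Defender's Antimalware level but that are not in an assumed baseline of WinTcb-Light OS images, and filters Sysmon Event ID 6 records for drivers without a valid Microsoft signature; the baseline set, the process snapshot and the event records are constructed.

```python
"""Decode PS_PROTECTION bytes and flag processes elevated to WinTcb-Light.
Added example, not code from the cited source. The baseline of images that
legitimately run at WinTcb-Light and the sample data are assumptions.
"""
from typing import Dict, List, Tuple

# PS_PROTECTION byte layout: bits 0-2 = type, bit 3 = audit, bits 4-7 = signer.
PROTECTED_TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
SIGNERS = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
           4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App"}
ANTIMALWARE_SIGNER = 3  # signer level Defender's engine runs at (0x31)

# Assumed baseline: core OS images expected at WinTcb-Light on a normal host.
EXPECTED_WINTCB_LIGHT = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe"}


def decode_protection(value: int) -> Tuple[str, str]:
    """Return (type, signer) names for a PS_PROTECTION byte such as 0x61."""
    return (PROTECTED_TYPES.get(value & 0x7, "Unknown"),
            SIGNERS.get(value >> 4, "Unknown"))


def suspicious_processes(snapshot: Dict[str, int]) -> List[str]:
    """Images whose signer outranks Antimalware but are not in the baseline."""
    hits = []
    for image, prot in snapshot.items():
        if (prot >> 4) > ANTIMALWARE_SIGNER and image.lower() not in EXPECTED_WINTCB_LIGHT:
            ptype, signer = decode_protection(prot)
            hits.append(f"{image}: {signer}-{ptype} (0x{prot:02x})")
    return hits


def unexpected_driver_loads(events: List[Dict[str, str]]) -> List[str]:
    """Sysmon Event ID 6 records whose image lacks a valid Microsoft signature."""
    return [e["ImageLoaded"] for e in events
            if e.get("EventID") == "6"
            and not (e.get("SignatureStatus") == "Valid"
                     and e.get("Signature", "").startswith("Microsoft"))]


# Constructed data: a process snapshot (image -> PS_PROTECTION byte) and
# two Sysmon-style driver-load events, not taken from any real host.
SAMPLE_SNAPSHOT = {"csrss.exe": 0x61, "MsMpEng.exe": 0x31,
                   "notepad.exe": 0x00, "custom_agent.exe": 0x61}
SAMPLE_EVENTS = [
    {"EventID": "6", "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": "6", "ImageLoaded": r"C:\Users\Public\tools\agent_drv.sys",
     "Signature": "Example Vendor", "SignatureStatus": "Valid"},
]
```

In a real pipeline the snapshot would come from the kernel-callback or ETW feed mentioned above, and the two lists would be correlated in time: an unexpected driver load shortly followed by a new WinTcb-Light process is the pattern this record describes.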

Tamper-Protection Bypass has also been recorded against

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.