Bypass Record

Tamper-Protection Bypass × Microsoft Defender

A publicly reported instance of a tamper-protection bypass against Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender
Technique
Tamper-Protection Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
in the wild
Disclosed
2026-04-17
Config / version noted
Not stated

Provenance

Reported as

Microsoft disclosed two zero-day vulnerabilities in Microsoft Defender that are actively being exploited. The flaws allow attackers to bypass detection or compromise the security agent.

Mechanism

The article does not detail the technical method, only stating that the vulnerabilities are in Microsoft Defender and are actively exploited.

Detection & mitigation

Monitor for unexpected changes to Microsoft Defender's tamper protection settings (e.g., registry modifications, policy changes) and correlate with security event logs for signs of service disruption or unauthorized configuration changes. Mitigate by enforcing tamper protection via Intune or Group Policy and ensuring Defender is updated to the latest version.
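One way to check the two signals described above from a Defender host, as an added example that is not part of the cited report: it reads the tamper-protection state exposed by Get-MpComputerStatus and the Features\TamperProtection registry value, then pulls recent Defender operational events for correlation. The registry value meanings (5 = on, 4 = off) and the event IDs used (5001 real-time protection disabled, 5013 tamper protection blocked a change) are assumptions taken from Microsoft's public documentation, not from this record; the script assumes an elevated session on a Windows host with Defender installed.

```powershell
# Added example (not from the cited report): snapshot Defender tamper-protection
# state and collect recent related events for triage/correlation.

function Get-TamperProtectionState {
    $status   = Get-MpComputerStatus
    $regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $regValue = (Get-ItemProperty -Path $regPath -Name TamperProtection `
                 -ErrorAction SilentlyContinue).TamperProtection
    [pscustomobject]@{
        IsTamperProtected     = $status.IsTamperProtected
        RegistryValue         = $regValue      # assumption: 5 = on, 4 = off
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        AntivirusSignatureAge = $status.AntivirusSignatureAge   # days since last update
        AMEngineVersion       = $status.AMEngineVersion
    }
}

function Get-TamperProtectionEvents {
    param([int]$Hours = 24)
    # Assumed event IDs: 5001 = real-time protection disabled,
    #                    5013 = tamper protection blocked a settings change.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @(5001, 5013)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state = Get-TamperProtectionState
$state | Format-List

# Tamper protection off, or the registry value disagreeing with the reported
# status, is the unexpected configuration change the note says to look for.
if (-not $state.IsTamperProtected -or $state.RegistryValue -ne 5) {
    Write-Warning 'Tamper protection is not enforced: check Intune/Group Policy and review recent changes.'
}

Get-TamperProtectionEvents -Hours 24 | Format-Table -AutoSize
```

Run it on a schedule or from an EDR live-response session and forward the warning plus the event rows to the SIEM alongside registry-change auditing for the Windows Defender key.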

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.