Description
We need to soften the claims we're making about Tamper Protection. They are confusing users and leading to well-intentioned but misguided vulnerability reports.
Tamper Protection is a defense-in-depth feature that raises the bar a bit by blocking some approaches that a casual user with admin rights might use to disable Defend, such as running the `uninstall` command (plus a few other things). Uninstalling Agent and/or Defend requires admin rights, so effectively Tamper Protection only applies to users with admin rights. Tamper Protection does not provide comprehensive protection against all admin attacks. It will not prevent a skilled malicious admin (or one using a tool written by a skilled developer) from disabling the Agent/Endpoint.

By OS design, admins are very powerful, with the ability to modify/sabotage core OS files and settings, uninstall security patches, change critical network settings, or even replace the OS with a different one. Tamper Protection cannot (and will not) interfere with many types of legitimate administrative actions; such interference risks compromising system stability.
Please update this page to soften the wording. Consider replacing claims like:

> For hosts enrolled in {{elastic-defend}}, you can prevent unauthorized attempts to uninstall {{agent}} and {{elastic-endpoint}} by enabling Agent tamper protection on the Agent policy. This offers an additional layer of security by preventing users from bypassing or disabling {{elastic-defend}}'s endpoint protections.
>
> When enabled, {{agent}} and {{elastic-endpoint}} can only be uninstalled on the host by including an uninstall token in the uninstall CLI command. One unique uninstall token is generated per Agent policy, and you can retrieve uninstall tokens in an Agent policy's settings or in the {{fleet}} UI.

With something like:

> For hosts enrolled in {{elastic-defend}}, you can add a layer of security against disablement by casual users by enabling Agent tamper protection on the Agent policy.
>
> When enabled, the `uninstall` CLI command for {{agent}} and {{elastic-endpoint}} requires a unique uninstall token. One unique uninstall token is generated per Agent policy, and you can retrieve uninstall tokens in an Agent policy's settings or in the {{fleet}} UI.
>
> > [!NOTE]
> > Tamper Protection is a defense-in-depth capability which does not provide comprehensive protection against all administrative attacks. Administrators are in control of the security of a device and can change core OS settings, alter key system files, uninstall security patches, or even replace the OS entirely. To prevent users from uninstalling or sabotaging Elastic Defend, refrain from granting them administrative rights.
Resources
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
No differences.
What release is this request related to?
N/A
Serverless release
It's an existing feature.
Collaboration model
The documentation team
Point of contact.
Main contact: @gabriellandau
Stakeholders: @roxana-gheorghe @nfritts