Tamper resistance
What this page is
The tamper-resistance module that hardens the EDR sensor against adversarial interference, including PPL configuration, service ACL hardening, watchdog process architecture, ETW/AMSI integrity checks, and filesystem ACL enforcement.
Why it exists this way
EDR sensors are high-value targets for kernel-mode malware and privileged threat actors. Without active tamper resistance, an adversary with SYSTEM privileges can stop the sensor service, unload the minifilter, patch the AMSI provider, or disable ETW trace sessions. The guard module implements defence-in-depth hardening that makes each of these attacks detectable and, in some cases, reversible within 60 seconds.
How it works
The edr_windows::guard module applies hardening in five layers at sensor startup:
Layer 1: Protected Process Light (PPL)
The sensor process is registered as a PPL with signer type PsProtectedSignerAntimalware and protection level PsProtectedSignerAntimalware-Light. This prevents non-PPL processes (even those running as SYSTEM) from opening the sensor process with PROCESS_VM_WRITE, PROCESS_TERMINATE, or PROCESS_SUSPEND_RESUME. The PPL configuration is applied via the ELAM (Early Launch Anti-Malware) registry key under HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch.
If the sensor binary is signed with a certificate trusted by the Windows kernel, PPL is enforced by the kernel. If unsigned (dev builds), PPL is registered but not enforced; the watchdog logs a warning.
Layer 2: Service ACL hardening
The sensor's Windows service (AuroraEDR) is configured with a custom SDDL security descriptor that grants only SYSTEM and Administrators the SERVICE_START | SERVICE_STOP | SERVICE_QUERY_STATUS rights. SERVICE_CHANGE_CONFIG and DELETE are revoked from all principals, including Administrators, so that even a domain admin cannot alter the service binary path or delete the service without first changing ownership.
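The following is an added example, not AuroraEDR project code: a small SDDL DACL parser and policy check that a deployment script or the guard module could run against the descriptor returned by sc.exe sdshow (or QueryServiceObjectSecurity) to confirm the Layer 2 policy actually took effect. The two-letter rights tokens are the standard service-object mapping from winsvc.h; the sample SDDL strings in main() and the test are constructed. The policy encoded here is exactly what the paragraph states (only SY and BA, only START | STOP | QUERY_STATUS, never CHANGE_CONFIG or DELETE); note that without READ_CONTROL the same principals can no longer read the descriptor back, so a real deployment may decide to keep RC.

```rust
use std::collections::BTreeMap;

// Service-specific access rights (winsvc.h) and the standard rights that an
// SDDL string can grant on a service object.
pub const SERVICE_QUERY_CONFIG: u32 = 0x0001;
pub const SERVICE_CHANGE_CONFIG: u32 = 0x0002;
pub const SERVICE_QUERY_STATUS: u32 = 0x0004;
pub const SERVICE_START: u32 = 0x0010;
pub const SERVICE_STOP: u32 = 0x0020;
pub const DELETE: u32 = 0x0001_0000;

/// Rights the Layer 2 policy allows for SYSTEM (SY) and Administrators (BA).
pub const POLICY_RIGHTS: u32 = SERVICE_START | SERVICE_STOP | SERVICE_QUERY_STATUS;
/// Rights that must not be granted to any principal.
pub const FORBIDDEN_RIGHTS: u32 = SERVICE_CHANGE_CONFIG | DELETE;

/// Map an SDDL two-letter rights token to its bit value.
fn right_bits(token: &str) -> Option<u32> {
    Some(match token {
        "CC" => SERVICE_QUERY_CONFIG,
        "DC" => SERVICE_CHANGE_CONFIG,
        "LC" => SERVICE_QUERY_STATUS,
        "SW" => 0x0008,      // SERVICE_ENUMERATE_DEPENDENTS
        "RP" => SERVICE_START,
        "WP" => SERVICE_STOP,
        "DT" => 0x0040,      // SERVICE_PAUSE_CONTINUE
        "LO" => 0x0080,      // SERVICE_INTERROGATE
        "CR" => 0x0100,      // SERVICE_USER_DEFINED_CONTROL
        "SD" => DELETE,
        "RC" => 0x0002_0000, // READ_CONTROL
        "WD" => 0x0004_0000, // WRITE_DAC
        "WO" => 0x0008_0000, // WRITE_OWNER
        _ => return None,    // generic rights (GA/GR/...) are rejected as out of policy
    })
}

#[derive(Debug, Clone, PartialEq)]
pub struct Ace {
    pub allow: bool,
    pub rights: u32,
    pub sid: String,
}

/// Decode a rights field, either concatenated two-letter tokens or a 0x hex value.
fn parse_rights(field: &str) -> Result<u32, String> {
    if let Some(hex) = field.strip_prefix("0x").or_else(|| field.strip_prefix("0X")) {
        return u32::from_str_radix(hex, 16).map_err(|e| e.to_string());
    }
    if field.len() % 2 != 0 {
        return Err(format!("odd-length rights field: {field}"));
    }
    let mut bits = 0;
    for i in (0..field.len()).step_by(2) {
        let tok = &field[i..i + 2];
        bits |= right_bits(tok).ok_or(format!("unknown rights token {tok}"))?;
    }
    Ok(bits)
}

/// Parse the DACL ("D:" section) of an SDDL string into its ACEs.
pub fn parse_dacl(sddl: &str) -> Result<Vec<Ace>, String> {
    let start = sddl.find("D:").ok_or("SDDL has no DACL section")? + 2;
    let rest = &sddl[start..];
    let dacl = &rest[..rest.find("S:").unwrap_or(rest.len())];
    let mut aces = Vec::new();
    for chunk in dacl.split(')') {
        // Text before the first '(' is DACL control flags such as "P" or "AI".
        let body = match chunk.find('(') {
            Some(i) => &chunk[i + 1..],
            None if chunk.trim().is_empty() => continue,
            None => return Err(format!("malformed DACL fragment: {chunk}")),
        };
        let f: Vec<&str> = body.split(';').collect();
        if f.len() != 6 {
            return Err(format!("ACE has {} fields, expected 6: {body}", f.len()));
        }
        let allow = match f[0] {
            "A" => true,
            "D" => false,
            other => return Err(format!("unsupported ACE type {other}")),
        };
        aces.push(Ace { allow, rights: parse_rights(f[2])?, sid: f[5].to_string() });
    }
    Ok(aces)
}

/// Compare a service DACL against the policy. An empty finding list means compliant.
pub fn check_service_policy(sddl: &str) -> Result<Vec<String>, String> {
    let mut findings = Vec::new();
    let mut granted: BTreeMap<String, u32> = BTreeMap::new();
    for ace in parse_dacl(sddl)? {
        if !ace.allow {
            continue; // deny ACEs can only tighten access
        }
        let rights = ace.rights;
        if ace.sid != "SY" && ace.sid != "BA" {
            findings.push(format!("{}: unexpected principal granted 0x{:x}", ace.sid, rights));
        }
        let extra = rights & !POLICY_RIGHTS;
        if (extra & FORBIDDEN_RIGHTS) != 0 {
            findings.push(format!("{}: granted CHANGE_CONFIG or DELETE", ace.sid));
        } else if extra != 0 {
            findings.push(format!("{}: rights outside policy 0x{:x}", ace.sid, extra));
        }
        *granted.entry(ace.sid).or_insert(0) |= rights;
    }
    for p in ["SY", "BA"] {
        if granted.get(p).map_or(true, |r| (r & POLICY_RIGHTS) != POLICY_RIGHTS) {
            findings.push(format!("{p}: missing START|STOP|QUERY_STATUS"));
        }
    }
    Ok(findings)
}

fn main() {
    // Constructed sample: the hardened descriptor the Layer 2 paragraph describes.
    println!("{:?}", check_service_policy("D:(A;;RPWPLC;;;SY)(A;;RPWPLC;;;BA)"));
}
```

Run the check after installation and again from the periodic integrity pass: a descriptor that drifts back toward the Windows default (CC/DC/SD for Administrators, query rights for Interactive and Service users) is a simple, high-signal indicator that someone reconfigured the service.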
Layer 3: Watchdog process
A lightweight watchdog process (aurora-guard.exe) runs as a separate PPL process and monitors the main sensor process via a named-pipe heartbeat. If the main process misses 3 consecutive heartbeats (15-second interval), the watchdog:
- Logs a critical event to the Windows Event Log (Application channel, Event ID 1000).
- Attempts to restart the main service via StartServiceW.
- If restart fails, sets a kernel-mode WFP filter that blocks all outbound traffic except the Collector management channel (fail-deadly network isolation).
- Writes a tamper-detection alert to the offline buffer.
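As an added example (not the aurora-guard.exe code itself), the state machine below models the escalation ladder just listed with a virtual millisecond clock, so the timing can be checked offline. The named pipe, StartServiceW and the WFP filter are replaced by a caller-supplied restart closure and an Action list; the 15-second interval, the three-miss threshold and Event ID 1000 are the values from the page, everything else is an assumption. The point it makes explicit is that the three misses must be consecutive: a single heartbeat resets the count, and a failed restart keeps the watchdog retrying every three intervals while the endpoint stays isolated.

```rust
/// Heartbeat interval on the watchdog pipe (15 s, from the page).
pub const HEARTBEAT_INTERVAL_MS: u64 = 15_000;
/// Consecutive misses that trigger escalation (from the page).
pub const MAX_MISSED: u32 = 3;

/// What the watchdog does when it escalates, in order.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Action {
    LogCritical { event_id: u32 }, // Windows Event Log, Application channel
    RestartService,                 // StartServiceW attempt
    IsolateNetwork,                 // WFP fail-deadly rule (only if restart failed)
    WriteTamperAlert,               // offline buffer
}

#[derive(Debug)]
pub struct Watchdog {
    last_heartbeat_ms: u64,
    missed: u32,
    isolated: bool,
}

impl Watchdog {
    pub fn new(now_ms: u64) -> Self {
        Watchdog { last_heartbeat_ms: now_ms, missed: 0, isolated: false }
    }

    pub fn is_isolated(&self) -> bool {
        self.isolated
    }

    pub fn missed_count(&self) -> u32 {
        self.missed
    }

    /// Called when a heartbeat arrives on the pipe. Any heartbeat breaks the
    /// run of consecutive misses, so the counter goes back to zero.
    pub fn on_heartbeat(&mut self, now_ms: u64) {
        self.last_heartbeat_ms = now_ms;
        self.missed = 0;
    }

    /// Called once per interval. `try_restart` stands in for StartServiceW and
    /// reports whether the main service came back. Isolation, once set, is not
    /// lifted here (assumption: that is an operator decision).
    pub fn tick<F: FnMut() -> bool>(&mut self, now_ms: u64, mut try_restart: F) -> Vec<Action> {
        if now_ms.saturating_sub(self.last_heartbeat_ms) < HEARTBEAT_INTERVAL_MS {
            return Vec::new(); // a heartbeat arrived inside the window
        }
        self.missed += 1;
        if self.missed < MAX_MISSED {
            return Vec::new();
        }
        // Escalate, then start a fresh count so a failed restart is retried
        // after another three intervals rather than on every tick.
        self.missed = 0;
        let mut actions = vec![Action::LogCritical { event_id: 1000 }, Action::RestartService];
        if try_restart() {
            // Give the restarted process a full window before counting again.
            self.last_heartbeat_ms = now_ms;
        } else if !self.isolated {
            self.isolated = true;
            actions.push(Action::IsolateNetwork);
        }
        actions.push(Action::WriteTamperAlert);
        actions
    }
}

fn main() {
    // Constructed timeline: the main process goes silent at t=0 and never recovers.
    let mut wd = Watchdog::new(0);
    for t in [15_000, 30_000, 45_000] {
        let actions = wd.tick(t, || false);
        println!("t={}s actions={:?}", t / 1000, actions);
    }
}
```

With these numbers the first escalation fires 45 seconds after the last heartbeat, which is where the "reversible within 60 seconds" figure in the overview comes from when the restart succeeds.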
Layer 4: ETW and AMSI integrity checks
At startup and every 30 minutes thereafter, the guard runs two integrity checks:
ETW integrity: verify_etw_integrity() checks that the AuroraEDR trace session is running, all 13 provider GUIDs are registered with the expected keyword masks, and no other process has called ControlTrace(EVENT_TRACE_CONTROL_STOP). Returns EtwIntegrityReport with per-provider status.
AMSI integrity: verify_amsi_integrity() verifies that amsi.dll is loaded, its in-memory code section hash matches the on-disk hash, and the COM server registration IAntimalwareProvider is intact and pointing to the AuroraEDR AMSI provider CLSID. Returns AmsiIntegrityReport.
Failure of either check triggers a critical alert and, if the sensor is in Hardened mode, initiates self-termination with a WFP fail-deadly rule so the endpoint cannot be used for lateral movement without telemetry.
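The provider comparison inside the ETW check, as an added example rather than the project's verify_etw_integrity(): it builds a per-provider report from an expected GUID/keyword-mask table and the set actually enabled on the session. The session-running flag and the ControlTrace stop detection require live ETW APIs and are passed in as a plain boolean here; the GUIDs and masks in the test are constructed placeholders, and the report type is this example's own, not the page's EtwIntegrityReport. GUIDs are normalised before comparison because the registry, the manifest and EnumerateTraceGuidsEx-style listings disagree on braces and case, and a naive string compare would report every provider as missing.

```rust
use std::collections::BTreeMap;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ProviderStatus {
    Ok,
    /// Provider is not enabled on the session at all.
    Missing,
    /// Provider is enabled but with a different keyword mask: the classic
    /// silent-disable, since the session still looks alive.
    KeywordMismatch { expected: u64, actual: u64 },
    /// A provider the sensor never registered is enabled on its session.
    Unexpected,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ProviderReport {
    pub session_running: bool,
    pub providers: BTreeMap<String, ProviderStatus>,
}

impl ProviderReport {
    pub fn is_intact(&self) -> bool {
        self.session_running && self.providers.values().all(|s| *s == ProviderStatus::Ok)
    }

    /// Every provider whose status is not Ok, for the alert payload.
    pub fn failures(&self) -> Vec<(&str, &ProviderStatus)> {
        self.providers
            .iter()
            .filter(|(_, s)| **s != ProviderStatus::Ok)
            .map(|(g, s)| (g.as_str(), s))
            .collect()
    }
}

/// Canonical form so "{ABCD-...}" and "abcd-..." compare equal.
pub fn normalize_guid(guid: &str) -> String {
    guid.trim()
        .trim_matches(|c: char| c == '{' || c == '}')
        .to_ascii_lowercase()
}

/// Compare the expected provider table with what is enabled on the session.
pub fn verify_providers(
    session_running: bool,
    expected: &[(&str, u64)],
    observed: &[(&str, u64)],
) -> ProviderReport {
    let expected: BTreeMap<String, u64> =
        expected.iter().map(|(g, k)| (normalize_guid(g), *k)).collect();
    let observed: BTreeMap<String, u64> =
        observed.iter().map(|(g, k)| (normalize_guid(g), *k)).collect();

    let mut providers = BTreeMap::new();
    for (guid, &want) in &expected {
        let status = match observed.get(guid) {
            None => ProviderStatus::Missing,
            Some(&got) if got == want => ProviderStatus::Ok,
            Some(&got) => ProviderStatus::KeywordMismatch { expected: want, actual: got },
        };
        providers.insert(guid.clone(), status);
    }
    for guid in observed.keys() {
        if !expected.contains_key(guid) {
            providers.insert(guid.clone(), ProviderStatus::Unexpected);
        }
    }
    ProviderReport { session_running, providers }
}

fn main() {
    // Constructed placeholder GUIDs and masks, not the sensor's real provider table.
    let expected = [("11111111-1111-1111-1111-111111111111", 0xff), ("22222222-2222-2222-2222-222222222222", 0x0f)];
    let observed = [("{11111111-1111-1111-1111-111111111111}", 0xff), ("22222222-2222-2222-2222-222222222222", 0x00)];
    let report = verify_providers(true, &expected, &observed);
    println!("intact={} failures={:?}", report.is_intact(), report.failures());
}
```

A keyword mask of zero on a still-registered provider is worth treating as seriously as a stopped session: the trace keeps running and the provider count is unchanged, but the provider emits nothing, which is why the check compares masks rather than just provider presence.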
Layer 5: Filesystem ACL
The sensor's data directory (%ProgramData%\AuroraEDR\) is protected with an ACL that grants full control only to SYSTEM and recursively inherits the restriction to all child objects (buffer files, enrollment keys, triage packages). The PROTECTED ACL flag prevents inheritance from the parent directory.
What goes wrong
- HardeningError::PplConfigFailed: the ELAM registry key could not be written, or the sensor binary is unsigned and running on a kernel that enforces PPL for antimalware signers. The sensor starts in PplDesired mode and escalates this to the operator.
- HardeningError::WatchdogPipeFailed: the named pipe between the main process and the watchdog could not be created. This usually means another process consumed the pipe name. The sensor retries with a random suffix.
- HardeningError::IntegrityCheckFailed: the AMSI or ETW integrity check failed. This is a high-confidence indicator of tampering. The sensor logs the full integrity report and enters a TamperDetected state that is visible in the operator console as a critical alert.
- ACL enforcement fails on a filesystem that does not support Windows security descriptors (FAT32, exFAT). The sensor detects the filesystem type at startup and skips ACL hardening with a warning logged to the event log.