CrowdStrike Falcon Platform Achieves Certification in AV-Comparatives’ First Anti-Tampering Test

After completing extensive tests designed to evaluate the tampering resistance of enterprise security solutions, the CrowdStrike Falcon® platform has achieved certification in the AV-Comparatives Anti-Tampering Certification Test 2023 for the Windows 10 operating system.

AV-Comparatives is an independent organization focused on evaluating the effectiveness of leading security products and a leader in the cybersecurity testing space. This year marked its first Anti-Tampering test, where security products were subjected to advanced techniques and tools in an effort to disable or modify AV/EPP/EDR components or capabilities through tampering. The CrowdStrike Falcon platform and other enterprise cybersecurity solutions were evaluated based on their ability to withstand these attempts.

CrowdStrike Falcon successfully protected against all tampering attacks during testing, achieving AV-Comparatives Anti-Tampering certification.

Why Focus on Tampering?

When targeting organizations with endpoint protection deployed, adversaries will often try to avoid detection by exploiting zero-days or other critical vulnerabilities. Sophisticated adversaries also attempt to impair endpoint protection by disabling, modifying or manipulating AV/EPP/EDR components.

Tampering is a strategy for compromising a system or network by compromising the security solution itself, thus evading detection. A successful tampering attack could cause a permanent, temporary, partial or even complete loss of functionality for the security system — leading to a costly breach.

Part of our operational mission with the CrowdStrike Falcon platform is to continually enhance our anti-tamper protection capabilities, anticipating and countering attempts at bypassing our robust security measures.

For the purposes of this testing initiative, AV-Comparatives defines tamper protection as follows:

“Tamper protection protects the product against end-user and third-party changes, and the services, processes, files, registry entries, etc. against any controlling attempts, even in context of a privileged user (high- or system integrity).”

AV-Comparatives recognizes the potential severity of tampering attacks should they succeed, which is why the organization launched its Anti-Tampering certification testing.

AV-Comparatives Ran Comprehensive Anti-Tampering Tests

The suite of tests run by AV-Comparatives is designed to evaluate a cybersecurity product’s ability to resist a wide range of tampering attacks. Systems were running Windows 10 and testers were high-integrity or system-integrity privileged users, equipped with advanced tools. From this position, with Falcon’s “Sensor Tampering Protection” enabled, they ran a series of tests to determine whether they could achieve any of the following:

  • Disable or modify configuration files or registry keys
  • Shut down services or processes
  • Disable or modify components in kernel space
  • Uninstall the security product or change its configuration
  • Disable the product (including by using the product itself)
  • Modify or set up exclusion or allowlisting
  • Partially or completely disable a product (for example, disabling a user space component) 

If testers were able to achieve any of these objectives, a cybersecurity product would fail to achieve certification for tamper resistance.

CrowdStrike Falcon Successfully Protected Against Tampering Attacks, Achieved Certification

The results speak for themselves. Testers were unable to successfully tamper with the Falcon platform, failing to modify or disable the platform or any of its components. In awarding its 2023 Anti-Tampering certification, AV-Comparatives noted that CrowdStrike Falcon:

“Successfully protected against tampering attack, i.e. manipulation or termination, which could lead to temporary or permanently and partial or complete disabling of the EDR’s functionality, was not possible.” 

Transparency: CrowdStrike Is Committed to Third-Party Testing

CrowdStrike is committed to independent, third-party testing and transparency about our participation in these efforts. Taking part in testing initiatives by organizations including AV-Comparatives helps CrowdStrike to continually improve our products, while also providing our customers (and future customers) with unbiased information showing the advantages of Falcon’s advanced technology.

The AV-Comparatives 2023 Anti-Tampering certification is the latest in an extensive list of awards, certifications and industry recognitions for Falcon — the world’s most tested next-generation security platform. 

CrowdStrike continues to show its market leadership through third-party certifications like this one, publicly demonstrating Falcon’s performance as a generational platform that delivers comprehensive protection and positive outcomes for our customers. 
