Bypass Record

Tamper-Protection Bypass × FireEye EDR Agent (HX Service)

A publicly reported instance of a Tamper-Protection Bypass against FireEye EDR Agent (HX Service), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: FireEye EDR Agent (HX Service)
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: Critical
Status: unknown
Disclosed: 2025-04-23
Config / version noted: Not stated

Provenance

Reported as

allows attackers to permanently disable tamper protection by sending a malformed event

Mechanism

Improper input validation in the HX service's tamper protection event handler allows crafted events to trigger an unhandled exception, causing the tamper protection subsystem to enter a permanently failed state that survives reboots.

Detection & mitigation

Monitor for unexpected termination or crash events of the EDR agent's tamper protection service (e.g., Windows Event ID 7031/7034 for the HX service) and alert on repeated failures across reboots. Apply vendor patches and ensure tamper protection status is continuously reported to the management console.
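As an added illustration of the detection note above (example code, not from the cited source), the following scans constructed Windows System-log records for Service Control Manager crash events 7031/7034 naming the EDR service, splits the timeline into boot sessions at Event ID 6005 (Event Log service started), and alerts only when the service has crashed in more than one boot. The service name "EDR-TamperGuard", the timestamps and the messages are placeholders.

```python
"""Alert when an EDR tamper-protection service keeps crashing across reboots.
Added example, not from the cited source; "EDR-TamperGuard" is a placeholder."""
from dataclasses import dataclass

SCM_PROVIDER = "Service Control Manager"
SCM_CRASH_IDS = {7031, 7034}   # "<service> terminated unexpectedly"
BOOT_MARKER_ID = 6005          # Event Log service started: a new boot session

@dataclass(frozen=True)
class Event:
    time: str          # ISO-8601 so lexical order is chronological
    event_id: int
    provider: str
    message: str

def crash_sessions(events, service_name):
    """Map boot-session index -> count of SCM crash events naming service_name."""
    session, hits = 0, {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == BOOT_MARKER_ID:
            session += 1                       # every 6005 opens a new session
        elif (ev.event_id in SCM_CRASH_IDS and ev.provider == SCM_PROVIDER
              and service_name in ev.message):
            hits[session] = hits.get(session, 0) + 1
    return hits

def should_alert(events, service_name, min_sessions=2):
    """Fire only when crashes recur in at least min_sessions distinct boots,
    i.e. the failure survived a reboot rather than being a one-off."""
    return len(crash_sessions(events, service_name)) >= min_sessions

# Constructed sample: crash in boot 1, reboot, crash again in boot 2; an
# unrelated Print Spooler crash is present to show it is ignored.
SAMPLE_EVENTS = [
    Event("2025-04-23T08:00:00", 6005, "EventLog", "The Event log service was started."),
    Event("2025-04-23T09:12:05", 7031, SCM_PROVIDER,
          "The EDR-TamperGuard service terminated unexpectedly."),
    Event("2025-04-23T09:12:35", 7034, SCM_PROVIDER,
          "The EDR-TamperGuard service terminated unexpectedly. It has done this 1 time(s)."),
    Event("2025-04-23T09:30:00", 7034, SCM_PROVIDER,
          "The Print Spooler service terminated unexpectedly. It has done this 1 time(s)."),
    Event("2025-04-23T10:00:00", 6005, "EventLog", "The Event log service was started."),
    Event("2025-04-23T10:01:10", 7034, SCM_PROVIDER,
          "The EDR-TamperGuard service terminated unexpectedly. It has done this 2 time(s)."),
]

if __name__ == "__main__":
    print(crash_sessions(SAMPLE_EVENTS, "EDR-TamperGuard"))  # {1: 2, 2: 1}
    print(should_alert(SAMPLE_EVENTS, "EDR-TamperGuard"))    # True
```

In production the same logic would run over the SCM provider's events from the management console or SIEM, with the real HX service name substituted for the placeholder.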


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.