Anti-Tamper Protection for Prisma Access Agents
Anti-tamper protection secures Prisma Access Agents from unauthorized
modifications, providing flexible controls through unique one-time passwords for different
privilege levels and operations.
Certain users, including those with administrative privileges, might attempt to
bypass security controls by tampering with secure access agents, creating
significant vulnerabilities in your security posture. Prisma Access Agent's
anti-tamper feature addresses this challenge by preventing unauthorized
modifications to your security infrastructure, ensuring that your Zero Trust
security controls remain continuously operational.
The feature prevents bypass of always-on security by blocking actions such as
stopping, killing, or uninstalling the agent, or modifying critical agent Registry
keys (Windows) and .plist files (macOS). It also protects against agent spoofing, where
insider threats or compromised endpoints attempt to modify agent files, folders,
processes, or HIP reports to circumvent security measures. With this protection in
place, your security controls remain intact and effective regardless of the user's
privilege level or the sophistication of the bypass attempt.
The anti-tamper feature can protect the following Prisma Access Agent
resources on your endpoints:
- Prisma Access Agent folders and files—Users can’t modify any Prisma Access Agent-related files and folders, including rewriting, renaming, or deleting the files and folders.
- Prisma Access Agent services and host information profile (HIP) processes—Users can’t spoof any Prisma Access Agent-related services and HIP processes. The HIP processes collect information about the host that the Prisma Access Agent is running on and submits the host information to Prisma Access for inspection. If a user tries to stop a process, they must supply the anti-tamper unlock password.
- Prisma Access Agent Registry keys (on Windows) or .plist file (on macOS)—Users can’t modify the Windows Registry keys or .plist file for Prisma Access Agent.
- The PACli command-line interface—Users can’t disable the Prisma Access Agent or the anti-tamper feature using the PACli command-line interface. Administrators and authorized users who need to perform certain actions for troubleshooting at the command line must provide an anti-tamper unlock password when prompted.
Anti-Tamper Enhancements
(Prisma Access Agent 25.4) Prisma Access Agent anti-tamper protection uses a
sophisticated password system with different types of one-time passwords (OTPs) for
various operations. The system generates unique passwords per device and per action,
enhancing security by ensuring that each password can be used only once for its
intended purpose. After use, the password is automatically refreshed to maintain
security. You can also control anti-tamper protection at a granular level, with the
ability to enable or disable protection for specific users and user groups.
The anti-tamper protection includes several components that you should understand
before configuration. The Privileged Access Token (PAT) serves as a primary
emergency password that administrators can configure for critical scenarios, such as
when a device loses network connectivity. This token works for any privileged
operation.
For everyday operations, the system uses three specialized OTPs. Each of these
passwords has a specific purpose and access level within the system:
- Privileged Access OTP (PA OTP)—Enables users to perform any privileged command
- Disable Agent OTP—Specifically permits users to disable the agent temporarily
- Uninstall OTP—Enables agent removal
When configuring anti-tamper protection, you can set a protection duration that
determines how long the privileged access remains available after authentication
with a Privileged Access Token or Privileged Access OTP. During this window, users
can perform multiple privileged operations without reentering the PAT or PA OTP,
streamlining maintenance tasks while maintaining security.
The system supports flexible deployment models, such as working hand-in-hand with the
existing disable agent OTP, so you can configure whether disabling the agent
requires authentication (Allow, Allow with OTP, or Disallow) while maintaining
appropriate protection for your security requirements. This flexibility lets you
balance security with operational needs across your environment.
The enhanced anti-tamper protection does not apply to Prisma
Access Agents deployed from Prisma Access (Managed by Panorama) or NGFW (Managed by Panorama).
Prisma Access Agents from these deployments continue to use the anti-tamper settings in the Global Agent
Settings.
Migration from Previous Anti-Tamper Mechanism
The transition from the previous anti-tamper mechanism to the enhanced version is
designed to be seamless for administrators and end users. When your system is
upgraded to support the new anti-tamper protection, your existing configurations are
automatically migrated to the new framework.
For existing customers, the system will migrate your current Global Agent Settings
for anti-tamper to the Agent App Settings. Specifically, if you had anti-tamper
enabled, the system will preserve this setting when migrating to the
Privileged Access Protection in the enhanced system. Your
existing anti-tamper unlock password will be migrated to become your new Privileged
Access Token in the enhanced system.
The Privileged Access Protection field is disabled by default.
If you enable it, you must also configure the Auto Enable
Duration and the Privileged Access Token. The Auto Enable Duration is the period
during which an end user retains privileged access after authenticating with a
Privileged Access Token or Privileged Access OTP. The Privileged Access Token is an
administrator-defined password used to gain privileged access in emergency
situations.
For new deployments of Prisma Access Agent after the enhancement, anti-tamper
protection is enabled by default with a 30-minute Privileged Access Duration.
You must still configure a Privileged Access Token, because it is a mandatory
input that only an administrator can set.
During the migration process, there is no disruption to your security posture. If
currently enabled, the anti-tamper protection remains active throughout the
transition, ensuring continuous protection of your Prisma Access Agent services,
processes, files, and registries.
After migration, you will gain access to the enhanced capabilities of the new
anti-tamper system, including the ability to use specific or granular OTPs for
supported operations and the improved audit logging of privileged operations. The
migration preserves your security settings while enabling these new features.
Protection Behavior
When anti-tamper protection is active, the system enforces different levels of
privileged access based on the type of operation and who initiates it. Use the
Privileged Access Token only for administrator-initiated troubleshooting or for batch
operations run through mobile device management (MDM) systems or batch operation
tools. Because the PAT is a static, administrator-defined password that unlocks any
privileged operation and does not depend on network connectivity, treat it as a
high-value credential and do not hand it to end users. The Privileged Access OTP is
a blanket OTP that supports all privileged operations. As a best practice, distribute
the OTP type that matches the operation the end user actually needs to perform.
Operation-specific OTPs provide the most restrictive privileged access level where
users can only perform the specific action associated with that credential type. The
Disable Agent OTP permits only agent disabling operations, while the Uninstall Agent
OTP permits only agent removal procedures.
Endpoint User Experience
The enhanced anti-tamper protection creates a secure yet manageable experience for
users on protected endpoints. When users attempt to perform privileged operations on
their devices, the system responds according to your configured anti-tamper
settings.
When a user attempts to execute any privileged operation, such as uninstalling the
Prisma Access Agent on Windows or macOS systems, the system will prompt them to
enter a token or OTP if anti-tamper protection is enabled.
For IT administrators and support staff using the PACli command-line interface, the
system provides visibility into the current protection state. When executing the
pacli status command, users can see if privileged access
has been temporarily granted and when that access will expire. When executing the
pacli protect status command, users can see whether
anti-tamper protection is active. This visibility helps administrators plan
maintenance activities within the available time window.
When prompted for the password, users will see a consistent message asking them to
enter a token or OTP regardless of which operation they are attempting to perform.
The system then validates the entered credential, allowing the operation to proceed
if the valid credential is provided.
If a user gains privileged access with a Privileged Access Token or Privileged Access
OTP, the system starts an expiry timer (configurable from 30 to 480 minutes, with a
default of 30 minutes). During this period, the user can perform any privileged
operation without reentering the PAT or PA OTP. The operation-specific Disable Agent
and Uninstall OTPs authorize only their single operation and do not start this timer.
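The following Python model is an added illustration of the credential rules described under Protection Behavior and the expiry window above; it is not Prisma Access Agent code. It enforces the four credential scopes (PAT and PA OTP for any privileged operation, Disable Agent OTP and Uninstall OTP for one operation each), consumes an OTP on first successful use, rejects an out-of-scope OTP without consuming it, opens the timed window only for the PAT or PA OTP, validates the 30-480 minute range, and records every decision for audit. The class and method names, the set of operation names, the 8-character OTP length, and the SHA-256 hashed storage are all assumptions made for the example.

```python
"""Illustrative model of the anti-tamper credential rules described on this
page. Added example, not Prisma Access Agent code: the names, the operation
set, the 8-character OTP length, and the hashed storage are all assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Privileged operations the page describes as blocked without a credential
# (operation names are assumed for this model).
PRIVILEGED_OPS = {"stop_service", "disable_agent", "uninstall_agent", "edit_registry"}

# Credential scope per the page: PAT and PA OTP cover any privileged
# operation; the operation-specific OTPs cover exactly one action.
SCOPE = {
    "PAT": PRIVILEGED_OPS,
    "PA_OTP": PRIVILEGED_OPS,
    "DISABLE_OTP": {"disable_agent"},
    "UNINSTALL_OTP": {"uninstall_agent"},
}
# Only these credentials open the timed privileged-access window.
OPENS_WINDOW = {"PAT", "PA_OTP"}


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class AntiTamperPolicy:
    """Administrator settings: the static PAT and the window length."""
    pat: str
    duration_minutes: int = 30

    def __post_init__(self) -> None:
        # The page gives the configurable range as 30-480 minutes.
        if not 30 <= self.duration_minutes <= 480:
            raise ValueError("duration_minutes must be between 30 and 480")
        self.pat_digest = _digest(self.pat)


@dataclass
class Endpoint:
    """Agent-side state for one device: outstanding OTPs, the window, audit log."""
    device_id: str
    policy: AntiTamperPolicy
    _otps: dict = field(default_factory=dict, init=False, repr=False)
    _window_expiry: float = field(default=0.0, init=False)
    audit: list = field(default_factory=list, init=False)

    def issue_otp(self, kind: str) -> str:
        """Administrator side: mint a fresh OTP bound to this device and kind.
        Reissuing replaces any unused OTP of the same kind."""
        if kind not in SCOPE or kind == "PAT":
            raise ValueError(f"not an OTP type: {kind}")
        otp = secrets.token_hex(4)
        self._otps[kind] = _digest(otp)
        return otp

    def _verify(self, kind: str, credential: str) -> bool:
        if kind == "PAT":
            return hmac.compare_digest(_digest(credential), self.policy.pat_digest)
        stored = self._otps.get(kind)
        if stored is None:
            return False
        if hmac.compare_digest(_digest(credential), stored):
            del self._otps[kind]  # one-time: consumed on successful use
            return True
        return False

    def authorize(self, op: str, credential: Optional[str], now: float) -> str:
        """Decide whether `op` may run at time `now` (seconds). Returns
        'allowed:<reason>' or 'denied:<reason>' and records the decision."""
        if op not in PRIVILEGED_OPS:
            result = "allowed:unprivileged"
        elif now < self._window_expiry:
            result = "allowed:window"  # PAT/PA OTP window still open
        elif credential is None:
            result = "denied:credential-required"
        else:
            result = "denied:invalid-credential"
            # Try only credential kinds whose scope includes this operation,
            # so an out-of-scope OTP is rejected without being consumed.
            for kind, ops in SCOPE.items():
                if op in ops and self._verify(kind, credential):
                    if kind in OPENS_WINDOW:
                        self._window_expiry = now + self.policy.duration_minutes * 60
                    result = f"allowed:{kind}"
                    break
        self.audit.append((now, self.device_id, op, result))
        return result


if __name__ == "__main__":
    policy = AntiTamperPolicy(pat="emergency-pat-example", duration_minutes=30)
    ep = Endpoint("laptop-42", policy)
    disable_otp = ep.issue_otp("DISABLE_OTP")
    print(ep.authorize("uninstall_agent", disable_otp, now=0))  # denied: wrong scope
    print(ep.authorize("disable_agent", disable_otp, now=0))    # allowed:DISABLE_OTP
    print(ep.authorize("disable_agent", disable_otp, now=1))    # denied: already used
    print(ep.authorize("stop_service", "emergency-pat-example", now=60))  # allowed:PAT
    print(ep.authorize("edit_registry", None, now=60 + 29 * 60))  # allowed:window
    print(ep.authorize("edit_registry", None, now=60 + 31 * 60))  # denied: expired
```

Two design points carry over to any real deployment of this model: the validator only tries credential kinds whose scope covers the requested operation, so a Disable Agent OTP presented at an uninstall prompt is refused and stays valid for its intended use, and the window is opened solely by the PAT or PA OTP, so handing a user an operation-specific OTP never grants them a multi-operation maintenance window.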