HackTool:Win32/DefenderControl
Microsoft researchers regularly see popular, publicly available tools being leveraged by attackers. Defender Control, a publicly available software program, allows users to disable or enable Microsoft Defender Antivirus with one click.
Threat actors use malware and publicly available software to tamper with security solutions. To run these tampering tools successfully against a system with Tamper Protection enabled, an attacker must have access to sufficient privileges to run the program as Trusted Installer, NT Authority, or System. Beginning in 2022, Microsoft introduced functionality in Defender Antivirus that further limits the effectiveness of malicious antivirus tampering tools by not allowing the use of a trusted installer for service change or registry modification.
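
A defender-side check for the conditions described above, as an added example that is not Microsoft's code: it reports whether Tamper Protection and real-time protection are on, and collects recent Defender events that indicate tampering or a detection of this tool. The function name, the seven-day window and the selection of event IDs are assumptions made for this example.

```powershell
# Added example (not Microsoft's code). Run in an elevated PowerShell session
# on a host with the built-in Defender module.
function Get-DefenderTamperPosture {
    [CmdletBinding()]
    param(
        [int]$LookbackDays = 7,   # assumption: hunting window
        [string]$ThreatName = 'HackTool:Win32/DefenderControl'
    )

    $status = Get-MpComputerStatus
    $svc    = Get-Service -Name WinDefend

    # Defender operational log event IDs used here:
    #   1116/1117 = threat detected / action taken
    #   5001      = real-time protection disabled
    #   5007      = antimalware configuration changed
    #   5013      = Tamper Protection blocked a change
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 5001, 5007, 5013
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Detections whose message names the tool this page describes.
    $toolHits = @($events | Where-Object {
        $_.Id -in 1116, 1117 -and $_.Message -like "*$ThreatName*"
    })

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if ($svc.Status -ne 'Running')              { $findings.Add("WinDefend service is $($svc.Status)") }
    if ($toolHits.Count -gt 0)                  { $findings.Add("$($toolHits.Count) detection event(s) for $ThreatName") }
    if ($events.Id -contains 5001)              { $findings.Add('Real-time protection was disabled in the window') }
    if ($events.Id -contains 5013)              { $findings.Add('Tamper Protection blocked a change in the window') }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        TamperProtected = $status.IsTamperProtected
        RealTimeEnabled = $status.RealTimeProtectionEnabled
        ServiceStatus   = $svc.Status
        Findings        = $findings
        Events          = $events | Select-Object TimeCreated, Id, Message
    }
}

Get-DefenderTamperPosture | Format-List ComputerName, TamperProtected, RealTimeEnabled, ServiceStatus, Findings
```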