ZeroLock® Endpoint Protection

To strengthen endpoint protection when running the ZeroLock Agent, consider applying a lockdown rule that blocks attempts to stop the agent, since a stopped agent leaves the endpoint unprotected.

    We recommend applying the following lockdown rule:

    1. Name:  Anti-Tampering
    2. Number:  82
    3. Description:  Prevent Stopping or Disabling the ZeroLock service using systemctl or docker stop commands.
    4. Why:  We add this rule to prevent anyone from stopping the Docker container that runs the agent on the protected system.  The same rule also works for the natively installed agent.
      1. On the Docker side we prevent the command docker stop zerolock from running.
      2. On a native agent we prevent the command sudo systemctl stop zerolock from running.
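
A detection-side complement to the rule, as an added example that is not ZeroLock's own rule logic: it flags the two commands named above (plus systemctl disable, per the rule description) in recorded command lines, tolerating a sudo prefix, absolute paths and a .service suffix. The function names and sample command lines are constructed for illustration.

```python
import os
import shlex

SERVICE = "zerolock"  # container and unit name from the commands on this page
# Verbs from the rule description ("Stopping or Disabling"), per tool.
BLOCKED = {"docker": {"stop"}, "systemctl": {"stop", "disable"}}

# Constructed sample command lines (not taken from a real system).
SAMPLE_COMMANDS = [
    "docker stop zerolock",
    "sudo systemctl stop zerolock",
    "sudo /usr/bin/systemctl disable zerolock.service",
    "docker stop -t 10 zerolock",
    "systemctl status zerolock",
    "docker stop nginx",
    "docker start zerolock",
]


def is_tamper_attempt(cmdline):
    """True if cmdline would stop or disable the ZeroLock agent."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return False  # unbalanced quotes: cannot be classified
    # Skip a sudo prefix and its own options (e.g. "sudo -u root ...").
    if argv and os.path.basename(argv[0]) == "sudo":
        argv = argv[1:]
        while argv and os.path.basename(argv[0]) not in BLOCKED:
            argv = argv[1:]
    if not argv:
        return False
    verbs = BLOCKED.get(os.path.basename(argv[0]))  # handles /usr/bin/docker
    if verbs is None:
        return False
    args = [a for a in argv[1:] if not a.startswith("-")]  # drop option flags
    for i, arg in enumerate(args):
        if arg in verbs:
            # Everything after the verb is a candidate target name.
            rest = args[i + 1:]
            targets = {t[:-8] if t.endswith(".service") else t for t in rest}
            return SERVICE in targets
    return False


def flag_tampering(commands):
    """Return the command lines that target the ZeroLock agent."""
    return [c for c in commands if is_tamper_attempt(c)]
```

Feeding it command lines from shell history or process-execution logs shows where the lockdown rule would have fired, which is useful when reviewing alerts after the rule is enabled.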