To harden an endpoint running the ZeroLock Agent, consider applying a lockdown rule that blocks attempts to stop the ZeroLock Agent, since a stopped agent leaves the endpoint unprotected.
We recommend applying the following lockdown rule:
- Name: Anti-Tampering
- Number: 82
- Description: Prevent stopping or disabling the ZeroLock service via `systemctl`, or stopping the ZeroLock container via `docker stop`.
- Why: This rule prevents anyone from stopping the ZeroLock Docker container on the protected system. The same rule also covers the natively installed agent.
  - For the Docker deployment, the rule blocks the command `docker stop zerolock`.
  - For the native agent, the rule blocks the command `sudo systemctl stop zerolock`.
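The following matcher, added here as an illustration and not ZeroLock's own rule engine or rule syntax, shows what the Anti-Tampering rule has to recognise: the two commands listed above plus their common variants (a `sudo`/`doas` prefix, an absolute path to the binary, `zerolock.service`, `systemctl disable`, and `docker container stop`). The function name and the `SERVICE` constant are assumptions for this example.

```python
"""Matcher for the Anti-Tampering lockdown rule described above.

Added illustration only (not ZeroLock code): classifies a command line
as one the rule would block, i.e. stopping or disabling the zerolock
service via systemctl, or stopping the zerolock container via docker.
"""
import shlex

SERVICE = "zerolock"          # assumed unit / container name from the page
PRIVILEGE_WRAPPERS = {"sudo", "doas"}

def _strip_wrappers(argv):
    """Drop a leading sudo/doas together with its option flags."""
    while argv and argv[0] in PRIVILEGE_WRAPPERS:
        argv = argv[1:]
        while argv and argv[0].startswith("-"):
            argv = argv[1:]
    return argv

def _names_service(unit):
    """True for 'zerolock' and 'zerolock.service'."""
    return unit in (SERVICE, SERVICE + ".service")

def anti_tampering_match(cmdline):
    """Return 'systemctl' or 'docker' if the rule applies, else None."""
    try:
        argv = _strip_wrappers(shlex.split(cmdline))
    except ValueError:
        return None  # unbalanced quotes: not a well-formed command line
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]   # tolerate /usr/bin/systemctl etc.
    # Positional arguments only; option flags such as --now are ignored.
    args = [a for a in argv[1:] if not a.startswith("-")]
    if prog == "systemctl":
        if len(args) >= 2 and args[0] in {"stop", "disable"} \
                and any(_names_service(u) for u in args[1:]):
            return "systemctl"
    elif prog == "docker":
        # accept "docker stop zerolock" and "docker container stop zerolock"
        if args[:1] == ["container"]:
            args = args[1:]
        if len(args) >= 2 and args[0] == "stop" and SERVICE in args[1:]:
            return "docker"
    return None
```

Commands such as `systemctl status zerolock` or `docker stop nginx` fall through to `None`, so the rule stays narrow enough not to interfere with routine administration.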