Create a Post
Showing results for 
Search instead for 
Did you mean: 

data tampering event in enpoint client


i am using Total endpoint Security and it shows me the tampering event. What does this means? is it my PC is not secure or its something t

0 Kudos
3 Replies

One of the ways SandBlast Agent monitors for suspicious activity is to track files that were modified (or deleted) by a process that is unusual or unexpected--files that might be tampered with.

On it's own, it's not necessarily an indicator of compromise.

If there are other indicators, compromise is far more likely.


sir, i cannot find any update regarding the tampering event in my endpoint server . Does these event occur in sandblast is update to server or not. Can i get the report of such event from the endpoint management server and how. 

Thank you

0 Kudos
Employee Alumnus
Employee Alumnus

The screen you are showing is part of a forensics report.

This report is triggered when we identify an attack and it is automatically analyzing the full scope of the attack.

One of the sections in the report is to identify what is the attack damage. This is listed under the “Business Impact” section. Both in the overview tab and as a separate tab. In this case the attack included the tempering of some files.

To see what triggered SBA to say there is an attack, you can look at the trigger data on the top of the overview tab. It will show the “Trigger:”,Triggered By:” & “Trigger Time:” information.


These reports are available both on the client, and on the server.

On the client it is on the Forensics tab of the client UI.

On the server, it can be opened by a link on the Forensics log line. You can see it either in SmartLog or in SmartEvent.

If you want to use SmartEvent you can use sk110894 to see how to connect R80.10 SmartEvent to an R77.30.03 management, and sk118525 to import SAB views to your SmartEvent.


Lior Arzi