IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Endpoint self-protection features
editEndpoint self-protection features
editElastic Endpoint protects itself against users and attackers that may try to interfere with its functionality. Protection features are consistently enhanced to prevent attackers who may attempt to use newer, more sophisticated tactics to interfere with the Elastic Endpoint. Self-protection is enabled by default when Elastic Endpoint installs on supported platforms, listed below.
Self-protection is enabled on the following 64-bit Windows versions:
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Self-protection is also enabled on the following macOS versions:
- macOS 10.15 (Catalina)
- macOS 11 (Big Sur)
- macOS 12 (Monterey)
Other Windows and macOS variants (and all Linux distributions) do not have self-protection.
For Elastic Stack version >= 7.11.0, self-protection defines the following permissions:
-
Users — even Administrator/root — cannot delete Elastic Endpoint files (located at
c:\Program Files\Elastic\Endpointon Windows, and/Library/Elastic/Endpointon macOS). - Users cannot terminate the Elastic Endpoint program or service.
-
Administrator/root users can read the Endpoint’s files. On Windows, the easiest way to read Endpoint files is to start an Administrator
cmd.exeprompt. On macOS, an Administrator can use thesudocommand. -
Administrator/root users can stop the Elastic Agent’s service. On Windows, run the
sc stop "Elastic Agent"command. On macOS, run thesudo launchctl stop elastic-agentcommand.