
Summary
This detection rule identifies attempts to tamper with Sophos Antivirus (AV) by modifying Windows registry values. It targets the registry keys that back the tamper protection feature of Sophos Endpoint Defense and fires when a registry modification event shows one of those values being set so that tamper protection is disabled. Disabling an AV product's self-protection is usually a precursor to stopping, reconfiguring or uninstalling the product itself, so this activity is typically one step in a larger attack rather than an end in itself. Because the AV's own updater and management components can legitimately change these values, the rule can produce false positives; organizations should have a procedure to investigate each alert and establish whether the change was made by a trusted Sophos process (for example during an upgrade or policy change) or by an unexpected process, user or tool.
Categories
- Endpoint
- Windows
- Infrastructure
Data Sources
- Windows Registry
Created: 2022-09-02