FortiEDR Earns AV-Comparatives 2025 Anti-Tampering Certification

100% of Tampering Attempts Blocked in Independent Testing

Today’s attacks increasingly include disabling security tools before deploying malicious payloads, making tamper resistance an essential element of any endpoint security solution. Fortinet is proud to announce that FortiEDR has earned the 2025 Anti-Tampering Certification from AV-Comparatives, confirming its ability to withstand interference by threat actors and reinforcing its role as an essential element of your endpoint defense strategy.

Understanding the AV-Comparatives Anti-Tampering Certification

AV-Comparatives, an independent testing organization based in Austria, is globally recognized for its comprehensive and methodical evaluation of security solutions. Its certifications carry weight across the cybersecurity industry, offering organizations objective insight into how well products perform under real-world conditions.

Their Anti-Tampering Certification Test assesses a product’s ability to resist direct interference by attackers who have already compromised a system. Rather than focusing on initial access or exploit-based attacks, this test simulates post-compromise scenarios, where adversaries operate with elevated or system-level privileges on the endpoint.

In the 2025 assessment, the testing focused on defense evasion, a key tactic in modern attack chains. The test excluded kernel exploits, focusing instead on what attackers can accomplish from user space, where most real-world tampering occurs. Techniques used included attempts to:

  • Terminate or suspend processes: Attackers tried to forcibly stop security processes and services to blind or disable protection.
  • Modify or delete registry keys: Malicious changes were made to Windows registry entries to corrupt configurations or prevent startup.
  • Alter Dynamic Link Libraries (DLLs): Adversaries attempted to replace or hijack key DLLs used by the security software to impair functionality.
  • Disable or remove kernel drivers: Tests simulated disabling low-level drivers that enforce or monitor protections.
  • Interfere with update services: Attempts were made to block or corrupt the ability of FortiEDR to receive threat intelligence and software updates to freeze protections in an outdated or weakened state.
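The five tamper vectors listed above map naturally onto Windows event telemetry. The following added example (not from the original post or from Fortinet) classifies constructed Security, System and Sysmon event records against an agent whose service, driver, directory and registry names are placeholders, not FortiEDR's real artifact names.

```python
"""Flag the tamper vectors from the AV-Comparatives test (process kill, registry
edit, DLL swap, driver removal, update interference) in Windows event records.
Agent artifact names are constructed placeholders, not FortiEDR's real ones."""
import re

AGENT_IMAGES = {"exampleedr.exe", "exampleedrupdate.exe"}
AGENT_SERVICES = {"ExampleEDR": "agent", "ExampleEDRUpdate": "update"}
AGENT_REG_KEY = r"hklm\system\currentcontrolset\services\exampleedr"
AGENT_DIR = "c:\\program files\\exampleedr\\"
AGENT_DRIVER = "exampleedr.sys"
KILL_TOOLS = re.compile(r"\b(taskkill|stop-process|pssuspend)\b")

def classify_tamper(ev):
    """Return a tamper-vector label for one event dict, or None if benign.
    Field names are simplified from the Windows Security/System/Sysmon XML."""
    src, eid = ev["source"], ev["id"]
    if src == "Security" and eid == 4688:                 # process creation
        cmd = ev.get("CommandLine", "").lower()
        if KILL_TOOLS.search(cmd) and any(img in cmd for img in AGENT_IMAGES):
            return "terminate_or_suspend_process"
    if src == "System" and eid in (7036, 7040):           # SCM state / start type
        kind = AGENT_SERVICES.get(ev.get("ServiceName"))
        if kind and eid == 7036 and ev.get("State") == "stopped":
            return "interfere_with_update_service" if kind == "update" else "stop_service"
        if kind and eid == 7040 and ev.get("NewStartType", "").lower() == "disabled":
            return "disable_service"
    if src == "Security" and eid == 4657:                 # registry value modified
        if ev.get("ObjectName", "").lower().startswith(AGENT_REG_KEY):
            return "modify_registry_key"
    path = ev.get("TargetFilename", "").lower()
    if src == "Sysmon" and eid == 11 and path.startswith(AGENT_DIR) and path.endswith(".dll"):
        return "alter_dll"                                 # file create/overwrite
    if src == "Sysmon" and eid == 23 and path.endswith(AGENT_DRIVER):
        return "remove_kernel_driver"                      # file delete
    return None

def tamper_report(events):
    """Count flagged events per tamper vector; benign events are dropped."""
    labels = [lbl for lbl in map(classify_tamper, events) if lbl]
    return {lbl: labels.count(lbl) for lbl in set(labels)}

SAMPLE_EVENTS = [  # constructed records, not captured from a real host
    {"source": "Security", "id": 4688, "CommandLine": "taskkill.exe /F /IM exampleedr.exe"},
    {"source": "System", "id": 7040, "ServiceName": "ExampleEDR", "NewStartType": "disabled"},
    {"source": "System", "id": 7036, "ServiceName": "ExampleEDRUpdate", "State": "stopped"},
    {"source": "Security", "id": 4657, "ObjectName": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleEDR\Start"},
    {"source": "Sysmon", "id": 11, "TargetFilename": r"C:\Program Files\ExampleEDR\core.dll"},
    {"source": "Sysmon", "id": 23, "TargetFilename": r"C:\Windows\System32\drivers\exampleedr.sys"},
    {"source": "System", "id": 7036, "ServiceName": "Spooler", "State": "stopped"},  # benign
]
```

In the raw event XML the 7036/7040 values arrive as param1..param3 rather than named fields, and 4657 only fires for keys whose SACL audits value writes, so the agent's registry path needs an audit entry before this rule sees anything.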

The Exemplary Performance of FortiEDR

FortiEDR passed the AV-Comparatives Anti-Tampering Test across all categories, with zero bypasses, and successfully blocked every tampering attempt across multiple vectors. AV-Comparatives confirmed that FortiEDR maintained its integrity when faced with efforts to interfere with:

  • User-space processes and threads: FortiEDR actively protected its components from termination or suspension via the task manager, command line, or scripts.
  • Services and DLLs: All core service components and dynamically loaded libraries were shielded from unauthorized modification or replacement.
  • Windows registry entries: Critical registry keys related to startup, configuration, and agent stability remained locked against tampering.
  • Kernel-level drivers: The product’s drivers remained intact, preventing attackers from disabling enforcement mechanisms or creating blind spots.
  • Update services and software agents: FortiEDR ensured that both the update process and installed agents could not be uninstalled, interrupted, or redirected.

This comprehensive resistance ensured that FortiEDR met the strict criteria required for certification. AV-Comparatives only awards this certification to solutions that prevent all forms of tampering tested. FortiEDR's perfect results affirm its ability to protect systems even when attackers have deep access.

The Architecture Behind FortiEDR Resilience

Unlike many traditional endpoint security tools that depend heavily on centralized enforcement or kernel hooks, FortiEDR operates through autonomous agents that can enforce prevention policies locally on the endpoint.

These agents are engineered to:

  • Make real-time decisions on the device: Analysis and enforcement occur directly at the endpoint, reducing reliance on cloud lookups or centralized logic.
  • Operate with minimal system impact: FortiEDR is optimized for efficiency, ensuring protection doesn’t degrade performance or disrupt legitimate user activity.
  • Maintain protection while disconnected: Agents continue enforcing policy and preventing threats even if they are offline or isolated from the core management server.
  • Resist manipulation with built-in safeguards: FortiEDR hardens its own components, making them highly resistant to process injection, driver tampering, or registry manipulation.

The result is a platform that is difficult to disable, harder to evade, and reliable during active compromise.

Tamper Resistance Is No Longer Optional

Today’s threat actors aren’t just looking for ways in; they’re looking for ways to neutralize defenses once inside. Whether it’s ransomware disabling protection before encryption or APTs attempting to erase their tracks, tampering is now a core part of the attack playbook.

Detection and response capabilities become meaningless if endpoint protection can be turned off, uninstalled, or manipulated after a breach. Resilience under attack is what separates effective endpoint protection from obsolete software.

By earning AV-Comparatives certification, FortiEDR provides third-party validation that it can withstand such tactics, so security teams can trust that their controls will stay intact and operational even under pressure.