security
ANTITAMPER PROBE ENABLEMENT LLD
Tamper resistance, sandboxing, remote scan policy, and security deep dives.
Context Rail
Tags and Themes
On This Page
Anti-Tamper Probe Enablement LLD
1. Purpose
This LLD defines how anti-tamper probe execution is enabled, how runner enforcement is gated, and how diagnostics differ from enforcement.
2. Problem Statement
Users often confuse:
- probe execution enablement
- process-protection enforcement enablement
- policy action after detection
This design separates these decisions clearly.
3. Inputs
3.1 Master Probe Gate
runtime setting
- Value
1means probes run. - Any other value means probes are skipped.
3.2 Process Protection Gate
runtime setting
- Evaluated by runner process-protection path.
- Default enabled when unset.
- Disabled by:
0,false,off,no.
3.3 Policy Inputs
runtime settingruntime setting- secure/compat/dev mode context
4. Decision Model
5. Caller Semantics
5.1 Runner
- Uses focused 5-probe enforcement set.
- Applies confidence threshold (
>= 80). - Triggers policy action on threshold hit.
5.2 Builtins
- Use broader probe sets for diagnostics.
- Return probe signals to scripts/users.
- Do not directly enforce runner blocking path.
6. Observability
Telemetry events:
anti_tamper_probe_invokedanti_tamper_probe_errorprocess_protection_detected
7. Risks and Mitigations
Risk:
- False negatives if probe gate is left disabled.
Mitigation:
- Document production recommended env posture.
- Add deployment checks for required security runtime settings.
Risk:
- False positives when a single heuristic is noisy.
Mitigation:
- Keep confidence thresholding and multi-probe context.
- Review
detailfield before escalation.
8. Student Takeaway
There are three separate questions:
- Did probes run?
- Was enforcement enabled?
- What did policy decide?
Keeping these separate prevents most operational confusion.