security
REMOTE PROCESS SCAN DEEP DIVE
Tamper resistance, sandboxing, remote scan policy, and security deep dives.
Context Rail
Tags and Themes
On This Page
Remote Process Scan Deep Dive
1. Scope
This document describes the current remote process scan architecture and integration points.
It covers:
- Config and mode gates.
- Verdict correlation model.
- Telemetry and runner enforcement behavior.
- Current implementation depth and next hardening steps.
Primary implementation anchors:
security/processscan_types.gosecurity/processscan_config.gosecurity/processscan_correlator.gosecurity/processscan_manager.gosecurity/processscan_windows.gorunner/runner.go
2. Control Surface
runtime configuration settings:
runtime setting
- Master gate for manager execution.
runtime setting
off: disabled path.observe: telemetry only.enforce: policy block on critical verdict.
runtime setting
- Positive integer, default
32.
runtime setting
- Positive integer, default
1000.
runtime setting
- Comma-separated process names that should be skipped.
Defaults:
- Scan is disabled when enable env is unset.
- Invalid mode falls back to
observe.
3. Data Model
Core types:
RemoteProcessTarget
PID,Name,Executable
RemoteProcessSignal
Name,Detected,Weight,Confidence,Detail,Evidence
ProcessRiskVerdict
PID,Name,FinalScore,RiskBand,Signals
RemoteScanConfig
- gate flags, thresholds, scope tuning, and allowlist
4. Correlation Logic
CorrelateProcessSignals rules:
- Sum only weights where
Detected=true. - Cap final score at
100. - Assign risk band from score:
<40->low40..69->medium70..84->high>=85->critical
Normalization behavior:
- If scanner returns verdicts with raw signals but no score, manager computes normalized score and band.
- If scanner already returns score-only verdicts, manager preserves score and backfills risk band.
5. Manager Execution Flow
RunRemoteProcessScan(stage) behavior:
- Resolve config from env.
- Exit with
enabled=falsewhen disabled or mode isoff. - Record invocation telemetry.
- Execute platform scanner (
scanRemoteProcesses). - On scanner error:
- Record
remote_process_scan_errortelemetry. - Return error with
enabled=true.
- Normalize verdicts and emit score-band telemetry.
Telemetry events emitted by manager:
remote_process_scan_invokedremote_process_scan_errorremote_process_suspiciousremote_process_critical
6. Runner Enforcement Semantics
Runner path:
- Called in anti-rev pipeline after local process protection probes.
- Executed at both
pre-decodeandpre-executionstages.
Decision behavior:
observemode:
- Never blocks execution.
- Keeps telemetry for visibility.
enforcemode:
- Blocks only when any verdict score is
>= CriticalScore. - High but non-critical verdicts are advisory.
- Scanner errors:
- Non-blocking.
- Still counted in telemetry.
7. Current Implementation Depth
Implemented:
- Types/config parsing with safe defaults.
- Correlator and risk-band mapping.
- Telemetry integration.
- Runner observe/enforce policy integration.
- Unit coverage for config, correlator, manager, and runner behavior.
Current limitation:
ScanRemoteProcessesWindowsis currently a safe no-op returningnil, nil.- This means manager and policy plumbing are production-wired, while detector signal depth is not yet implemented.
8. Hardening Backlog
Recommended next increments:
- Implement Windows process enumeration and target filtering.
- Add module/memory/thread/hook inspectors that emit weighted signals.
- Add score calibration fixtures to control false positives.
- Extend coverage with platform-specific integration tests.
- Add per-verdict evidence export path for incident workflows.