Remote Settings: Configuring Anti-Tamper, Risk Engine & VM Detection
Home/Blog/Remote Settings: Configuring Anti-Tamper, Risk Engine & VM Detection
Developer GuideApril 16, 202615 min read

Remote Settings: Configuring Anti-Tamper, Risk Engine & VM Detection

PapelShip TeamPapelShip Team
qPapel Licence ManagementSecurityAnti-TamperRemote Config

Remote Settings Overview

The Remote Settings panel at /dashboard/api-integrations/remote-settings is the control center for client-side security policies. Each product gets its own independent configuration, managed through a 6-step wizard. Your C++ client imports these settings at runtime via auth.ImportRemoteSettingsJson().

Step 1: Security Policy

This step defines your core security stance:

Hardware Identification (HWID Method)

Choose how the client fingerprints the user's machine. Options:

MethodPropertyUse Case
CPUcpuid serialStandard protection
MAC AddressNIC MACLess reliable with VPNs
Disk SerialHDD/SSD serialHigh security
Windows GUIDMachineGUID registryConvenience-first

Detection Response — What happens when a blacklisted process or window is detected:

  • close_app — Gracefully closes the client
  • log_only — Silently logs the detection without disrupting the user
  • bsod — Forces a system crash (aggressive, use with caution)

Integrity Check — When enabled, the client calculates the SHA-256 hash of its own executable on startup and compares it against the hash you uploaded via the dashboard. If the hashes don't match, the binary has been patched or modified. You can update the reference hash by uploading your latest build directly from the wizard.

Ban on Debugger — Automatically bans the license key if a debugger (like x64dbg, OllyDbg, or IDA) is attached to the client process. Marked as "Aggressive" because legitimate developers debugging their own integrations could trigger this.

Version Check — Enforce a minimum client version. If the connecting client reports a version lower than required_version, the server rejects the connection. Keep this in sync with your loader's clientVersion string.

Step 2: Blacklists

Two categories of blacklists:

Blacklisted Windows — Detect by window title. Supports partial matching (is_partial_match) so you don't need the exact title. Each entry has a severity:

  • suspicious — Logs and potentially triggers risk score
  • ban — Immediately bans the license key

Blacklisted Processes — Detect by process name (e.g., cheatengine-x86_64.exe). Same severity options. The dashboard supports bulk import: paste one entry per line with an optional |ban suffix to set severity.

Step 3: Risk Engine

The Risk Engine is a sophisticated, point-based scoring system that unifies multiple security signals into a single risk score per session.

Core Parameters:

  • Score Cap — Maximum risk score (default: 100)
  • Decay / Minute — Points subtracted per minute of clean behavior (default: 5)
  • Cooldown — Seconds between score evaluations (default: 15)

Threshold Ladder:

Each threshold triggers a different action when the accumulated score reaches it:

ThresholdDefaultAction
Warn30Log only
Restrict60Silent flag
Close80Close application
Ban95Permanent ban

Point Sources:

Every security signal contributes points to the risk score:

  • Debugger detected: +80 points
  • VM environment: +25 points
  • Integrity check failure: +100 points (instant ban)
  • Blacklisted window/process: +50 points
  • Proxy detected: +25 points
  • Clock skew: +15 points
  • Replay attack suspect: +60 points
  • Multi-login attempt: +40 points
  • Failed login burst: +25 points (configurable window and max attempts)

Restrict Mode — When the score enters the "Restrict" zone, you can configure per-endpoint behavior:

  • allow — Let the request through normally
  • delay_fail — Introduce artificial delay then fail
  • mask_network_error — Return a fake network error
  • mask_update_required — Pretend an update is needed
  • return_empty_ok — Return 200 with empty data
  • close_app — Force close
  • bsod — System crash

This per-endpoint configuration applies to: license validation, server string fetching, server file delivery, heartbeat, and file start.

Step 4: Network Guard

Network Guard detects clients connecting through proxies, VPNs, or with manipulated system clocks:

  • Allow Proxy / VPN — Toggle whether proxy/VPN connections are permitted
  • Clock Skew Threshold — Maximum allowed difference (in seconds) between client and server time (default: 120s)
  • Hosts File Check — Detect if the Windows hosts file has been modified (potential DNS hijacking)
  • Network Guard Action — What to do when violations are detected (same options as risk actions)

Step 5: VM Detection

A point-based virtual machine detection system with granular scoring:

  • CPUID Hypervisor Bit — +25 points
  • VMware Vendor String — +60 points
  • VirtualBox Vendor — +60 points
  • QEMU / Bochs — +60 points each
  • Microsoft Hyper-V — +10 points (often legitimate)
  • Registry keys (VMware Tools, VBox Additions) — +80 points each
  • File signatures — +70 points
  • MAC address prefixes — +30 points

When the combined VM score exceeds the vmachine_threshold (default: 80), the configured action triggers. The "Allow Hyper-V" toggle lets you whitelist Microsoft's built-in virtualization since many developers and enterprise users run Hyper-V legitimately.

Step 6: Review & Deploy

The final step shows a summary of your configuration. Click Save & Deploy to push the settings live. Your C++ client fetches the latest config on each session start via the ImportRemoteSettingsJson call.

Export as C++ — The wizard includes an "Export C++" button that copies the entire configuration as a ready-to-paste C++ string literal wrapped in auth.ImportRemoteSettingsJson(R"(...)");​ — perfect for hardcoding a fallback configuration in your loader.

Session Tokens

Remote Settings also controls the Session Token system. When enabled (session_token_enabled: true), the server issues a cryptographic session token after license validation. Subsequent API calls (string fetches, file downloads, heartbeats) must include this token.

Configuration options:

  • Require for Get Server String — Token required to fetch strings
  • Require for Get Server File — Token required to download files
  • Require IP Match — Token is bound to the IP address that created it
  • TTL (Time-to-Live) — How long the token remains valid (configurable per-product)

Configure your product's security →

More from the blog