Anti-Tamper Protection

What Is Anti-Tamper Protection

Anti-tamper protection prevents unauthorized modification or removal of the Stairwell forwarder on macOS endpoints. When enabled, the forwarder resists attempts to stop, uninstall, or alter its files without proper authorization. This ensures continuous file collection even if an adversary gains access to the endpoint.

When to Disable Anti-Tamper

There are valid operational reasons to temporarily disable anti-tamper protection:

• Forwarder updates -- When updating the forwarder out-of-band (outside the Stairwell UI), anti-tamper must be disabled first.
• Forwarder removal -- Uninstalling the forwarder requires disabling anti-tamper to allow the removal process to proceed.
• Troubleshooting -- In rare cases, support may ask you to disable anti-tamper to diagnose forwarder issues.

Disable Anti-Tamper Protection

Disabling anti-tamper requires a valid maintenance token, which is environment-specific and rotates periodically.

1. Generate a Forwarder Maintenance Token from the Stairwell UI (see Asset Identifiers for steps).
2. Use the maintenance token to place the forwarder into maintenance mode.
3. Once in maintenance mode, the forwarder's anti-tamper protections are suspended and you can proceed with the update or uninstall.

Note: Stairwell provides detailed, platform-specific procedures for both Windows and macOS to verified customers on an as-needed basis. Contact your Stairwell representative or support for the full step-by-step process.

Re-enable Anti-Tamper Protection

Anti-tamper protection is automatically re-enabled when:

• A new version of the forwarder is installed and starts normally.
• The maintenance token expires (tokens are valid for 14 days).

If you disabled anti-tamper for troubleshooting, reinstalling or restarting the forwarder will restore protection. No manual re-enable step is required under normal circumstances.