Override Rules

Override rules resolve conflicting signals. When multiple signals fire but they all have the same root cause, ShieldLabs collapses them into a single, more accurate signal. This reduces false positives, particularly for legitimate VPN users.

Why override rules exist

Without override rules, an anti-detect browser user on a VPN would receive:

Is VPN:                +10
Fail by Mac OS detect: +30  (UA=macOS, TCP=Windows from the VPN server)
─────────────────────────────
Score: 40  ← elevated, triggers 2FA

But if STUN passes (browser is genuine), we know this is a real user with a VPN and anti-detect browser — not a bot. Override rules handle this nuance.

Rule 3: VPN + clean browser + OS mismatch

The most important rule for reducing false positives on legitimate VPN users.

Condition

is_vpn = true
AND stun_passed = true          (UDP/WebRTC works — real browser)
AND OS mismatch detected        (UA OS ≠ TCP fingerprint OS)
AND network_link = not_detected

Action

REMOVE:  Is VPN (+10)
REMOVE:  All OS mismatch signals (Fail by * os detect)
ADD:     "Is vpn by base ip" (+15)

Why

The user is using a VPN and an anti-detect browser profile, but their real browser works (STUN passed). This is a legitimate VPN user or a careful ADS user — not a headless bot. The OS mismatch is caused by the VPN, not device spoofing.

Example

Without Rule 3 (STUN failed):

Is VPN:                 +10
Fail by windows detect: +30
Stun is not checked:    +30
─────────────────────────────
Score: 70  ← High risk

With Rule 3 (STUN passed):

Is vpn by base ip:      +15
─────────────────────────────
Score: 15  ← Low risk (VPN user, not a bot)

If STUN is not checked, Rule 3 does not apply. Without STUN confirmation, we cannot distinguish a legitimate VPN user from an automated tool.

Rule 1: VPN confirmed by network analysis

Condition

is_vpn = true
AND network_link IN (VPN, GIF)

Action

REMOVE: Is VPN, Is proxy, Is datacenter, Is abuser
ADD:    "Is vpn by network & by base ip" (+15)

When both the IP database and network analysis confirm a VPN tunnel, the datacenter/proxy flags are artifacts of the VPN — not independent threats.

Example

Before Rule 1:

Is VPN:        +10
Is datacenter: +20
Score: 30

After Rule 1:

Is vpn by network & by base ip: +15
Score: 15

Rule 2: False positive VPN

Condition

is_vpn = true
AND network analysis does NOT confirm a tunnel

Action

REMOVE: Is VPN
Score: 0 (if no other signals)

IP databases occasionally misclassify residential IPs as VPN. If network analysis doesn’t confirm a tunnel, the VPN flag is removed.
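
The collapse performed by Rules 3 and 1, reproduced over the three worked examples above as an added example (not ShieldLabs code). The function and argument names, treating the presence of an "Is VPN" signal as is_vpn = true, and matching OS mismatch signals by the pattern "Fail by <os> detect" are assumptions; Rule 2 is left out because the page does not say which network_link values count as an unconfirmed tunnel.

```python
# Added illustration, not ShieldLabs code. Signal names and weights come from
# the page; function names, arguments and the name pattern are assumptions.
import re

# Assumption: OS mismatch signals are named "Fail by <os> detect", as in the
# page's "Fail by Mac OS detect" and "Fail by windows detect".
OS_MISMATCH = re.compile(r"^Fail by .+ detect$", re.IGNORECASE)
TUNNEL_LINKS = {"VPN", "GIF"}
RULE1_REMOVED = {"Is VPN", "Is proxy", "Is datacenter", "Is abuser"}


def apply_overrides(signals, stun_passed, network_link):
    """Return (collapsed signals, rule applied) for a dict of name -> weight."""
    out = dict(signals)              # never mutate the caller's signal set
    if "Is VPN" not in out:          # assumption: this signal means is_vpn = true
        return out, None
    mismatches = [name for name in out if OS_MISMATCH.match(name)]

    # Rule 1: IP database and network analysis both confirm the tunnel.
    if network_link in TUNNEL_LINKS:
        for name in RULE1_REMOVED:
            out.pop(name, None)
        out["Is vpn by network & by base ip"] = 15
        return out, "Rule 1"

    # Rule 3: STUN passed, OS mismatch present, no tunnel seen on the link.
    if stun_passed and mismatches and network_link == "not_detected":
        out.pop("Is VPN")
        for name in mismatches:
            out.pop(name)
        out["Is vpn by base ip"] = 15
        return out, "Rule 3"

    return out, None                 # no override: signals stay as they fired


def score(signals):
    return sum(signals.values())


# Constructed inputs mirroring the page's worked examples.
stun_failed = {"Is VPN": 10, "Fail by windows detect": 30, "Stun is not checked": 30}
stun_ok = {"Is VPN": 10, "Fail by windows detect": 30}
confirmed = {"Is VPN": 10, "Is datacenter": 20}

if __name__ == "__main__":
    for sig, stun, link in ((stun_failed, False, "not_detected"),
                            (stun_ok, True, "not_detected"), (confirmed, False, "VPN")):
        print(apply_overrides(sig, stun, link))
```
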

Practical implications

Scenario                          STUN   Rule          Score
Clean user, residential IP                             0
VPN user, genuine browser                Rule 1 or 3   15
Anti-detect + VPN + STUN OK              Rule 3        15
Anti-detect + VPN + STUN failed          None          70–80
Headless bot                             None          100+
Proxy, no VPN                            None          60+