Runs beside Defender · fully local

Stops the attack,
not the file's signature.

A behavioral antivirus & EDR for Windows 11 that catches what malware does — so zero-day threats with no signature still get caught and killed.

~360 KB engine · near-zero idle CPU · no account · no telemetry

FlewHaul — live feed
CRIT: Reverse shell — terminated
powershell.exe held outbound C2 socket · T1059 · CVSS 9.0
CRIT: Ransomware — process killed
stopped after 6 files · 54 recovered · T1486 · CVSS 9.4
HIGH: Persistence — removed
malicious Run-key auto-deleted · T1547.001
CRIT: Shadow-copy wipe — blocked at kernel
vssadmin denied before execution · T1490 · CVSS 8.6
HIGH: LSASS dump — blocked
credential theft attempt · T1003.001 · CVSS 9.1
OK: 9 sentinels patrolling · kernel sensor active

100% of mshta proxy-execution attacks blocked at the kernel (10/10)
16/16 rundll32 proxy-execution variants caught (13 blocked pre-exec)
0 credential dumpers got a usable LSASS handle (procdump · mimikatz · nanodump · pypykatz)
530 KB engine · ~0% idle CPU · no cloud · no telemetry

Measured against Atomic Red Team on a clean Windows 11 VM. The attack tools report their own failure — “process failed to start”, “Failed to get process handle”. Prevention, not just alerts.

Detection and response, in one agent

Seven behavioral sentinels watch processes, the network, files, the registry and DNS — and act the moment something turns hostile.

Behavioral, signature-free

Catches techniques, not hashes. Novel and zero-day malware with no known signature still trips the sentinels.

Active response

Suspends or kills the culprit, deletes persistence, and freezes ransomware mid-encryption — automatically.

ATT&CK + CVSS

Every finding maps to a MITRE technique and carries a CVSS score — ready for triage and reporting.

Invisible footprint

Event-driven sentinels sleep until something fires. You will not hear the fans or feel the lag.

Quarantine & self-heal

Killed files go to a locked vault. The engine restarts itself if an attacker tries to shut it down.

Game aware

Throttles while a full-screen game runs, then snaps back to full protection the second you exit.

Real techniques, mapped and scored

A selection of the techniques FlewHaul detects, each tested with real tooling — not a generic feature list.

Technique | ATT&CK ID | Severity
Reverse shell / C2 | T1059 | CVSS 9.0
Ransomware encryption | T1486 | CVSS 9.4
LSASS credential dump | T1003.001 | CVSS 9.1
Shadow-copy deletion (recovery inhibition) | T1490 | CVSS 8.6
Disable Defender / UAC via registry | T1562.001 | CVSS 8.4
Process injection (RWX / hollowing) | T1055 | CVSS 8.4
UAC bypass | T1548.002 | CVSS 8.2
PsExec / WMI lateral movement | T1021 · T1047 | CVSS 8.0
Rundll32 / Regsvr32 proxy execution | T1218 | CVSS 7.7
Tunnels & RATs (ngrok, cloudflared…) | T1572 | CVSS 7.5
Run-key / scheduled-task persistence | T1547 · T1053 | CVSS 7.2
Event-log clearing (anti-forensics) | T1070.001 | CVSS 6.5

+ DNS C2 / DGA · BITS jobs · certutil staging · WMI subscriptions · account creation · BYOVD driver blocking

No open ports. No cloud. No way in.

A security tool should never become the hole in your defenses. The FlewHaul agent never opens a listening port and never sends your data anywhere — so it cannot be reached, hijacked, or turned against you.

Zero attack surface: no inbound socket, no local web server, no agent API to exploit
Fully local by default: findings stay on the machine; optional cloud sync is opt-in only
Runs beside Windows Defender: a behavioral second layer, not a replacement

Engine size: ~360 KB
Idle CPU: ~0%
Platform: Windows 11 x64
Sentinels: 7
Network ports: 0
Telemetry: none
Account required: no

Download FlewHaul

Free. Windows 11. Installs in seconds and runs alongside Defender.

recommended

Installer

One-click setup with Start-menu and desktop shortcuts. Starts protecting at boot.

Download Installer
FlewHaul-Setup.exe · ~11 MB

no install

Portable

A self-contained folder — unzip and run. Ideal for a USB stick or a locked-down PC.

Download Portable
FlewHaul-Portable.zip · ~13 MB

Needs Administrator on first run for full real-time detection. Unsigned build — accept SmartScreen to continue.