Runs beside Defender · fully local

Stops the attack,
not the file's signature.

A behavioral antivirus & EDR for Windows 11 that catches what malware does — so zero-day threats with no signature still get caught and killed.

~360 KB engine · near-zero idle CPU · no account · no telemetry

FlewHaul — live feed

CRIT: Reverse shell — terminated
powershell.exe held outbound C2 socket · T1059 · CVSS 9.0

CRIT: Ransomware — process killed
stopped after 6 files · 54 recovered · T1486 · CVSS 9.4

HIGH: Persistence — removed
malicious Run-key auto-deleted · T1547.001

HIGH: LSASS dump — blocked
credential theft attempt · T1003.001 · CVSS 9.1

OK: All sentinels patrolling

Detection and response, in one agent

Seven behavioral sentinels watch processes, the network, files, the registry and DNS — and act the moment something turns hostile.

Behavioral, signature-free

Catches techniques, not hashes. Novel and zero-day malware with no known signature still trips the sentinels.

Active response

Suspends or kills the culprit, deletes persistence, and freezes ransomware mid-encryption — automatically.

ATT&CK + CVSS

Every finding maps to a MITRE technique and carries a CVSS score — ready for triage and reporting.

Invisible footprint

Event-driven sentinels sleep until something fires. You will not hear the fans or feel the lag.

Quarantine & self-heal

Killed files go to a locked vault. The engine restarts itself if an attacker tries to shut it down.

Game aware

Throttles while a full-screen game runs, then snaps back to full protection the second you exit.

Real techniques, mapped and scored

A selection of the techniques FlewHaul detects, each tested with real tooling — not a generic feature list.

| Technique | ATT&CK ID | Severity |
|---|---|---|
| Reverse shell / C2 | T1059 | CVSS 9.0 |
| Ransomware encryption | T1486 | CVSS 9.4 |
| LSASS credential dump | T1003.001 | CVSS 9.1 |
| Shadow-copy deletion (recovery inhibition) | T1490 | CVSS 8.6 |
| Disable Defender / UAC via registry | T1562.001 | CVSS 8.4 |
| Process injection (RWX / hollowing) | T1055 | CVSS 8.4 |
| UAC bypass | T1548.002 | CVSS 8.2 |
| PsExec / WMI lateral movement | T1021 · T1047 | CVSS 8.0 |
| Rundll32 / Regsvr32 proxy execution | T1218 | CVSS 7.7 |
| Tunnels & RATs (ngrok, cloudflared…) | T1572 | CVSS 7.5 |
| Run-key / scheduled-task persistence | T1547 · T1053 | CVSS 7.2 |
| Event-log clearing (anti-forensics) | T1070.001 | CVSS 6.5 |

+ DNS C2 / DGA · BITS jobs · certutil staging · WMI subscriptions · account creation · BYOVD driver blocking

No open ports. No cloud. No way in.

A security tool should never become the hole in your defenses. The FlewHaul agent never opens a listening port and never sends your data anywhere — so it cannot be reached, hijacked, or turned against you.

Zero attack surface: no inbound socket, no local web server, no agent API to exploit
Fully local by default: findings stay on the machine; optional cloud sync is opt-in only
Runs beside Windows Defender: a behavioral second layer, not a replacement

Engine size: ~360 KB
Idle CPU: ~0%
Platform: Windows 11 x64
Sentinels: 7
Network ports: 0
Telemetry: none
Account required: no

Download FlewHaul

Free. Windows 11. Installs in seconds and runs alongside Defender.

Installer (recommended)

One-click setup with Start-menu and desktop shortcuts. Starts protecting at boot.

Download Installer: FlewHaul-Setup.exe · ~11 MB

Portable (no install)

A self-contained folder — unzip and run. Ideal for a USB stick or a locked-down PC.

Download Portable: FlewHaul-Portable.zip · ~13 MB

Needs Administrator on first run for full real-time detection. Unsigned build — accept SmartScreen to continue.