Defendrix security

Security is the product.

Defendrix protects computers, so the security of Defendrix itself has to hold up. Here's what we ship, what our threat model actually is, and how to report a vulnerability if you find one.

Our threat model

Who we're defending against.

01  Commodity malware

Trojans, downloaders, PUAs, drive-by drops. Handled by real-time scanning + behavior heuristics + reputation checks. First line of defense; catches the noise so more sophisticated attacks stand out.

02  Ransomware

Explicit target for the Ransomware Correlator, the Honeypot engine, and the on-disk journal. Kill mid-encryption and revert. Every plan covers this from tier 1.

03  Post-compromise attackers

The interesting attackers. Fileless techniques, LOLBin abuse, inline hooking, credential theft, lateral movement. The Fileless engine, Live Patch Guard, and Behavior Profiler exist for these.

04  Insider mistakes

USB media plugged into the wrong machine. A stray script. An admin clicking a phishing link. Execution Gate, USB scanning, and the LAN Protection engine together cover the accidental-attack surface.

05  MITM on the LAN

Rogue DHCP, ARP poisoning, DNS response spoofing. The LAN Protection engine + ARP watch cross-check with every other Defendrix device on the mesh so poisoning shows up within seconds.
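The cross-check described above works because poisoning is usually local: an attacker rewrites the IP-to-MAC mapping on one or a few victims, while the rest of the mesh still sees the real one. The following is an added illustration of that idea, not Defendrix's code. The device names, addresses and MACs are constructed, and the report format (each device contributes its current ARP view) is an assumption.

```python
"""Mesh-wide ARP cross-check (illustrative example, not Defendrix code).

Every device reports the IP -> MAC bindings it currently sees. The mesh
then flags any IP that resolves to different MACs on different devices;
the minority view marks the hosts most likely being poisoned.
"""
from collections import Counter, defaultdict

# Constructed sample data. ws-carol sees a different MAC for the gateway
# than every other device: the signature of a targeted ARP poisoning.
GATEWAY_IP = "192.168.1.1"

REPORTS = {
    "ws-alice":   {"192.168.1.1": "aa:bb:cc:00:00:01", "192.168.1.50": "aa:bb:cc:00:00:50"},
    "ws-bob":     {"192.168.1.1": "aa:bb:cc:00:00:01", "192.168.1.50": "aa:bb:cc:00:00:50"},
    "ws-carol":   {"192.168.1.1": "de:ad:be:ef:00:99", "192.168.1.50": "aa:bb:cc:00:00:50"},
    "fileserver": {"192.168.1.1": "aa:bb:cc:00:00:01"},
}


def mac_votes(reports):
    """ip -> Counter(mac -> number of devices reporting that mac)."""
    votes = defaultdict(Counter)
    for table in reports.values():
        for ip, mac in table.items():
            votes[ip][mac.lower()] += 1
    return votes


def find_conflicts(reports):
    """Return {ip: {mac: [hosts]}} for every IP with more than one MAC on the mesh."""
    seen = defaultdict(lambda: defaultdict(list))
    for host, table in reports.items():
        for ip, mac in table.items():
            seen[ip][mac.lower()].append(host)
    return {ip: dict(macs) for ip, macs in seen.items() if len(macs) > 1}


def majority_mac(reports, ip):
    """The MAC most devices agree on for `ip`, or None if the vote is split
    (with two vantage points disagreeing there is no trustworthy majority)."""
    votes = mac_votes(reports).get(ip)
    if not votes:
        return None
    top = votes.most_common(2)
    if len(top) > 1 and top[0][1] == top[1][1]:
        return None
    return top[0][0]


def suspected_victims(reports, ip):
    """Hosts whose view of `ip` disagrees with the mesh majority.
    With a split vote every reporting host is a suspect."""
    majority = majority_mac(reports, ip)
    return sorted(
        host for host, table in reports.items()
        if ip in table and (majority is None or table[ip].lower() != majority)
    )


def alerts(reports, gateway_ip=GATEWAY_IP):
    """One (severity, ip, victims) tuple per conflicting IP.
    A conflicting gateway binding is the classic MITM setup, so it is critical."""
    out = []
    for ip in find_conflicts(reports):
        severity = "critical" if ip == gateway_ip else "high"
        out.append((severity, ip, suspected_victims(reports, ip)))
    return out


if __name__ == "__main__":
    for severity, ip, victims in alerts(REPORTS):
        print(f"[{severity}] conflicting MACs for {ip}; likely poisoned: {', '.join(victims)}")
```

Two limits worth keeping in mind. A single device cannot detect this on its own, since its poisoned cache is internally consistent; the mesh is what supplies the second vantage point. And if the attacker manages to poison every device identically, majority voting agrees with the attacker, which is why a pinned gateway MAC baseline is a sensible addition on top of the vote.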

Not in scope: nation-state 0-days

We're not going to catch a well-funded APT's custom 0-day chain in memory before it detonates. Nobody honestly does. What we can promise is that the surface area they'd attack is small, well-monitored, and self-healing.

Defendrix defending Defendrix

Attackers try to kill the AV. We planned for that.

Process shield

The Defendrix service cannot be terminated from user mode (ring 3), even by an administrator or SYSTEM: taskkill launched through PsExec, user-mode "EDR-killer" utilities and similar tools are refused. The only supported way to stop it is an explicit operator shutdown from the UI. Anything that gets code into the kernel (a vulnerable signed driver, for example) is ring 0, not ring 3, and is outside this guarantee; that is the case the self-healing layer below exists for.

Self-healing binaries

If a rootkit deletes Defendrix binaries, disables our scheduled tasks, or stops our services, we detect it within seconds and restore ourselves from the signed on-disk archive. The healing process is itself monitored, so if the attacker goes after the healer we notice that too.

Tamper-evident logs

Our event log is append-only, and every entry carries a sequence number and an HMAC. An edited entry fails its MAC check; a deleted entry leaves a gap in the sequence. If a compromised admin deletes events, the next integrity scan finds the gap and raises a critical alert on the fleet mesh, so the tampering is visible from devices the attacker does not control.
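To make the detection logic concrete, here is an added example of an append-only log with a per-entry HMAC and the integrity scan that reads it back. It is illustrative code, not Defendrix's implementation: the entry layout, the constructed key and the idea of a "mesh checkpoint" (the last sequence number another device recorded at check-in, used to catch deletion of the newest entries) are all assumptions for the example.

```python
"""Append-only event log with per-entry HMAC (illustrative example, not Defendrix code).

Each entry is {seq, payload, mac} with mac = HMAC-SHA256(key, seq || payload).
verify() reports three kinds of tampering:
  * bad_mac   - an entry was edited or forged
  * sequence  - an entry was deleted, duplicated or reordered
  * truncated - the newest entries were deleted (needs a checkpoint recorded
                elsewhere, since the local log alone cannot know its own length)
"""
import hashlib
import hmac
import json

# Constructed key for the example. A real deployment must keep this key away
# from the account that is able to write or delete the log.
KEY = b"example-log-key-not-for-production"


def _mac(key, seq, payload):
    """HMAC over the sequence number and the serialized event."""
    return hmac.new(key, f"{seq}|{payload}".encode(), hashlib.sha256).hexdigest()


def append(log, key, event):
    """Append one event dict to `log` (a list) and return the entry written."""
    seq = log[-1]["seq"] + 1 if log else 1
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    entry = {"seq": seq, "payload": payload, "mac": _mac(key, seq, payload)}
    log.append(entry)
    return entry


def verify(log, key, checkpoint_seq=None):
    """Integrity scan. Returns a list of (kind, detail) findings; [] means intact."""
    findings = []
    expected = 1
    for entry in log:
        if entry["seq"] != expected:
            findings.append(("sequence", f"expected {expected}, found {entry['seq']}"))
        if not hmac.compare_digest(entry["mac"], _mac(key, entry["seq"], entry["payload"])):
            findings.append(("bad_mac", f"seq {entry['seq']}"))
        expected = entry["seq"] + 1
    last = log[-1]["seq"] if log else 0
    if checkpoint_seq is not None and last < checkpoint_seq:
        findings.append(("truncated", f"mesh checkpoint {checkpoint_seq}, last local seq {last}"))
    return findings


def demo():
    """Build a small log, tamper with it three different ways, return the findings."""
    log = []
    for i in range(5):
        append(log, KEY, {"event": "scan", "i": i})

    deleted_middle = log[:2] + log[3:]                      # seq 3 removed
    edited = [dict(e) for e in log]                         # seq 2 payload altered
    edited[1]["payload"] = edited[1]["payload"].replace('"i":1', '"i":9')
    truncated = log[:3]                                     # newest two removed

    return {
        "intact": verify(log, KEY, checkpoint_seq=5),
        "deleted_middle": verify(deleted_middle, KEY, checkpoint_seq=5),
        "edited": verify(edited, KEY, checkpoint_seq=5),
        "truncated": verify(truncated, KEY, checkpoint_seq=5),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case:15s} {findings or 'OK'}")
```

The checkpoint is the part that matters most in practice: an attacker who controls the host can delete the tail of the log without leaving a gap, so the last sequence number has to be recorded somewhere the attacker cannot reach, which is exactly what surfacing it to the fleet mesh buys.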

Encrypted quarantine vault

Each quarantined sample is encrypted under its own key, and that key is protected with machine-scope DPAPI, so only the Defendrix service on the original machine can re-hydrate it. One caveat: machine-scope DPAPI derives from secrets stored on that same machine, so the stolen-disk guarantee is only as strong as the disk encryption in front of it. BitLocker or equivalent full-disk encryption is what keeps an offline attacker from recovering the DPAPI master key along with the vault.

What we collect

Nothing about your files. Ever.

The Defendrix license server sees only what it needs to enforce your seat count:

  • Your license key (obviously — that's how activation works)
  • A stable hardware ID (chassis-based; survives re-image so a refurbished PC gets its seat back)
  • Your device's hostname + OS version (for the dashboard's device list)
  • Timestamps of check-in for offline-grace math

Never: file names, file hashes of things you scan, network traffic, keyboard input, or anything an antivirus would normally hoover up for "telemetry." Defendrix catches threats locally and surfaces them locally. The mesh shares detection rules between your devices, not your files.

Vulnerability disclosure

Found a bug? Please tell us.

How to report

Email security@ravensoftworks.com with as much detail as you can share. If you want to encrypt, ask for our PGP key first.

Please include: the version of Defendrix you tested (Settings → About), the OS (Windows 10 vs 11, build number), and steps to reproduce. Working PoC not required but very appreciated.

What we do

Same-day acknowledgement and a first assessment within 72 hours. Fixes ship within a normal release window (typically two weeks for medium severity, faster for critical). We credit reporters in the release notes unless you prefer anonymity.

No bug bounty program yet — we're a small shop — but if you help us catch a real vulnerability we'll extend your Defendrix license by a year, or issue an equivalent refund.

See what's in each release.

The changelog lists every security fix, every new engine, and every configuration change we've pushed since the 1.0 launch.