A Deep Dive into MzGuard's Core Modules

MzGuard is engineered with a multi-layered defense strategy. Instead of relying on a single point of failure, it integrates five specialized modules that work in concert to protect your Windows environment. This modular architecture supports detection through a combination of local activity analysis, network monitoring, and proactive defense mechanisms. This document provides a technical overview of each core module.

1. Activity Analysis Core

The Activity Analysis Core is the intelligent heart of MzGuard. It complements signature-based detection by focusing on patterns of activity and process intent.

It continuously monitors critical system activities: process execution chains, system API calls, registry modifications, and the usage of legitimate system utilities (often referred to as **LOLBins - Living Off The Land Binaries**). By building a dynamic baseline of normal behavior, MzGuard can instantly identify deviations that signal malicious activity.

For instance, if a trusted application like Microsoft Word suddenly attempts to launch PowerShell to encrypt files or exfiltrate data, a common tactic in advanced attacks, the Activity Analysis Core flags this anomalous behavior. By focusing on the sequence of actions performed by otherwise legitimate tools, rather than on the tools themselves, it supports faster triage.
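The process-chain scoring described above, written out as an added example rather than code from the MzGuard project: the Sysmon-style events, the LOLBin list, the baseline of parent/child pairs and the scoring weights are all constructed or assumed for illustration.

```python
"""Process-chain scoring in the spirit of the Activity Analysis Core (added
illustration, not MzGuard's code). Events, LOLBin list and the baseline of
parent/child pairs observed as normal are all constructed/assumed."""

# Constructed sample events (simplified Sysmon Event ID 1 fields); ppid 4 is System.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe"},  # Word launching PowerShell
    {"pid": 500, "ppid": 4, "image": "svchost.exe"},
    {"pid": 600, "ppid": 500, "image": "powershell.exe"},  # routine scheduled script
    {"pid": 700, "ppid": 300, "image": "certutil.exe"},    # LOLBin chained under pid 300
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Assumed baseline: parent/child pairs seen during normal operation on this host.
BASELINE = {("explorer.exe", "winword.exe"), ("svchost.exe", "powershell.exe")}

def ancestry(by_pid, pid):
    """Return lowercase image names from pid up to the root of its chain."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def score_event(by_pid, ev):
    """Score one creation event from its ancestry; higher is more suspicious."""
    chain = ancestry(by_pid, ev["pid"])
    child = chain[0]
    parent = chain[1] if len(chain) > 1 else None
    score, reasons = 0, []
    if parent is not None and (parent, child) not in BASELINE:
        score += 1
        reasons.append("parent/child pair outside baseline")
    if child in LOLBINS:
        score += 1
        reasons.append("child is a LOLBin")
        if any(img in OFFICE_APPS for img in chain[1:]):
            score += 3  # the Word -> PowerShell pattern described above
            reasons.append("Office application in ancestry")
    return score, reasons

def triage(events):
    """Map pid -> (score, reasons) for every event that scored above zero."""
    by_pid = {e["pid"]: e for e in events}
    scored = {e["pid"]: score_event(by_pid, e) for e in events}
    return {pid: res for pid, res in scored.items() if res[0] > 0}
```

Note that the baselined svchost.exe -> powershell.exe pair still scores low rather than zero, so routine LOLBin use stays visible for triage without being ranked alongside the Office-rooted chain.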

2. IDS/IPS Network Engine

This module acts as a vigilant gatekeeper for all network traffic. Functioning as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS), it inspects data packets in real time. It uses a combination of signature-based rules to block known attack patterns (like reconnaissance scans or exploit kits) and anomaly detection to flag suspicious connections, such as a process attempting to communicate with a known command-and-control (C2) server. Upon detecting a threat, the IPS component immediately blocks the malicious traffic, preventing data exfiltration and lateral movement within the network.

3. Anti-Exploit Engine

Software vulnerabilities are a primary entry point for attackers. The Anti-Exploit Engine is a specialized shield designed to protect applications from being compromised. It doesn't need to know the specific malware; instead, it focuses on the techniques used in exploits. It guards against memory-based attacks like buffer overflows and heap spraying, and blocks the execution of malicious code in non-executable memory regions. By neutralizing the exploit technique itself, this module effectively protects against attacks targeting vulnerabilities in browsers, document readers, and other common applications, even before a patch is available.

4. Anti-Spyware Module

This module is a dedicated sentinel against threats that aim to steal your information and invade your privacy. It actively monitors for activities characteristic of spyware, such as unauthorized webcam or microphone access, keylogging (recording your keystrokes), screen scraping, and clipboard hijacking. It also watches for patterns associated with data exfiltration, where sensitive files are bundled and prepared for upload. By focusing on these specific malicious behaviors, the Anti-Spyware Module safeguards your personal data and confidential information from prying eyes.

5. Identity Protection Shield

Your digital credentials are one of your most valuable assets. The Identity Protection Shield is a guardian dedicated to protecting them. It monitors for attempts to access or exfiltrate stored passwords from browsers, email clients, and system credential managers like the Local Security Authority Subsystem Service (LSASS). It also helps defend against credential-stuffing attacks and provides alerts on suspicious login activities, ensuring that your digital identity remains secure and under your control.

Strength in Synergy

MzGuard's strength lies in this modular synergy. Each module is a specialist, but their combined intelligence provides a comprehensive defense that is both deep and wide. This transparent, layered approach is central to our philosophy of building a robust, community-driven security tool. We invite you to explore the code, contribute your expertise, and help us redefine proactive cyber defense.