Frequently Asked Questions

Get instant answers to common questions about MZGuard IDS. Installation, licensing, whitelist management, protection features, and troubleshooting.

Licensing & Pricing

Subscription plans, trial period, and payment information

Starter Plan ($1.99/month) includes:
  • 1 device license
  • Basic IDS protection (process monitoring, network analysis)
  • Manual whitelist management
  • Email support (48h response time)
Professional Plan ($3.99/month) includes:
  • 3 device licenses
  • Advanced protection (YARA rules, APT detection, PowerShell monitoring)
  • Automatic whitelist learning
  • Priority email support (24h response time)
  • Advanced dashboard with threat analytics

The trial gives you full access to Professional features for 14 days without requiring a credit card. During the trial:
  • No payment information required to start
  • All Professional features unlocked (YARA, APT detection, PowerShell monitoring)
  • No automatic charges at the end of the trial
  • You choose your plan after the trial expires
After 14 days, you can subscribe to Starter or Professional to continue using MZGuard.

Yes, you can change your plan at any time from the Account Dashboard. Changes take effect immediately:
  • Upgrading: Instant access to new features, prorated billing applies
  • Downgrading: New limits apply at next billing cycle, credit issued for unused time
No cancellation fees or penalties for changing plans.

We accept all major payment methods via Stripe:
  • Credit Cards (Visa, Mastercard, American Express)
  • Debit Cards
  • PayPal
  • Apple Pay / Google Pay
All transactions are secured with 256-bit SSL encryption.

Installation & Setup

System requirements, installation process, and initial configuration

Minimum Requirements:
  • Operating System: Windows 10/11 (64-bit)
  • RAM: 4 GB (8 GB recommended for Professional)
  • Disk Space: 500 MB for installation + 2 GB for logs
  • Processor: Intel Core i3 or equivalent
  • Administrator privileges required
Network Requirements:
  • Internet connection for license activation
  • Firewall exception for MZGuard processes (automatic setup)

No, MZGuard works alongside Windows Defender and other antivirus software. MZGuard is a Host-based Intrusion Detection System (HIDS), not a traditional antivirus:
  • MZGuard monitors behavior and network activity, not file signatures
  • Antivirus software scans files for malware signatures
  • The two technologies complement each other for defense in depth
However, you may need to add MZGuard to your antivirus whitelist to prevent false positives during monitoring operations.

License activation is automatic and requires just your account credentials:
  1. Launch MZGuard IDS.exe after installation
  2. Click the "Activate License" button in the GUI
  3. Log in with your account.mzguard.com credentials
  4. Your active subscription is detected automatically
No manual license key entry required. The system validates your subscription online.

Yes, depending on your plan:
  • Starter Plan: 1 device
  • Professional Plan: 3 devices
You can manage all devices from the Account Dashboard. Each device requires activation with your account credentials. You can deactivate devices remotely to free up license slots.

Whitelist Management

Understanding and configuring the whitelist system

The whitelist system is MZGuard's core mechanism for distinguishing legitimate software from potential threats:
  • Trusted Applications: Programs on the whitelist can run without alerts
  • Unknown Applications: New or modified programs trigger alerts for review
  • Baseline: Whitelisted programs establish normal activity patterns
This approach improves coverage for unknown threats by detecting anomalies, not just known malware signatures.

There are three ways to whitelist programs:
  1. Alert Popup (Recommended): When MZGuard detects a new program, click "Allow" or "Allow Permanently" in the alert popup
  2. Manual Addition: Open the Dashboard → Whitelist Manager → Click "Add Program" → Browse to the executable file
  3. Auto-Learning (Professional): Enable "Learning Mode" for 7 days to automatically whitelist all legitimate software you use
Always verify the program is legitimate before whitelisting.

This is normal during the first 24-48 hours after installation. MZGuard needs to learn your system's baseline:
  • Windows Update components
  • System maintenance tasks
  • Scheduled tasks and services
Solution: Click "Allow" for legitimate Windows processes. After 2-3 days, alerts will decrease significantly. You can also use the "Whitelist System Processes" quick action in Settings to auto-approve common Windows components.

Yes, Professional users can manage whitelist backups:
  • Export: Dashboard → Whitelist Manager → "Export Configuration" (saves as JSON file)
  • Import: Dashboard → Whitelist Manager → "Import Configuration" (restore from backup)
This is useful when:
  • Deploying MZGuard on multiple similar systems
  • Backing up trusted configurations before major changes
  • Sharing approved software lists across teams

Protection Features

Understanding detection capabilities and security modules

MZGuard provides multi-layered threat detection:
  • Process Monitoring: Unauthorized executables, process injection, privilege escalation
  • Network Analysis: Suspicious connections, C2 communication, data exfiltration
  • PowerShell Protection (Pro): Script obfuscation, encoded commands, fileless malware
  • YARA Rules (Pro): APT indicators, known exploit patterns, ransomware signatures
  • Activity Analytics: Anomalous system calls, credential dumping, lateral movement

Professional Plan includes APT-grade detection using YARA rules and activity analysis:
  • YARA Scanning: Pattern matching against 500+ APT indicators (updated weekly)
  • Network Anomaly Detection: Identifies beaconing, DGA domains, Tor/proxy usage
  • Persistence Mechanisms: Monitors registry keys, scheduled tasks, service installations
  • Living-off-the-Land: Detects abuse of legitimate tools (PowerShell, WMI, certutil)
These techniques catch sophisticated threats that bypass traditional antivirus.

Follow this incident response workflow:
  1. Read the Alert: Check the process name, path, and threat description
  2. Assess Legitimacy: Is this a program you recognize and trust?
  3. Choose Action:
    • Block: Terminates the process immediately (recommended for unknown threats)
    • Allow Once: Permits this execution but monitors future instances
    • Allow Permanently: Adds to whitelist (use only for verified legitimate software)
  4. Review Logs: Check Dashboard for related activity and context
  5. Escalate if Uncertain: Contact support with the alert details

MZGuard operates in Alert Mode by default, prompting you to make decisions:
  • Alert Mode (Default): Shows popup for user action (Block/Allow)
  • Automatic Mode (Settings): Blocks unknown processes automatically, logs allowed programs
Professional users can configure custom rules:
  • Auto-block specific threat types (PowerShell obfuscation, network anomalies)
  • Auto-allow whitelisted publishers (Microsoft, Adobe, trusted vendors)
We recommend Alert Mode for the first week to avoid blocking legitimate software.

Technical Support

Troubleshooting, performance optimization, and common issues

High resource usage is usually temporary during initial learning. Optimization tips:
  • Whitelist System Processes: Settings → "Quick Whitelist Windows Components" (reduces monitoring overhead)
  • Adjust Scan Frequency: Dashboard → Settings → Reduce scan interval from 5s to 10s
  • Disable Unused Modules: Turn off YARA/PowerShell monitoring if not needed (Professional only)
  • Log Rotation: Enable automatic log cleanup (Settings → Logs → "Auto-delete logs older than 30 days")
Typical resource usage after optimization: 50-150 MB RAM, 1-3% CPU (idle), 5-10% CPU (active monitoring).

Common startup issues and fixes:
  1. Administrator Rights: Right-click → "Run as Administrator"
  2. Antivirus Conflict: Add C:\Program Files\MZGuard to your antivirus exclusions
  3. Corrupted Config: Delete %APPDATA%\MZGuard\config.json and restart
  4. Port Conflict: Check if port 9990 (GUI) is in use: netstat -ano | findstr 9990
  5. Firewall Blocking: Ensure Windows Firewall allows MZGuard (automatic during installation)
If issues persist, check C:\Program Files\MZGuard\logs\crash.log and contact support.
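A read-only PowerShell triage of the startup checks above, added here as an example and not MZGuard's own tooling: it parses config.json before you delete it, names the process holding port 9990, and tails crash.log. The function name and output fields are hypothetical; the paths and port are the ones given in this FAQ. Check 2 (antivirus exclusions) is left out because it depends on the antivirus product.

```powershell
# Added example (not vendor code). Paths and port 9990 are from the FAQ; names are hypothetical.
function Test-MZGuardStartup {
    param(
        [string]$InstallDir = 'C:\Program Files\MZGuard',
        [string]$ConfigPath = (Join-Path $env:APPDATA 'MZGuard\config.json'),
        [int]$GuiPort = 9990
    )
    # Check 1, administrator rights: is this session elevated?
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Check 3, corrupted config: parse the file before deciding to delete it.
    $configState = 'missing'
    if (Test-Path -LiteralPath $ConfigPath) {
        try {
            $raw = Get-Content -LiteralPath $ConfigPath -Raw
            if ([string]::IsNullOrWhiteSpace($raw)) { throw 'file is empty' }
            $raw | ConvertFrom-Json -ErrorAction Stop | Out-Null
            $configState = 'valid JSON'
        } catch {
            $configState = "unparseable: $($_.Exception.Message)"
        }
    }

    # Check 4, port conflict: which process is listening on the GUI port?
    $listeners = Get-NetTCPConnection -LocalPort $GuiPort -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            '{0} (PID {1})' -f $p.ProcessName, $_.OwningProcess
        }

    # Check 5, firewall: rules whose program path points into the install directory.
    $fwFilters = @(Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -like "$InstallDir\*" })

    # Last lines of crash.log, if the file exists.
    $crashLog = Join-Path $InstallDir 'logs\crash.log'
    $crashTail = if (Test-Path -LiteralPath $crashLog) { Get-Content -LiteralPath $crashLog -Tail 20 }

    [pscustomobject]@{
        IsElevated        = $isAdmin
        ConfigState       = $configState
        PortListeners     = @($listeners)
        FirewallRuleCount = $fwFilters.Count
        CrashLogTail      = $crashTail
    }
}
Test-MZGuardStartup | Format-List
```

A PortListeners entry that is not an MZGuard process points to the port conflict in step 4. If ConfigState is unparseable, copy config.json aside before deleting it so the file is still available to send to support.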

Complete uninstallation procedure:
  1. Settings → General → "Deactivate License" (frees device slot for reuse)
  2. Windows Settings → Apps → "MZGuard IDS" → Uninstall
  3. Manual Cleanup (if needed):
    • Delete: C:\Program Files\MZGuard
    • Delete: %APPDATA%\MZGuard
    • Registry: Remove HKLM\Software\MZGuard
Your subscription remains active and can be used on other devices.

Log storage details:
  • Location: C:\Program Files\MZGuard\logs\
  • Types:
    • threat_log.json - Detected threats and user actions
    • network_log.json - Network connections and anomalies
    • process_log.json - Process creation/termination events
    • system_log.txt - MZGuard system events and errors
  • Retention: 90 days (configurable in Settings)
  • Rotation: Auto-archived weekly, compressed with ZIP
Professional users can export logs to SIEM systems via the /api/logs endpoint.

Support channels by urgency level:

Still Have Questions?

Our support team is here to help. Get personalized assistance from security experts.