GuardXCore

NAC-Nuno

Mar 27, 2026
Hi everyone,

I’d like to introduce GuardXcore, a Windows security app I’ve been building focused on local behavioral monitoring and process visibility.

GuardXcore is designed to help users understand suspicious activity in real time, especially around script execution, PowerShell abuse, LOLBin usage, suspicious parent-child process chains, and local threat intelligence matches.

Current features include:
- Real-time process monitoring
- Behavioral alerts for suspicious command lines and script activity
- Detection of PowerShell EncodedCommand usage, with decoded script visibility
- Local threat intelligence indicators
- Attack chain visualization
- Script control overview
- Quarantine/history area for contained or recorded events
- Manual review workflow for suspicious activity
- UAC elevation only when an action requires administrator rights
- Signed APPX build for Windows installation
The goal is not to replace a full antivirus product, but to provide an additional local visibility and behavior-analysis layer for users who want to see what is happening on their system and understand suspicious process activity more clearly.

I’m especially interested in feedback from security-minded users on:
- Detection clarity
- False positives
- UI/UX improvements
- Useful behavioral rules to add
- Real-world testing scenarios
GuardXcore is still evolving, so constructive feedback is very welcome.

This is still a project in partnership with Microsoft, available only in the Microsoft Store in its promotional context in order to offer affordable prices. Just like with the Network Monitor&Antivirus project, I will provide all necessary support with all updates. For anyone who wants to purchase this app with complete security, here is the link... GuardXCore - Download and install on Windows | Microsoft Store

All my applications are based on security and user data, and you can check them in the store published by NAC.

Thank you all for choosing secure software.

Thanks for sharing GuardXcore’s goals and feature set. A local “visibility + behavior” layer can be genuinely useful on top of a traditional AV/EDR, as long as the alerts are understandable, low-noise, and privacy-safe.

Important clarification (trust/claims)
I can’t verify statements like “partnership with Microsoft” or any implied endorsement based only on a Store listing. To avoid misunderstandings, it helps to word this very carefully and provide verifiable context (e.g., Microsoft for Startups program, co-sell, Store promotion program name, etc.), or avoid the word “partnership” if it’s simply distribution via the Microsoft Store.

Detection clarity: what typically works best
For behavioral alerts, clarity usually improves a lot when each alert includes:
  • A plain-language “why this is suspicious” line (1–2 reasons, not a wall of text)
  • The exact process tree context (parent, grandparent, integrity level, signer, user, session)
  • The specific rule that fired (rule name + category + confidence score)
  • A “what to do next” suggestion (review, allowlist, contain, submit for analysis)
  • A safe redaction option for sensitive command lines (tokens, paths, user names)

For things like LOLBins and suspicious chains, users benefit from seeing both:
  • The “technique” (e.g., mshta/wscript/rundll32 misuse patterns)
  • The “evidence” (command line fragments, unusual parent, unusual network follow-up, dropped file path)

False positives: common pain points to design around
In real-world Windows environments, these are frequent FP sources:
  • IT management tools (Intune, SCCM/ConfigMgr, PDQ, RMM agents) that use PowerShell heavily
  • Enterprise software updaters and installers (encoded commands, scheduled tasks, service creation)
  • Browsers and Electron apps spawning helper processes with odd parameters
  • Developer tooling (VS Code, Python/Node, build chains) that resembles “living off the land”

Practical controls that reduce frustration:
  • Allowlisting by signer (Microsoft, Google, etc.) plus product name/version (not only file path)
  • Allowlisting by specific rule + scoped to a parent process (e.g., allow “powershell encoded” only when launched by a known admin tool)
  • “Learning mode” that only records events for a period, then suggests allowlists (careful with security implications)
  • Per-alert confidence and “needs attention” thresholds

PowerShell EncodedCommand + decoded visibility: privacy and safety
Decoded script visibility is powerful, but it’s also a privacy and data-handling risk because scripts may contain:
  • Credentials, API tokens, tenant IDs
  • Internal server names and paths
  • Personal data in automation scripts

Best-practice expectations from security-minded users typically include:
  • Clear statement of whether decoded content ever leaves the device
  • If anything is uploaded/telemetry: explicit opt-in and a detailed, readable privacy policy
  • Redaction options (mask common secret patterns) and “do not store decoded content” mode
  • Secure local storage (at-rest protection) for history/quarantine records

Quarantine/history/workflow: set expectations clearly
If “quarantine” is meant as containment rather than true remediation, it helps to define what happens technically:
  • Is a process terminated? Is execution blocked next time?
  • Are files moved, ACL-restricted, or just recorded?
  • Are scheduled tasks/services/registry autoruns captured and reversible?

Security users will look for:
  • Reversible actions with an audit log (who/when/what changed)
  • Tamper-resistance considerations (at least basic protection against simple disable/kill)
  • Clear separation between “alerted,” “blocked,” “contained,” and “user allowed”

Real-world testing scenarios (useful, repeatable)
Without making any malware claims, you can test detection logic safely using:
  • Atomic Red Team (MITRE-mapped tests) for PowerShell/LOLBin technique simulation
  • Microsoft Sysmon + your app side-by-side to compare event completeness and noise
  • Common “benign but suspicious-looking” admin scripts (encoded commands, scheduled tasks, WMI queries)
  • Office macro-like chains in a controlled lab (document app -> script host -> LOLBin), using harmless payloads (e.g., calc/notepad)

If you publish a small “test pack” of benign simulations (clearly labeled), it makes community feedback much more actionable and consistent.

Performance and stability signals people will ask about
Behavior monitoring apps often get judged on:
  • CPU/RAM impact under normal browsing and during software installs
  • Boot impact and stability (no hangs, no explorer slowdowns)
  • How it behaves with other security software (compatibility, duplicate hooking, event storms)

If you can share measured numbers (methodology included) and a known-issues list, that usually builds confidence.

Next step that will get you higher-quality feedback on MalwareTips
To help members evaluate constructively (without anyone guessing), it’s useful to post:
  • A short documentation page: what is monitored, what is not, and how rules work at a high level
  • Privacy/telemetry details (what data is collected, stored, or transmitted)
  • Screenshots of a few representative alerts (including the process tree view)
  • A small set of benign test scenarios you recommend and what alerts should appear

That will let security-minded users focus feedback on detection clarity, noise control, and usability—exactly the areas that determine whether a visibility tool is practical day-to-day.
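To make the design points in the reply above concrete (structured, explainable alerts; allowlists scoped to rule + parent + signer; redaction of decoded EncodedCommand content) alongside the OP's listed features (EncodedCommand decoding with decoded-script visibility, suspicious parent-child chains), here is a small rule engine over constructed process-creation events. This is an added example written for this thread, not GuardXcore code. The event fields (image, command_line, parent_image, grandparent_image, signer, user), the rule names, the allowlist entry and all sample paths, signers and command lines are assumptions and constructed sample data; the field names are only loosely modelled on Sysmon process-creation events.

```python
"""Added example (not GuardXcore's code): explainable behavioural rules over
constructed process-creation events. Field names and rule names are assumed."""
import base64
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    pid: int
    image: str               # full path of the new process (assumed field)
    command_line: str
    parent_image: str
    signer: str              # Authenticode signer, "" if unsigned (assumed field)
    user: str
    grandparent_image: str = ""


@dataclass
class Alert:
    rule: str
    category: str
    confidence: int          # 0-100
    why: str                 # plain-language reason, kept short
    next_step: str           # suggested handling
    context: dict = field(default_factory=dict)


# Allowlist keyed by rule AND scoped to parent image + signer, so encoded
# PowerShell is tolerated only under a known management agent. Constructed entry.
ALLOWLIST = [
    {"rule": "powershell.encoded_command",
     "parent_image": r"C:\Program Files\ExampleRMM\agent.exe",
     "signer": "Example RMM Vendor"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
SECRET_PATTERN = re.compile(
    r"(?i)(password|passwd|pwd|token|apikey|api_key|secret)(\s*[=:]\s*)(['\"]?)([^\s'\"]+)")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "certutil.exe", "mshta.exe", "bitsadmin.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the decoded script when the command line carries -EncodedCommand, else None.
    PowerShell expects base64 over UTF-16LE text; malformed input yields None, not a crash."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def redact(text: str) -> str:
    """Mask credential-looking values before decoded content is displayed or stored."""
    return SECRET_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED]", text)


def is_allowlisted(rule: str, ev: ProcessEvent) -> bool:
    return any(a["rule"] == rule
               and a["parent_image"].lower() == ev.parent_image.lower()
               and a["signer"] == ev.signer
               for a in ALLOWLIST)


def context(ev: ProcessEvent) -> dict:
    return {"pid": ev.pid, "image": ev.image, "parent": ev.parent_image,
            "grandparent": ev.grandparent_image, "signer": ev.signer, "user": ev.user}


def evaluate(ev: ProcessEvent) -> list:
    """Run every rule against one event and return the alerts that survive the allowlist."""
    alerts, name = [], basename(ev.image)
    if name in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(ev.command_line)
        if decoded is not None and not is_allowlisted("powershell.encoded_command", ev):
            alerts.append(Alert(
                rule="powershell.encoded_command", category="Script execution", confidence=60,
                why="PowerShell started with -EncodedCommand; encoding hides the script from review.",
                next_step="Review the decoded script; allowlist by parent + signer if it is a known admin tool.",
                context={**context(ev), "decoded_script": redact(decoded)}))
    parent, grand = basename(ev.parent_image), basename(ev.grandparent_image)
    if name in LOLBINS and parent in SCRIPT_HOSTS and grand in OFFICE_APPS:
        alerts.append(Alert(
            rule="chain.office_script_lolbin", category="Suspicious process chain", confidence=85,
            why=f"{grand} spawned {parent}, which spawned {name}: a document-driven script reached a LOLBin.",
            next_step="Contain the process tree and review the originating document.",
            context=context(ev)))
    return alerts


def encode_ps(script: str) -> str:
    """Build constructed samples with the encoding PowerShell itself uses."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: benign script text, placeholder paths, no real hosts or secrets.
SAMPLE_SCRIPT = "Invoke-RestMethod -Uri https://updates.example.invalid -Headers @{ token = 'abc123' }"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EV_ENCODED_UNKNOWN_PARENT = ProcessEvent(
    pid=4120, image=PS_IMAGE, command_line=f"powershell.exe -enc {encode_ps(SAMPLE_SCRIPT)}",
    parent_image=r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe", signer="", user="alice")
EV_ENCODED_RMM = ProcessEvent(
    pid=4121, image=PS_IMAGE, command_line=f"powershell.exe -enc {encode_ps(SAMPLE_SCRIPT)}",
    parent_image=r"C:\Program Files\ExampleRMM\agent.exe", signer="Example RMM Vendor", user="SYSTEM")
EV_OFFICE_CHAIN = ProcessEvent(
    pid=5002, image=r"C:\Windows\System32\rundll32.exe",
    command_line="rundll32.exe example.dll,EntryPoint",     # constructed placeholder
    parent_image=r"C:\Windows\System32\wscript.exe", signer="Microsoft Windows", user="alice",
    grandparent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")

if __name__ == "__main__":
    for ev in (EV_ENCODED_UNKNOWN_PARENT, EV_ENCODED_RMM, EV_OFFICE_CHAIN):
        for a in evaluate(ev):
            print(f"[{a.rule}] ({a.category}, {a.confidence}%) {a.why}\n  next: {a.next_step}\n  {a.context}")
```

Running it shows the encoded PowerShell alert only for the unsigned, unknown parent (with the token masked in the decoded script), nothing for the same command line under the allowlisted agent, and a high-confidence chain alert for the Office -> wscript -> rundll32 tree. The allowlist deliberately matches on parent path plus signer rather than path alone, which is the point made in the reply about not trusting file paths by themselves.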
Hi @NAC-Nuno

I have some questions for you

1. On which Windows platforms does it work? Any Windows version?

2. Will you add the scan engines to virustotal.com?

3. And which scan engines did you use?

4. How can I submit samples to you for checking?

5. Are there any plans for multilanguage support in the new version?

6. When you release Beta, RC or Alpha versions of it, how can I get them?

7. Do you have Full, Custom and Quick scans?

Mops21
Hi, thanks for the questions.

1. Windows support
GuardXcore is currently focused on Windows 10 and Windows 11, 64-bit. The APPX package targets Windows 10 build 19041 or newer. Most testing has been done on recent Windows 11 builds, but Windows 10 support is also intended.

2. VirusTotal integration
GuardXcore does not currently upload files, hashes, or telemetry to VirusTotal. I may consider optional hash lookup in the future, but only with clear user consent.

3. Scan engines used
GuardXcore does not use third-party antivirus scan engines. It uses its own local behavior-based logic, process monitoring, command-line inspection, PowerShell/script detection, LOLBin rules, attack-chain analysis, and offline/local threat intelligence indicators.

4. Sample submission
There is no public sample submission portal at the moment. For now, users can share hashes, suspicious command lines, screenshots, logs, or safe reproduction steps. I do not recommend posting live malware samples publicly in the forum thread.

5. Multilanguage support
Yes. GuardXcore already includes multilanguage support in the app. The current language selector includes:
English, Portuguese, Spanish, French, German, Italian, Dutch, Simplified Chinese, Traditional Chinese / Taiwan, Japanese, Korean, Polish, and Turkish.
Some translations may still be improved over time as new features are added.

6. Alpha/Beta/RC releases
No public Alpha, Beta, or RC testing is planned for now. I prefer to publish stable builds only. Updates will be announced when available.

7. Full, custom, and quick scans
GuardXcore is currently not a traditional file scanner. The main focus is real-time behavior monitoring, process visibility, suspicious command-line detection, script activity, LOLBin usage, and attack-chain visibility.

Full, custom, and quick file scans are not included in the current release. They may be considered later, but the current version is focused on live behavioral protection and local analysis.