Advanced, modular malware detection and defense framework for Windows
MalwareDefense Framework is a security-focused Windows application and service built with C#/.NET that provides real-time malware detection, behavioral analysis, memory inspection, and automated threat response. It is designed with performance, extensibility, and secure-by-design principles.
- Real-time file, memory, registry, and process monitoring
- Behavioral and heuristic malware detection
- YARA-based signature scanning (APT, rootkit, webshell, exploit detection)
- Secure quarantine and alert management
- Windows Service + WPF UI architecture
- Performance-aware, modular, and extensible design
MalwareDefenseFramework/
├── MalwareDefense.Common/ # Shared utilities, logging, configuration, security, IPC
├── MalwareDefense.Core/ # Analysis engines and detection logic
├── MalwareDefense.Service/ # Windows Service for background protection (runs as SYSTEM)
├── MalwareDefense.UI/ # WPF desktop application (MVVM, runs as normal user)
└── MalwareDefense.Tests/ # Unit and integration tests (NUnit 4)
Core analysis engines:
- PE Analysis: header parsing, entropy analysis, section inspection, import/export analysis, packer detection, and signature validation.
- Memory Analysis: shellcode detection, injected memory inspection, suspicious memory pattern scanning.
- Behavioral Analysis: API usage tracking, file system activity, registry persistence detection, process lifecycle monitoring.
- Guardian Service: real-time file system and registry monitoring.
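As an added example of the entropy analysis, section inspection and packer detection listed under PE Analysis (this is illustrative code, not the MalwareDefense project's own engine), the following C# walks a PE image's section table with the BCL's PEReader and flags sections by entropy, memory permissions and name. The 7.0 bits/byte threshold, the packer section-name list and the verdict strings are assumptions for illustration; by default it scans the runtime's own CoreLib so it runs anywhere .NET 9 is installed, or pass a path as the first argument.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection.PortableExecutable;

// Added example, not code from the MalwareDefense project: per-section Shannon entropy plus a
// small packer heuristic over a PE image, using only the BCL's PEReader. The threshold and the
// packer section-name list are illustrative assumptions, not the project's tuned values.
public static class SectionEntropyScanner
{
    public const double HighEntropyThreshold = 7.0; // bits/byte; compressed or encrypted data sits near 8.0
    private static readonly string[] PackerSectionNames =
        { "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida", ".vmp0", ".vmp1", ".petite" };

    public sealed record SectionReport(
        string Name, int RawSize, double Entropy, bool Executable, bool Writable, bool Truncated, string Verdict);

    // Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0.
    public static double ShannonEntropy(ReadOnlySpan<byte> data)
    {
        if (data.IsEmpty) return 0.0;
        Span<int> counts = stackalloc int[256];
        foreach (byte b in data) counts[b]++;
        double entropy = 0.0, length = data.Length;
        for (int i = 0; i < 256; i++)
        {
            if (counts[i] == 0) continue;
            double p = counts[i] / length;
            entropy -= p * Math.Log2(p);
        }
        return entropy;
    }

    public static IReadOnlyList<SectionReport> Scan(byte[] image)
    {
        var reports = new List<SectionReport>();
        using var pe = new PEReader(new MemoryStream(image)); // throws BadImageFormatException on non-PE input
        foreach (SectionHeader s in pe.PEHeaders.SectionHeaders)
        {
            int start = s.PointerToRawData, size = s.SizeOfRawData;
            // Never trust header offsets: malformed samples routinely point raw data past end-of-file.
            int usable = (start < 0 || size < 0 || start > image.Length) ? 0 : Math.Min(size, image.Length - start);
            bool truncated = usable != size;
            double entropy = usable > 0 ? ShannonEntropy(new ReadOnlySpan<byte>(image, start, usable)) : 0.0;
            bool exec = (s.SectionCharacteristics & SectionCharacteristics.MemExecute) != 0;
            bool write = (s.SectionCharacteristics & SectionCharacteristics.MemWrite) != 0;
            reports.Add(new SectionReport(s.Name, size, entropy, exec, write, truncated,
                Classify(s.Name, entropy, exec, write, truncated)));
        }
        return reports;
    }

    private static string Classify(string name, double entropy, bool exec, bool write, bool truncated)
    {
        if (truncated) return "malformed: raw data extends past end of file";
        foreach (string packer in PackerSectionNames)
            if (name.Equals(packer, StringComparison.OrdinalIgnoreCase)) return "known packer section name";
        if (exec && write) return "writable+executable section (unpacking stub or self-modifying code?)";
        if (exec && entropy >= HighEntropyThreshold) return "high-entropy code section (packed or encrypted?)";
        return "ok";
    }

    public static void Main(string[] args)
    {
        // Default sample: the runtime's own CoreLib, a managed PE present on every .NET install.
        string path = args.Length > 0 ? args[0] : typeof(object).Assembly.Location;
        Console.WriteLine($"{"Section",-10} {"RawSize",9} {"Entropy",8}  WX  Verdict");
        foreach (SectionReport r in Scan(File.ReadAllBytes(path)))
            Console.WriteLine($"{r.Name,-10} {r.RawSize,9} {r.Entropy,8:F3}  {(r.Writable ? 'W' : '-')}{(r.Executable ? 'X' : '-')}  {r.Verdict}");
    }
}
```

The heuristic is deliberately layered: a section whose raw data runs past end-of-file is reported as malformed before any entropy is computed, because corrupt headers are themselves a signal and must not crash the scanner; packer names are matched case-insensitively; and a writable-and-executable section is flagged regardless of entropy, since an unpacking stub writes decompressed code into exactly such a region before jumping to it.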
MalwareDefense integrates YARA scanning using the dnYara library and curated rules from Florian Roth (@Neo23x0).
Detection Coverage:
- Advanced Persistent Threats (APT28, APT29, Lazarus, SolarWinds, etc.)
- Rootkits and kernel-level techniques
- Webshells (PHP, ASPX, China Chopper, ReGeorg)
- Known exploits and offensive frameworks
Configuration Options:
- Max file size (default: 500 MB)
- Scan timeout (default: 120 seconds)
- Category toggles (APT / Rootkit / Webshell / Exploit)
- Compiled rule caching for performance
- Automatic fallback to legacy signature engine
See MalwareDefense.Core/Analysis/Signatures/Rules/README.md for rule documentation.
- Real-time dashboard with system status
- Manual and automated scan management
- Threat alert lifecycle management
- Secure quarantine browser
- Persistent alerts across restarts
- Dark / Light theme support
UI follows strict MVVM architecture with no business logic in code-behind.
Threat response:
- Secure file quarantine (encrypted at rest)
- Process termination and execution blocking
- Registry and persistence mitigation
- Real-time alerts with status tracking:
  - Active
  - Resolved
  - Quarantined
  - Ignored
  - False Positive
Configuration is managed via appsettings.json files:
```json
{
  "Security": {
    "EnableRealTimeProtection": true,
    "EnableHeuristicAnalysis": true,
    "ScanSensitivity": "Medium",
    "AutoQuarantine": false
  },
  "Performance": {
    "MaxConcurrentScans": 4,
    "ScanTimeoutSeconds": 30
  },
  "PEAnalysis": {
    "YaraConfiguration": {
      "UseYaraEngine": false
    }
  }
}
```
System-level exclusions are centrally managed in SystemProcessWhitelist.cs.
Minimum requirements:
- Windows 10 / 11 (64-bit)
- .NET 9.0
- 4 GB RAM
- Administrator privileges (needed to install and run the Windows Service, which runs as SYSTEM; the WPF UI runs as a normal user)
Recommended:
- Windows 11
- 8 GB RAM or more
- Multi-core CPU
Build:
```shell
git clone <repository-url>
cd MalwareDefenseFramework
dotnet restore
dotnet build
```
Run from Visual Studio (Recommended):
- Open MalwareDefenseFramework.sln in Visual Studio
- Set MalwareDefense.UI as the startup project
- Press F5 to run (no admin privileges required)
- The service process will auto-start in development mode
Run from Command Line:
```shell
# UI process (no admin required in development mode)
dotnet run --project MalwareDefense.UI
# Service process (auto-started by the UI in development mode);
# start it manually only when debugging the service:
dotnet run --project MalwareDefense.Service
```
Publish and install the Windows Service (from an elevated prompt, since the service runs as SYSTEM):
```powershell
dotnet publish -c Release -r win-x64 --self-contained
sc.exe create MalwareDefenseService binPath= "<path>\MalwareDefense.Service.exe"
sc.exe start MalwareDefenseService
```
Two details in the install commands matter: sc.exe requires the space after `binPath=` (it parses `binPath=` as the option name and the next argument as its value; without the space it prints usage help instead of creating the service), and the `.exe` suffix avoids Windows PowerShell's `sc` alias for Set-Content.
Performance optimizations:
- Adaptive scan throttling
- Incremental file scanning
- Result caching
- Smart exclusions
- Optimized async/thread usage
Designed to minimize system impact during continuous protection.
- Modular, event-driven architecture
- XML documentation for all public APIs
- Structured logging (Serilog)
- Secure cryptography (PBKDF2 key derivation at 600,000 iterations, the OWASP 2023 recommendation)
- Defensive coding against injection and privilege abuse
- Proper async disposal and memory safety
- Comprehensive unit and integration test suite
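The encrypted-at-rest quarantine listed under threat response and the 600,000-iteration PBKDF2 figure above, shown together as one added example. This is not the project's own quarantine implementation: the QuarantineVault class, the container layout, the "MDQ1" magic and the passphrase handling are assumptions made for illustration. The sample payload and paths are constructed.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not the MalwareDefense project's own quarantine code: a captured file sealed at
// rest with AES-256-GCM under a key derived by PBKDF2-HMAC-SHA256 at 600,000 iterations (the
// OWASP 2023 figure the README cites). Container layout and the "MDQ1" magic are assumptions:
//   magic(4) | salt(16) | nonce(12) | tag(16) | ciphertext(N)
public static class QuarantineVault
{
    public const int Pbkdf2Iterations = 600_000;
    private const int SaltSize = 16, NonceSize = 12, TagSize = 16, KeySize = 32;
    private static readonly byte[] Magic = Encoding.ASCII.GetBytes("MDQ1");

    public static byte[] Seal(byte[] plaintext, string passphrase, string originalPath)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh per record: GCM nonce reuse is fatal
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Pbkdf2Iterations, HashAlgorithmName.SHA256, KeySize);
        byte[] ciphertext = new byte[plaintext.Length], tag = new byte[TagSize];
        try
        {
            using var aes = new AesGcm(key, TagSize);
            // The original path rides along as associated data: a record cannot be re-labelled or
            // swapped for another sample without failing authentication on restore.
            aes.Encrypt(nonce, plaintext, ciphertext, tag, Encoding.UTF8.GetBytes(originalPath));
        }
        finally { CryptographicOperations.ZeroMemory(key); }

        using var ms = new MemoryStream();
        foreach (byte[] part in new[] { Magic, salt, nonce, tag, ciphertext }) ms.Write(part, 0, part.Length);
        return ms.ToArray();
    }

    public static byte[] Open(byte[] container, string passphrase, string originalPath)
    {
        int headerLen = Magic.Length + SaltSize + NonceSize + TagSize;
        if (container.Length < headerLen || !container.AsSpan(0, Magic.Length).SequenceEqual(Magic))
            throw new InvalidDataException("not a quarantine container");
        byte[] salt = container[Magic.Length..(Magic.Length + SaltSize)];
        ReadOnlySpan<byte> nonce = container.AsSpan(Magic.Length + SaltSize, NonceSize);
        ReadOnlySpan<byte> tag = container.AsSpan(Magic.Length + SaltSize + NonceSize, TagSize);
        ReadOnlySpan<byte> ciphertext = container.AsSpan(headerLen);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Pbkdf2Iterations, HashAlgorithmName.SHA256, KeySize);
        byte[] plaintext = new byte[ciphertext.Length];
        try
        {
            using var aes = new AesGcm(key, TagSize);
            // Any change to ciphertext, tag, nonce or label throws AuthenticationTagMismatchException
            // (a CryptographicException); nothing is handed back before the tag verifies.
            aes.Decrypt(nonce, ciphertext, tag, plaintext, Encoding.UTF8.GetBytes(originalPath));
        }
        finally { CryptographicOperations.ZeroMemory(key); }
        return plaintext;
    }

    public static void Main()
    {
        // Constructed sample: a fake captured payload and a passphrase stand in for the service's real
        // key material; the label is a made-up path, not a real sample.
        byte[] sample = Encoding.ASCII.GetBytes("constructed pseudo-malware sample payload");
        const string passphrase = "example-passphrase-replace-with-protected-key";
        const string originalPath = @"C:\Users\victim\Downloads\invoice.exe";

        byte[] container = Seal(sample, passphrase, originalPath);
        string quarantinePath = Path.Combine(Path.GetTempPath(), "invoice.exe.quar"); // non-executable extension
        File.WriteAllBytes(quarantinePath, container);

        byte[] restored = Open(File.ReadAllBytes(quarantinePath), passphrase, originalPath);
        Console.WriteLine($"restored intact: {restored.AsSpan().SequenceEqual(sample)}");

        byte[] tampered = (byte[])container.Clone();
        tampered[^1] ^= 0x01; // flip one ciphertext bit
        try { Open(tampered, passphrase, originalPath); Console.WriteLine("BUG: tampering not detected"); }
        catch (CryptographicException) { Console.WriteLine("tampered container rejected"); }
        try { Open(container, passphrase, @"C:\other\label.exe"); Console.WriteLine("BUG: relabelling not detected"); }
        catch (CryptographicException) { Console.WriteLine("relabelled container rejected"); }
    }
}
```

Points worth keeping when adapting this: the salt is per record, so 600,000 iterations are paid once per seal or restore rather than once per process; the key buffer is zeroed in a finally block on both paths; and the decrypt returns nothing until the GCM tag checks out, so a corrupted or swapped record can never be restored partially. In a service that runs as SYSTEM, a fixed passphrase would be the wrong design; the key should instead come from a store protected to that account (for example DPAPI at machine scope), which this example does not implement.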
Tests (MalwareDefense.Tests, NUnit 4; 11 unit tests passing, 13 integration tests):
- Core service testing (AnomalyDetector, RealTimeProtectionOrchestrator)
- ViewModel testing with UI thread support
- Mocking with Moq and FluentAssertions
Integration tests (available for manual execution):
- Full quarantine workflow (encryption/decryption validation)
- Threat detection end-to-end testing
- Firewall rule management workflows
Run tests:
```shell
dotnet test
```
Contributions are welcome. Please ensure:
- MVVM compliance (UI)
- Dependency injection (no direct instantiation)
- XML documentation on public members
- Secure coding practices
- No breaking architectural patterns
Open a pull request with a clear description of changes.
Licensed under the AGPLv3 License. See LICENSE for details.
Troubleshooting:
- Review application alerts
- Check logs in %LocalAppData%\MalwareDefenseFramework\Logs
- Open an issue for bugs or feature requests
MalwareDefense Framework — Modern, defensive malware protection for Windows.