Every layer of the engine.
IronWall stacks four independent detection methods, then locks anything it finds inside an encrypted vault that can't re-execute.
Real protection. No marketing fluff.
Every feature below runs locally. Your files never leave your device.
Daily-updated MalwareBazaar feed, hashed and indexed locally for instant lookup.
Pattern-based detection from Reversinglabs, signature-base, and the IronWall starter pack.
20-feature PE classifier (EMBER-style) catches threats no signature has seen yet.
Watches Downloads, Desktop, and other risky paths and scans new files the moment they land.
Folder-protection sliding-window detector flags mass-encryption behavior before it spreads.
Detected threats are sealed with AES-256-GCM. They can't re-execute and they can't escape.
Block known malicious domains and phishing hosts at the resolver level.
Inspects autoruns, scheduled tasks, services, and the running process tree, not just files.
Built for paranoid users.
Every detection layer runs locally. Every quarantined file is AES-256-GCM encrypted with a per-install key. The cloud signature feed is the only network call — everything else stays on your disk.
AES-256-GCM per file. Metadata bound into the auth tag — DB tampering breaks decrypt. Per-install key, DPAPI-wrapped on Windows.
1.08M SHA-256 signatures + 506 YARA rules + EMBER-style ML on PE features + sliding-window anti-ransomware. Four chances to catch a sample.
No user accounts, no analytics SDKs, no fingerprinting, no cookies. The only outbound request is a signature manifest fetch over HTTPS.
MIT licensed. When the repo lands publicly you can audit every detection layer, every network call, every line of the updater.
Every release publishes its SHA-256 and an Ed25519 signature. The auto-updater refuses to install anything that doesn't match.
Pick how aggressive the engine is per severity: Off, High+Critical only, prompt on High, or aggressively quarantine anything suspicious.