As promised, OmniDefender Version 1.4 is finally being released with MAJOR changes focusing entirely on Real Time Protection!

What's new in Real Time Protection:

- Real Time Protection now blocks malware at the earliest possible layer in the kernel, replacing the suspend-and-block method of previous versions. Threats blocked during Static Analysis are no longer suspended; they are denied execution completely.
- Real Time Protection's stability issues have been fixed. The crashes were not caused by Real Time Protection itself but by a library it called, tlsh.dll. Looking at TLSH's open source code, under certain edge cases (empty reads, unexpected states, or concurrent calls) TLSH_Final/TLSH_GetHash could return an invalid state and crash. Our usage of TLSH wasn't optimal either, so we've hardened it with strict guards (only finalize after data has been fed in, null/length checks on the returned hash, defensive error handling) and made the code safe under heavy concurrency. This issue has been fixed since the 15th of August; we decided to finish implementing and testing the new features below before releasing.
- For long-term stability and best practice, Real Time Protection's engine has been separated into multiple processes: OmniDocumentsEngine, OmniExternalRules, OmniGradientBoostedEngine, OmniReputationEngine, OmniSRPEngine and OmniStaticRulesEngine. Engine separation isolates any issue encountered while inferencing an unknown file, preventing further cases like tlsh.dll: each engine runs in its own process, isolated from Real Time Protection, whereas a dynamic library shares the memory of the host process that calls it, so a fault inside the DLL can take the host process down too.
- As a result of engine separation, Real Time Protection now continues to run entirely in the background even if the main application is closed.
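The two points above (process isolation instead of an in-process DLL, and strict guards around the hash library's output) are illustrated by the following added Python example. It is not OmniDefender's code: the per-engine executable is stood in for by a small script run in a child process, SHA-256 stands in for the native similarity hash, and the crash is simulated through an environment variable named SIMULATE_ENGINE_CRASH, chosen for this example.

```python
import os
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a separated engine process. In the real product each
# engine is its own executable; here it is a tiny script run under the Python
# interpreter, so a fault inside it ends only the child, never the host.
ENGINE_SCRIPT = r"""
import hashlib, os, sys
data = sys.stdin.buffer.read()
if os.environ.get("SIMULATE_ENGINE_CRASH") == "1":
    os._exit(134)   # mimic the native library faulting: abnormal exit, no output
if len(data) == 0:
    sys.exit(2)     # guard: never finalize a hash over an empty read
sys.stdout.write(hashlib.sha256(data).hexdigest())
"""

HEX_DIGEST_LEN = 64   # SHA-256 hex length; mirrors the "length check on the returned hash"


@dataclass
class EngineResult:
    status: str            # "ok", "empty-input", "engine-crashed", "engine-timeout", "invalid-hash"
    digest: Optional[str]


def run_engine_isolated(data: bytes, simulate_crash: bool = False,
                        timeout: float = 15.0) -> EngineResult:
    """Run the engine in a child process and turn every failure into a status value.

    The host only ever sees an exit code and some bytes; a crash in the engine
    cannot propagate into the host's address space the way a DLL fault would.
    """
    env = dict(os.environ)
    if simulate_crash:
        env["SIMULATE_ENGINE_CRASH"] = "1"
    try:
        proc = subprocess.run([sys.executable, "-c", ENGINE_SCRIPT], input=data,
                              capture_output=True, env=env, timeout=timeout)
    except subprocess.TimeoutExpired:
        return EngineResult("engine-timeout", None)
    if proc.returncode == 2:
        return EngineResult("empty-input", None)
    if proc.returncode != 0:
        return EngineResult("engine-crashed", None)
    digest = proc.stdout.decode("ascii", errors="replace").strip()
    # Null/length check on what came back before anyone downstream uses it.
    if len(digest) != HEX_DIGEST_LEN or any(c not in "0123456789abcdef" for c in digest):
        return EngineResult("invalid-hash", None)
    return EngineResult("ok", digest)


def scan_many(samples: List[bytes], workers: int = 4) -> List[str]:
    """Hash many samples concurrently; every call gets its own engine process."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [r.status for r in pool.map(run_engine_isolated, samples)]


if __name__ == "__main__":
    print(run_engine_isolated(b"MZ\x90\x00 constructed sample"))
    print(run_engine_isolated(b"anything", simulate_crash=True))
    print(scan_many([b"a", b"", b"b"]))
```

Spawning one process per request is deliberately heavier than a long-lived engine process with a request pipe; it keeps the example short while still showing the property that matters: the caller gets a status, not a crash.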
- Real Time Protection's generalization performance against unknown malware and variants has been greatly improved by adding 3 new detection layers to OmniDefender's malware detection:
  1. Policy Gate: Prohibits unknown or untrusted processes from running out of high-risk locations on the system.
  2. Static Rules: An always-on rules engine that evaluates the PE feature set and extracted strings against a compact rule pack. Each rule expresses a clear condition. The engine flattens the features it needs, intersects tokens from the file with a curated dictionary, and counts combinations when several related atoms fire.
  3. SRP Engine: A custom locality sensitive hashing (LSH) technique that turns high-dimensional PE features into a few compact bit signatures so that similar files land close together (small Hamming distance). It uses machine learning and replaces TLSH.

We've also implemented a completely new detection method in addition to Real Time Protection. OmniGuard is our Windows minifilter kernel-mode behavior engine. It continuously monitors processes, malicious commands and registry activity to block attacks, and automatically backs up files modified or deleted by an untrusted process.

What's new in Behavioral Analysis:

- Dynamic Ransomware Protection: Monitors the system for suspicious activity characteristic of ransomware; OmniGuard denies further writes and terminates the malicious offender. Events are raised for regular writes and even paging write flushes, so encryption runs can't hide behind the cache.
- Automatic Backups Before Change: Before any edit, delete or overwrite, originals are backed up to a secure restore area for one-click recovery in the UI.
- Boot MBR and GPT Safeguards: Blocks raw write attempts from untrusted processes to disks and volume roots. This prevents bootkits, MBR/GPT clobbering and low-level tampering that could brick the system or erase recovery points.
- Process Burst and LOLBin Controls.
  Droppers and wipers often spawn a storm of children or hide behind built-in Windows tools. OmniGuard watches the parent-child chain and stops these bursts at the source. If an unknown process rapidly fans out, or invokes high-risk Windows utilities with suspicious arguments or user-writable targets, execution is cut, the process tree is terminated, and a clear reason is logged for the Incidents view.
- Registry Protection: Registry Guard denies common malicious registry activity such as Run/RunOnce and legacy Load/Run entries, Explorer StartupApproved flips, Winlogon Shell/Userinit swaps, IFEO "Debugger" and SilentProcessExit chains, AeDebug redirection, AppInit_DLLs enable/set, protocol handler hijacks for http/https, per-user COM InProcServer32 and PersistentHandler, and much more.
- Malicious Command Protection: A command-line gate that inspects creation-time arguments and parent chains before a process runs, then monitors its early behavior to catch a wide variety of LOLBin abuse.

Real Time Protection UI features:

- Real Time Protection now only displays the "Active" state when all engines are running. If any engine is terminated while Real Time Protection is ON, it immediately turns OFF. This ensures Real Time Protection is only reported active when all of its dependencies are active.
- A new Incidents tab in Real Time Protection displays every threat detected: date of detection, file name, full path, the detection layer that was triggered, and version information of the blocked threat.
- Status Indicators: Three dynamic indicators now appear at the top right of Real Time Protection: Static, Behavioral and System. Static refers to Static Analysis, Behavioral to the behavioral kernel driver, and System to the system watcher. Green means active and running; red means it failed to activate or has been terminated; grey means it is OFF.
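The Policy Gate and Static Rules layers described under Real Time Protection above, as an added Python example that is not OmniDefender's code. The high-risk locations, the curated dictionary, the rule pack, the entropy cut-off and the score threshold are all constructed for the illustration, as are the two feature sets it evaluates.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, FrozenSet, List, Set

# ---- Layer 1: Policy Gate ----------------------------------------------------
# High-risk launch locations (constructed; the release notes do not list them).
HIGH_RISK_LOCATIONS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\"),
    re.compile(r"^c:\\users\\[^\\]+\\downloads\\"),
    re.compile(r"^c:\\users\\public\\"),
    re.compile(r"^c:\\windows\\temp\\"),
    re.compile(r"^c:\\programdata\\"),
]


def normalize_path(path: str) -> str:
    """Lower-cased, backslash-separated form so the prefix rules are case-insensitive."""
    return str(PureWindowsPath(path)).lower()


def policy_gate(image_path: str, trusted: bool) -> str:
    """Deny unknown/untrusted images that start from a high-risk location; trusted ones pass."""
    if trusted:
        return "allow"
    normalized = normalize_path(image_path)
    if any(rx.match(normalized) for rx in HIGH_RISK_LOCATIONS):
        return "deny:policy-gate"
    return "allow"


# ---- Layer 2: Static Rules ---------------------------------------------------
# Curated dictionary of atoms: lower-cased import names, string tokens and derived
# flags. Constructed for the example; a real pack is far larger.
CURATED_DICTIONARY: Set[str] = {
    "virtualallocex", "writeprocessmemory", "createremotethread", "ntunmapviewofsection",
    "isdebuggerpresent", "checkremotedebuggerpresent", "ntqueryinformationprocess",
    "vssadmin", "shadows", "bcdedit", "recoveryenabled",
    "urldownloadtofilea", "internetopenurla", "winexec", "high_entropy_section",
}


@dataclass(frozen=True)
class Rule:
    name: str
    atoms: FrozenSet[str]   # related atoms that tend to appear together
    min_hits: int           # how many of them must fire before the rule counts
    weight: int


RULE_PACK: List[Rule] = [
    Rule("remote-memory-write-chain",
         frozenset({"virtualallocex", "writeprocessmemory", "createremotethread", "ntunmapviewofsection"}), 3, 60),
    Rule("debugger-evasion",
         frozenset({"isdebuggerpresent", "checkremotedebuggerpresent", "ntqueryinformationprocess"}), 2, 20),
    Rule("recovery-tampering-strings",
         frozenset({"vssadmin", "shadows", "bcdedit", "recoveryenabled"}), 2, 50),
    Rule("packed-downloader",
         frozenset({"high_entropy_section", "urldownloadtofilea", "internetopenurla", "winexec"}), 2, 40),
]
MALICIOUS_THRESHOLD = 50          # constructed
TOKEN_RX = re.compile(r"[a-z0-9_]+")


def flatten_features(features: Dict) -> Set[str]:
    """Reduce the extracted PE feature set to one flat token set the rules can intersect."""
    tokens: Set[str] = set()
    for imp in features.get("imports", []):
        tokens.add(imp.split("!")[-1].lower())        # "kernel32.dll!VirtualAllocEx" -> "virtualallocex"
    for s in features.get("strings", []):
        tokens.update(TOKEN_RX.findall(s.lower()))
    if any(e >= 7.5 for e in features.get("section_entropy", {}).values()):
        tokens.add("high_entropy_section")             # derived atom: near-maximal entropy suggests packing
    return tokens


def evaluate_static_rules(features: Dict) -> Dict:
    present = flatten_features(features) & CURATED_DICTIONARY    # intersect with the dictionary
    fired: Dict[str, List[str]] = {}
    score = 0
    for rule in RULE_PACK:
        hits = rule.atoms & present
        if len(hits) >= rule.min_hits:                             # several related atoms fired together
            fired[rule.name] = sorted(hits)
            score += rule.weight
    verdict = "malicious" if score >= MALICIOUS_THRESHOLD else ("suspicious" if score else "clean")
    return {"atoms": sorted(present), "fired": fired, "score": score, "verdict": verdict}


# Constructed feature sets, shaped like what a PE feature extractor would emit.
SUSPECT_FEATURES = {
    "imports": ["kernel32.dll!VirtualAllocEx", "kernel32.dll!WriteProcessMemory",
                "kernel32.dll!CreateRemoteThread", "kernel32.dll!IsDebuggerPresent"],
    "strings": ["vssadmin delete shadows", r"C:\Users\Public\svc.exe"],
    "section_entropy": {".text": 6.2, "UPX1": 7.9},
}
BENIGN_FEATURES = {
    "imports": ["kernel32.dll!CreateFileW", "user32.dll!MessageBoxW"],
    "strings": ["Hello, world", "Settings"],
    "section_entropy": {".text": 5.8},
}

if __name__ == "__main__":
    print(policy_gate(r"C:\Users\alice\AppData\Local\Temp\setup.exe", trusted=False))
    print(evaluate_static_rules(SUSPECT_FEATURES))
    print(evaluate_static_rules(BENIGN_FEATURES))
```

The point of `min_hits` is the "counts combinations" behaviour: a single import such as IsDebuggerPresent is common in clean software and on its own scores nothing; the rule only contributes once several of its related atoms are present in the same file.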
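The SRP Engine layer above is an LSH that maps high-dimensional PE features to short bit signatures whose Hamming distance tracks similarity. The release notes do not expand "SRP"; the added Python example below assumes the standard sign-random-projection construction and does not reproduce any learned component. It is not OmniDefender's code, and the feature scheme, the 128-bit width and the three sample files are constructed for the illustration.

```python
import hashlib
import math
from typing import Dict, List, Tuple

NBITS = 128   # signature width; constructed choice for the example


def _hyperplane_component(bit: int, feature: str) -> float:
    """Deterministic pseudo-random component in [-1, 1) of random hyperplane `bit`
    along dimension `feature`. Deriving it by hashing the pair means no
    (vocabulary x NBITS) matrix is ever stored, so the feature space can be as
    wide as every import, section name and string ever seen. Uniform rather than
    Gaussian components keep the example short; the angle estimate below is then
    approximate."""
    h = hashlib.blake2b(f"{bit}:{feature}".encode("utf-8"), digest_size=8).digest()
    return int.from_bytes(h, "big") / 2 ** 63 - 1.0


def pe_features(imports, sections, strings) -> Dict[str, float]:
    """Sparse feature vector: each token is one dimension with unit weight (constructed scheme)."""
    feats: Dict[str, float] = {}
    for prefix, items in (("imp", imports), ("sec", sections), ("str", strings)):
        for item in items:
            feats[f"{prefix}:{item.lower()}"] = 1.0
    return feats


def srp_signature(features: Dict[str, float], nbits: int = NBITS) -> int:
    """Sign random projection: bit i is set when the vector lies on the positive side of hyperplane i."""
    sig = 0
    for bit in range(nbits):
        projection = sum(w * _hyperplane_component(bit, f) for f, w in features.items())
        if projection > 0:
            sig |= 1 << bit
    return sig


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def estimated_cosine(a: int, b: int, nbits: int = NBITS) -> float:
    """For random hyperplanes P(bit differs) = angle / pi, so distance estimates the angle."""
    return math.cos(math.pi * hamming(a, b) / nbits)


def nearest(index: Dict[str, int], query: int, max_distance: int) -> List[Tuple[str, int]]:
    """All indexed signatures within `max_distance` bits of `query`, closest first."""
    hits = [(name, hamming(sig, query)) for name, sig in index.items()]
    return sorted((h for h in hits if h[1] <= max_distance), key=lambda h: h[1])


# Constructed samples: a base file, a recompiled variant (three tokens changed)
# and an unrelated GUI program that shares only the usual section names.
SAMPLE_BASE = pe_features(
    imports=["kernel32!CreateFileW", "kernel32!ReadFile", "kernel32!WriteFile", "kernel32!VirtualAlloc",
             "advapi32!RegOpenKeyExW", "advapi32!RegSetValueExW", "ws2_32!connect", "ws2_32!send",
             "ws2_32!recv", "user32!GetForegroundWindow"],
    sections=[".text", ".rdata", ".data", ".rsrc"],
    strings=["Software\\Microsoft\\Windows\\CurrentVersion\\Run", "cmd.exe", "%TEMP%",
             "update", "POST /gate.php", "Mozilla/5.0"],
)
SAMPLE_VARIANT = pe_features(
    imports=["kernel32!CreateFileW", "kernel32!ReadFileEx", "kernel32!WriteFile", "kernel32!VirtualAlloc",
             "advapi32!RegOpenKeyExW", "advapi32!RegSetValueExW", "ws2_32!connect", "ws2_32!send",
             "ws2_32!WSARecv", "user32!GetForegroundWindow"],
    sections=[".text", ".rdata", ".data", ".rsrc"],
    strings=["Software\\Microsoft\\Windows\\CurrentVersion\\Run", "cmd.exe", "%TEMP%",
             "upd_svc", "POST /gate.php", "Mozilla/5.0"],
)
SAMPLE_UNRELATED = pe_features(
    imports=["user32!MessageBoxW", "user32!CreateWindowExW", "user32!DefWindowProcW", "gdi32!TextOutW",
             "gdi32!SelectObject", "comdlg32!GetOpenFileNameW", "comctl32!InitCommonControlsEx",
             "kernel32!GetModuleHandleW", "kernel32!LoadLibraryW", "shell32!ShellExecuteW"],
    sections=[".text", ".rdata", ".data", ".rsrc"],
    strings=["Open", "Save As", "Font", "Untitled", "About", "Help"],
)

if __name__ == "__main__":
    base, variant, other = (srp_signature(s) for s in (SAMPLE_BASE, SAMPLE_VARIANT, SAMPLE_UNRELATED))
    print("base~variant:", hamming(base, variant), "base~unrelated:", hamming(base, other))
    print(nearest({"base": base, "variant": variant, "unrelated": other}, base, NBITS // 4))
```

Storing 128 bits per file instead of the full feature vector is what makes "similar files land close together" cheap to exploit at scan time: a lookup is a popcount over XORed integers, and a cut-off on the distance doubles as a similarity threshold.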
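The Process Burst and LOLBin Controls and Registry Protection behaviours described above, as an added Python example of the decision logic run over constructed process-creation and registry-write events. It is not OmniGuard's code (the real engine is a kernel minifilter; this is user-mode logic over an event stream), and the burst thresholds, the utility list, the path patterns and the protected-key patterns are constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

BURST_WINDOW_SEC = 2.0   # constructed thresholds; the release notes give none
BURST_THRESHOLD = 5

# Built-in utilities commonly used to run other content; constructed list.
HIGH_RISK_UTILITIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "certutil.exe", "powershell.exe"}
USER_WRITABLE_RX = re.compile(r"(appdata\\local\\temp|\\downloads\\|\\users\\public\\|%temp%|\\programdata\\)", re.I)
REMOTE_RX = re.compile(r"https?://", re.I)

# Registry locations the release notes list as guarded, as (key pattern, value names or None = any).
PROTECTED_KEYS: List[Tuple[re.Pattern, Optional[Set[str]]]] = [
    (re.compile(r"\\currentversion\\(run|runonce)$", re.I), None),
    (re.compile(r"\\explorer\\startupapproved\\[^\\]+$", re.I), None),
    (re.compile(r"\\windows nt\\currentversion\\winlogon$", re.I), {"shell", "userinit"}),
    (re.compile(r"\\image file execution options\\[^\\]+$", re.I), {"debugger"}),
    (re.compile(r"\\silentprocessexit\\[^\\]+$", re.I), None),
    (re.compile(r"\\windows nt\\currentversion\\aedebug$", re.I), {"debugger"}),
    (re.compile(r"\\windows nt\\currentversion\\windows$", re.I), {"appinit_dlls", "loadappinit_dlls"}),
    (re.compile(r"\\classes\\https?\\shell\\open\\command$", re.I), None),
    (re.compile(r"\\classes\\clsid\\\{[^}]+\}\\inprocserver32$", re.I), None),
]


@dataclass
class ProcEvent:
    ts: float
    pid: int
    ppid: int
    image: str
    cmdline: str
    trusted: bool       # e.g. signed by a trusted publisher or known-good reputation


@dataclass
class RegEvent:
    ts: float
    pid: int
    key: str
    value: str


@dataclass
class Decision:
    action: str         # "allow", "block" (child never starts) or "terminate-tree"
    reason: str


class BehaviorGuard:
    def __init__(self) -> None:
        self.trusted: Dict[int, bool] = {}
        self.children: Dict[int, Deque[float]] = defaultdict(deque)
        self.incident_log: List[str] = []

    def register_process(self, pid: int, trusted: bool) -> None:
        """Seed the table with processes that were already running."""
        self.trusted[pid] = trusted

    def _deny(self, action: str, reason: str) -> Decision:
        self.incident_log.append(reason)      # the clear reason shown in the incident view
        return Decision(action, reason)

    def on_process(self, ev: ProcEvent) -> Decision:
        self.trusted[ev.pid] = ev.trusted
        if self.trusted.get(ev.ppid, False):  # unknown parent is treated as untrusted
            return Decision("allow", "trusted parent")
        # Creation-time argument gate: a signed utility launched by an untrusted parent
        # with a user-writable or remote target is cut before it runs.
        image = ev.image.rsplit("\\", 1)[-1].lower()
        if image in HIGH_RISK_UTILITIES and (USER_WRITABLE_RX.search(ev.cmdline) or REMOTE_RX.search(ev.cmdline)):
            return self._deny("block", f"{image} from untrusted parent {ev.ppid} with suspicious target: {ev.cmdline}")
        # Burst control: count this parent's children inside a sliding window.
        window = self.children[ev.ppid]
        window.append(ev.ts)
        while window and ev.ts - window[0] > BURST_WINDOW_SEC:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            return self._deny("terminate-tree", f"parent {ev.ppid} spawned {len(window)} children in {BURST_WINDOW_SEC}s")
        return Decision("allow", "no behavioral trigger")

    def on_registry(self, ev: RegEvent) -> Decision:
        if self.trusted.get(ev.pid, False):
            return Decision("allow", "trusted process")
        for key_rx, values in PROTECTED_KEYS:
            if key_rx.search(ev.key) and (values is None or ev.value.lower() in values):
                return self._deny("block", f"untrusted pid {ev.pid} wrote protected key {ev.key}\\{ev.value}")
        return Decision("allow", "key not protected")


def run_constructed_scenario() -> List[str]:
    """Replay a constructed event sequence and return the action taken for each event."""
    guard = BehaviorGuard()
    guard.register_process(100, True)                 # explorer.exe, already running, trusted
    temp = r"C:\Users\alice\AppData\Local\Temp"
    events = [
        ProcEvent(1.0, 200, 100, temp + r"\dropper.exe", "dropper.exe", False),
        ProcEvent(1.2, 201, 200, r"C:\Windows\System32\rundll32.exe",
                  f"rundll32.exe {temp}\\payload.dll,Start", True),    # signed utility, untrusted parent
    ]
    events += [ProcEvent(1.3 + 0.1 * i, 210 + i, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo", True)
               for i in range(BURST_THRESHOLD)]
    actions = [guard.on_process(e).action for e in events]
    reg_events = [
        RegEvent(2.0, 200, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater"),
        RegEvent(2.1, 100, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"),
        RegEvent(2.2, 200, r"HKCU\Software\Vendor\App", "Theme"),
    ]
    actions += [guard.on_registry(e).action for e in reg_events]
    return actions
```

Two details carry the security value: trust is decided by the parent chain, so a signed Microsoft utility is still stopped when an untrusted process drives it, and the sliding window counts children per parent, so the fifth child of a burst is denied even though each individual launch looks ordinary.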
- OmniTray: Adds a system tray icon for OmniDefender that lets you check whether Real Time Protection is currently running without opening the main application. The tray also lets you turn Real Time Protection ON or OFF directly.
- Ransomware Rollback (Experimental): Adds an Emergency Recovery button which recovers files that have been modified, encrypted or deleted by unknown processes, using the backups taken by the Behavioral Analysis kernel driver. NOTE: Ransomware Rollback is an experimental feature and is still under development.

Further updates will be released monthly or bi-monthly, but heavily tested to guarantee functionality, stability and performance rather than fast, rushed releases.

OmniDefender Version 1.5 will release on the 7th November 2025 and will implement the following features, among others:

- Fundamentally rework Smart Scan in the same way as Real Time Protection: it will scan the registry for malicious keys, scan faster, have a more interactive UI and significantly better detection performance.
- Analyze malicious non-portable-executable files heuristically, such as documents, scripts and more.
- Network Kernel Driver: A new driver that monitors malicious network activity and blocks threats behaviorally.
- Fix the CPU Performance page, which fails to calculate the current CPU temperature and power in real time. This feature is limited to Intel CPUs for the time being.
- Fix any issues arising from the release of OmniDefender Version 1.4.

Verification:

Installer SHA-256: d18326e4333151bea6ebbbba8e615d43328ec1fd59ba918c6324152eb69fd86d
OmniDefender.exe SHA-256: fdd02119bb7f4d2d62e935b707948ff7a343601d7a69d95e1da49b88cf6c6baa
Real Time Protection.dll SHA-256: 23019fdc486583518de2b613714b3acd57818ca6a4976248323640dfb5d08412

Drivers:
OmniGuard SHA-256: bd8df1ce66887c3bff2945f30182e216ce11bebf70d7a8207f43768ef97a5944
OmniGuardProcessGate SHA-256: 7c165775caf5096e96c84784fcc97b1acbd36216de4d964826faae0465dd9d3b
OmniWatcher SHA-256: 935738a534264ee5f81f694dc594b37e7acc4631cc49fc1c977a2bf15923e0a8
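A way to check the downloaded files against the published SHA-256 values above, as an added Python example that is not part of the release. The published digests are copied from the notes; the file paths are supplied by the caller, and the artifact names used as keys are the labels from the Verification list.

```python
import hashlib
import hmac
from typing import Dict

# Published SHA-256 values copied from the release notes above.
PUBLISHED_SHA256: Dict[str, str] = {
    "Installer": "d18326e4333151bea6ebbbba8e615d43328ec1fd59ba918c6324152eb69fd86d",
    "OmniDefender.exe": "fdd02119bb7f4d2d62e935b707948ff7a343601d7a69d95e1da49b88cf6c6baa",
    "Real Time Protection.dll": "23019fdc486583518de2b613714b3acd57818ca6a4976248323640dfb5d08412",
    "OmniGuard": "bd8df1ce66887c3bff2945f30182e216ce11bebf70d7a8207f43768ef97a5944",
    "OmniGuardProcessGate": "7c165775caf5096e96c84784fcc97b1acbd36216de4d964826faae0465dd9d3b",
    "OmniWatcher": "935738a534264ee5f81f694dc594b37e7acc4631cc49fc1c977a2bf15923e0a8",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large installers and drivers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Normalize case and surrounding whitespace (typical of a copy-paste) and compare."""
    actual = actual_hex.strip().lower()
    expected = expected_hex.strip().lower()
    return len(expected) == 64 and hmac.compare_digest(actual, expected)


def verify_artifact(name: str, path: str) -> bool:
    """True when the file at `path` matches the published digest for artifact `name`."""
    return digest_matches(sha256_file(path), PUBLISHED_SHA256[name])


if __name__ == "__main__":
    import sys
    artifact, file_path = sys.argv[1], sys.argv[2]       # e.g. "OmniDefender.exe" C:\path\to\OmniDefender.exe
    print("OK" if verify_artifact(artifact, file_path) else "MISMATCH")
```

Run it once per downloaded file; a MISMATCH means the file is not the one the notes describe, whether through a corrupted download or a modified copy, and should not be installed.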