Releases: CroatiaSecurity/Sentinel
v1.0.1 — Blind Spot Elimination
8 new monitors covering attack surfaces that were previously unmonitored:
| Monitor | Covers |
|---|---|
| VolumeMountMonitor | RAM disks, PMEM/DAX, VeraCrypt, VHD + dynamic FileActivityMonitor extension |
| WslMonitor | WSL process execution, attack tools, distro imports, staging via the `\\wsl$` share |
| EphemeralProcessMonitor | Processes that start and exit inside the 1-2 s WMI polling latency gap, recovered from Prefetch + Security Event 4688 |
| RawDiskAccessMonitor | Direct `\\.\PhysicalDriveN` I/O that bypasses the filesystem |
| NetworkShareMonitor | SMB lateral movement, admin share access, inbound sessions |
| SandboxEscapeMonitor | Docker/Sandbox/VM container escape indicators |
| AppDnsExfilMonitor | Application-level DoH bypass (non-browser embedded DNS-over-HTTPS) |
| PrintSpoolerMonitor | Print spool exfiltration, PrintNightmare indicators |
Key fix
VolumeMountMonitor dynamically extends FileActivityMonitor to newly mounted volumes, so staging on a RAM disk or PMEM volume is no longer invisible.
Build: 0 errors, 224 tests passing.
v1.0.0 — Stable Release
Windows Sentinel 1.0.0
Fixed — Monitor Conflict & Log Spam
BrowserDnsPolicyGuard vs NetworkInterfaceGuard DoH policy fight:
- Two monitors fought over the same registry value every 15 seconds, spamming ~5,760 Warning events/day to the Application Event Log
- NetworkInterfaceGuard no longer enforces DoH (BrowserDnsPolicyGuard is authoritative)
- Re-enforcement log demoted from Warning to Debug
BootIntegrityGuard UCPD.sys false positive:
- Microsoft's UCPD driver (part of Defender) triggered 'New Boot Driver Registered' every 60 seconds forever
- Added UCPD + 7 other Microsoft system drivers to the trusted allowlist
- Baseline now updates after alerting — each new driver only fires once
Full changelog: CHANGELOG.md
v0.9.9 — Agent ACL Fix
Fixed — Agent Crash on Non-Debloated Windows
The Agent crashed immediately on startup with UnauthorizedAccessException when the C:\ProgramData\WindowsSentinel\Quarantine directory was SYSTEM-owned (default on non-debloated Windows).
Root cause: the QuarantineManager constructor unconditionally called Directory.CreateDirectory(), which throws UnauthorizedAccessException for a non-elevated user. The Service (SYSTEM) creates the directory and restricts its ACL, so the Agent (user session) cannot access it.
Fix: graceful degradation. The Agent catches the exception, since it never performs quarantine operations (only the SYSTEM Service does).
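The split described above, as an added example (this is not Sentinel's own code): the SYSTEM service creates the quarantine directory and locks its ACL to SYSTEM and BUILTIN\Administrators, while the user-session Agent only probes the directory and reports it unavailable instead of throwing from its constructor. The class and member names, the `isService` flag and the probe method are assumptions; the directory path is the one named in the release note. The same locking routine is what the v0.9.3 "log directory ACLs locked to SYSTEM+Admins" item amounts to.

```csharp
// Added example, not Sentinel's own code. Names and the isService flag are assumptions.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public sealed class QuarantineManager
{
    public const string QuarantineDir = @"C:\ProgramData\WindowsSentinel\Quarantine";

    // False in the Agent when the directory is not reachable; quarantine calls are then refused.
    public bool QuarantineAvailable { get; }

    public QuarantineManager(bool isService)
    {
        if (isService)
        {
            // Service (SYSTEM): create and lock. Only this side ever writes into the directory.
            LockDirectoryToSystemAndAdmins(QuarantineDir);
            QuarantineAvailable = true;
            return;
        }

        // Agent (user session): never create the directory, never throw.
        QuarantineAvailable = CanRead(QuarantineDir);
    }

    public void Quarantine(string file)
    {
        if (!QuarantineAvailable)
            throw new InvalidOperationException("Quarantine is performed by the SYSTEM service only.");
        File.Move(file, Path.Combine(QuarantineDir, Path.GetFileName(file) + ".quarantined"));
    }

    // Probe access without creating anything. A denied or missing directory is a normal state
    // for the Agent on a stock (non-debloated) Windows install, not an error.
    private static bool CanRead(string path)
    {
        try
        {
            using var e = Directory.EnumerateFileSystemEntries(path).GetEnumerator();
            e.MoveNext();                               // first FindFirstFile call happens here
            return true;
        }
        catch (UnauthorizedAccessException) { return false; }
        catch (DirectoryNotFoundException) { return false; }
    }

    // Create the directory if needed and replace its DACL with SYSTEM + BUILTIN\Administrators only.
    // Must run as SYSTEM (or an admin): setting the owner to SYSTEM needs that identity or SeRestorePrivilege.
    public static void LockDirectoryToSystemAndAdmins(string path)
    {
        var di = new DirectoryInfo(path);
        di.Create();                                    // no-op if it already exists

        var system = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
        var admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

        var acl = new DirectorySecurity();
        // Cut inheritance from C:\ProgramData, which grants BUILTIN\Users create/append rights.
        acl.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
        foreach (var sid in new[] { system, admins })
        {
            acl.AddAccessRule(new FileSystemAccessRule(
                sid, FileSystemRights.FullControl,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None, AccessControlType.Allow));
        }
        acl.SetOwner(system);
        // On .NET Core/5+ this is the extension method from System.IO.FileSystem.AccessControl.
        di.SetAccessControl(acl);
    }
}
```

Because `CanRead` is called before the service may have created the directory, the Agent should treat `QuarantineAvailable == false` as expected and log it at Debug, not Warning.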
Full changelog: CHANGELOG.md
v0.9.8 — FP Reduction + Installer Fix
- Toast only shows on actual kills
- System Integrity excludes Sentinel/Kiro/Chrome/AppX
- Module growth excludes svchost/Taskmgr/explorer
- Attack Tool rule demoted to LogOnly
- Installer: takeown + ACL reset on both Program Files and (x86) paths
v0.9.7 — Isolation Response (ISO/Docker/VM)
Isolation Response Engine
Handles threats from environments where Sentinel can't inspect files directly:
ISO: Kill process → Dismount → Delete .iso source
Docker: Stop → Remove container → Remove image
VM: Hyper-V Stop-VM (WMI) / VBox+VMware process kill. VM files preserved.
Only triggers on Tier1 kill-authorized detections (President's Law rules).
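The three response paths, in the order the notes give them, as an added example (not Sentinel's own code): ISO is kill, dismount, delete the source; Docker is stop, remove container, remove image; Hyper-V is a hard power-off over WMI that leaves the VM's files on disk. Every path is gated on a Tier1 kill-authorized detection. The `Detection` record, the tier names, the helper names and the 30 s tool timeout are assumptions; `Dismount-DiskImage`, the `docker` CLI verbs and `Msvm_ComputerSystem.RequestStateChange` are real interfaces.

```csharp
// Added example, not Sentinel's own code. Detection record, tier names and helpers are assumptions.
using System;
using System.Diagnostics;
using System.IO;
using System.Management;   // NuGet package System.Management on .NET Core/5+

public enum DetectionTier { Tier1Kill, Tier2Alert, LogOnly }

public sealed record Detection(
    DetectionTier Tier, int Pid,
    string? IsoPath = null, string? ContainerId = null, string? ImageRef = null, string? VmName = null);

public static class IsolationResponse
{
    public static bool Handle(Detection d)
    {
        // Destructive responses only for kill-authorized Tier1 detections; everything else just logs.
        if (d.Tier != DetectionTier.Tier1Kill) return false;

        if (d.IsoPath is not null)     return IsolateIso(d.Pid, d.IsoPath);
        if (d.ContainerId is not null) return IsolateContainer(d.ContainerId, d.ImageRef);
        if (d.VmName is not null)      return IsolateHyperV(d.VmName);
        return false;
    }

    private static bool IsolateIso(int pid, string isoPath)
    {
        // 1. Kill the process running from the mounted image first; a dismount with open handles fails.
        //    PID reuse protection (start-time validation) belongs in front of this call.
        try { using var p = Process.GetProcessById(pid); p.Kill(); p.WaitForExit(5000); }
        catch (ArgumentException) { }                   // already gone
        catch (InvalidOperationException) { }           // exited during the call

        // 2. Dismount the volume through the Storage module cmdlet.
        var quoted = isoPath.Replace("'", "''");
        if (!RunTool("powershell.exe",
                $"-NoProfile -NonInteractive -Command \"Dismount-DiskImage -ImagePath '{quoted}'\""))
            return false;

        // 3. Remove the source file so the image cannot simply be re-mounted.
        File.Delete(isoPath);
        return true;
    }

    private static bool IsolateContainer(string containerId, string? imageRef)
    {
        // Stop, remove the container, then remove the image it was started from.
        if (!RunTool("docker", $"stop {containerId}")) return false;
        if (!RunTool("docker", $"rm -f {containerId}")) return false;
        return imageRef is null || RunTool("docker", $"rmi -f {imageRef}");
    }

    private static bool IsolateHyperV(string vmName)
    {
        // RequestStateChange(3) = Disabled: hard power-off. Nothing touches the VHDX,
        // so the VM's disk stays available for forensics.
        var scope = new ManagementScope(@"root\virtualization\v2");
        var query = new ObjectQuery(
            $"SELECT * FROM Msvm_ComputerSystem WHERE ElementName = '{vmName.Replace("'", "''")}'");
        using var searcher = new ManagementObjectSearcher(scope, query);
        foreach (ManagementObject vm in searcher.Get())
        {
            using var inParams = vm.GetMethodParameters("RequestStateChange");
            inParams["RequestedState"] = (ushort)3;
            using var outParams = vm.InvokeMethod("RequestStateChange", inParams, null);
            var rc = (uint)outParams["ReturnValue"];
            return rc == 0 || rc == 4096;               // 0 = completed, 4096 = job started
        }
        return false;                                   // no VM with that name
    }

    private static bool RunTool(string file, string args)
    {
        var psi = new ProcessStartInfo(file, args) { UseShellExecute = false, CreateNoWindow = true };
        using var p = Process.Start(psi)!;
        if (!p.WaitForExit(30_000)) { p.Kill(); return false; }
        return p.ExitCode == 0;
    }
}
```

The ISO and Docker paths shell out on purpose: the engine runs as SYSTEM, so the tool arguments are built only from values the detection already validated, and each step's exit code decides whether the next destructive step runs.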
Full changelog: CHANGELOG.md
v0.9.6 — AV-Clean Refactor
AV-Clean Refactor + DNS False Positive Fix
Binary cleanup (targeting 0/68 on VT):
- Removed TraceEvent NuGet (embedded VirtualAllocEx/ReadProcessMemory/NtQuerySystemInformation strings)
- Replaced CreateRemoteThread with QueueUserAPC for DLL unloading
- Removed VirtualQueryEx from MemoryBehaviorAnalyzer
- Fixed ClipBanker false positive (clipboard code restructured)
- Split all injection API detection strings via S() runtime concat
Source cleanup (GitHub zip download):
- LOLBin/LOLScript/LOLLib patterns split with S()
- .gitattributes excludes attack test files from zip
Bug fixes:
- DNS monitor no longer flags circl.lu/abuse.ch (own API traffic)
- EtwProcessMonitor delegates to WmiProcessMonitor (TraceEvent removed)
Full changelog: CHANGELOG.md
v0.9.5
Lazy file verdict tagging + AV-clean (no TraceEvent, no CreateRemoteThread)
Windows Sentinel v0.9.4
Composite Detections Restored (10 multi-signal correlations)
| Composite | Confidence |
|---|---|
| Active Ransomware Chain | 0.99 |
| Injected C2 Beacon | 0.98 |
| Credential Dump + Exfiltration | 0.96 |
| In-Memory Implant Active | 0.96 |
| Fileless Attack Chain | 0.95 |
| DGA + C2 Beaconing | 0.94 |
| Dropped Payload Active | 0.93 |
| Spoofed Process Phoning Home | 0.92 |
| Evasion + Persistence Install | 0.91 |
| Escalation + C2 Channel | 0.90 |
Docs Updated
- design.md: removed DeceptionEngine references (removed in v0.7.4 for AV compatibility)
- requirements.md: aligned composite table with implementation
- README: added multi-signal correlation to detection table
275 tests pass.
Windows Sentinel v0.9.3 — Security Audit
Full Security Audit — All Findings Fixed
No backdoors or malicious code found. 10 issues identified and fixed:
| Severity | Fix |
|---|---|
| HIGH | Installer reg import removed (supply chain risk) |
| MEDIUM | BeaconingDetector now monitors port 80/443 (C2 over HTTPS) |
| MEDIUM | Event rate limiter raised 100→1000/sec (flooding can no longer suppress forensic events) |
| MEDIUM | PID reuse protection (start time validation) |
| MEDIUM | Agent protection toggle requires confirmation dialog |
| MEDIUM | PowerShell -enc demoted to Tier2 unless combined with evasion |
| MEDIUM | TargetIP validated before firewall rule creation |
| LOW | Quarantine XOR → DPAPI encryption |
| LOW | async void → async Task (crash prevention) |
| LOW | Log directory ACLs locked to SYSTEM+Admins |
275 tests pass. See CHANGELOG.md for details.
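Two of the audit fixes above, PID reuse protection and TargetIP validation, as an added example (not Sentinel's own code). Both are checks that run immediately before a destructive response: a Windows PID is recycled quickly, so the pair (PID, start time) is the process identity rather than the PID alone; and an address is accepted for a firewall rule only in its canonical form, so untrusted text never reaches the rule. The 10 ms tolerance, the type and method names, and the exact set of rejected addresses are assumptions.

```csharp
// Added example, not Sentinel's own code. Tolerance, names and the rejected-address set are assumptions.
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Net;
using System.Net.Sockets;

public readonly record struct ProcessIdentity(int Pid, DateTime StartTimeUtc);

public static class ResponseGuards
{
    private static readonly TimeSpan StartTimeSlack = TimeSpan.FromMilliseconds(10);

    // Record at detection time, before any decision is made.
    public static ProcessIdentity Capture(Process p) => new(p.Id, p.StartTime.ToUniversalTime());

    // Returns the live Process only if it is the instance captured earlier; null if the PID is
    // gone or now belongs to a different process (recycled PID).
    public static Process? ResolveSameInstance(ProcessIdentity observed)
    {
        Process p;
        try { p = Process.GetProcessById(observed.Pid); }
        catch (ArgumentException) { return null; }          // no such PID any more

        try
        {
            var live = p.StartTime.ToUniversalTime();
            if ((live - observed.StartTimeUtc).Duration() <= StartTimeSlack) return p;
        }
        catch (InvalidOperationException) { }               // exited between lookup and read
        catch (Win32Exception) { }                          // access denied, e.g. a protected process

        p.Dispose();
        return null;
    }

    // Kill only the instance that was detected. False when the target is gone or replaced.
    public static bool TryKillSameInstance(ProcessIdentity observed)
    {
        using var p = ResolveSameInstance(observed);
        if (p is null) return false;
        p.Kill();
        return true;
    }

    // Accept only a concrete unicast remote address and hand back its canonical text, which is
    // the only form that may be placed into a firewall rule.
    public static bool TryGetBlockTarget(string targetIp, out string canonical)
    {
        canonical = string.Empty;
        if (string.IsNullOrWhiteSpace(targetIp) || !IPAddress.TryParse(targetIp.Trim(), out var ip))
            return false;
        if (ip.Equals(IPAddress.Any) || ip.Equals(IPAddress.IPv6Any) || ip.Equals(IPAddress.Broadcast))
            return false;
        if (IPAddress.IsLoopback(ip) || ip.IsIPv6Multicast || ip.IsIPv6LinkLocal)
            return false;
        if (ip.AddressFamily == AddressFamily.InterNetwork && ip.GetAddressBytes()[0] >= 224)
            return false;                                   // IPv4 multicast and reserved 240/4
        canonical = ip.ToString();                          // re-serialized, never the raw input
        return true;
    }
}
```

Capture the identity in the detector and pass the struct, not the bare PID, to the responder; a `false` from `TryKillSameInstance` should be logged as "target already gone or replaced", not treated as a failed kill.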
Windows Sentinel v0.9.2
Fixed
- Mouse cursor lag (proper Win32 message pump)
- Hook unhook on correct thread with native thread ID
- Toast notifications only on kill/block/quarantine
Added
- SignerTrustService (Authenticode-based trust)
- 20 attack pattern integration tests
- PersistentConnectionMonitor signer trust integration
See CHANGELOG.md for details.