Public v1 • Local-only by default • Black/Red build

SilentHelm

Local-first ransomware & bad-behavior guard for Windows.
Runs in your system tray, watches high-value folders, uses canary files for high-confidence alerts, and generates clean HTML reports with Security Status + Incident Cards (last 24h).

At a glance
Windows • Tray • Local-first

SilentHelm is not a full antivirus replacement. It’s an explainable, local-first “second set of eyes” that helps you spot suspicious behavior early.

  • Tray menu: Status, Run Report, Reload Config, Open Logs, Exit
  • Canary file protection (high-confidence alert)
  • Mass file-change detection (burst heuristics)
  • Local incident bundles + readable HTML report
Runs quietly
Tray-based monitoring

Always available, lightweight, and designed to be understandable.

Detection style
Behavioral + canaries

Focuses on patterns (bursts, suspicious process launches, and canary touches)—not signature matching.

Telemetry
Local-only

Logs, incidents, and reports are stored locally under your profile. No cloud by default.

Features

A small, realistic security tool for Windows that aims to be useful for normal users and power users.

Core capabilities
  • Tray UX: Status tooltip + one-click report generation.
  • Canary file protection: high-confidence alert when protected files are touched.
  • Folder monitoring: watches Desktop/Documents/Downloads by default.
  • File burst heuristics: mass change waves that can match ransomware patterns.
  • Process heuristics: suspicious launch patterns (script engines, encoded commands, abused tools).
  • Incident rate-limit: avoids spamming your disk during noisy periods.
Tray menu actions
| Action | What it does |
|---|---|
| Status | Shows the current state (last 24h summary) in the tooltip. |
| Run report | Generates the HTML report and opens it in your default browser. |
| Reload | Reloads SilentHelm.config.json and applies changes. |
| Open log file | Opens SilentHelm.log.jsonl in your default editor. |
| Exit | Stops monitoring and exits cleanly. |
Severity model (simple & explainable)
CRITICAL High-confidence or fast-destructive signals (treat as urgent).
HIGH Strong ransomware-like behavior or major risk indicators.
MEDIUM Suspicious behavior that deserves review.
LOW Low-signal events that help tell the story.

How it works

SilentHelm is designed to be practical: collect local signals, raise explainable alerts, and present them in a clean report.

1. Observe

Watches high-value folders and new process launches for behavior patterns commonly used in real attacks.

  • Desktop / Documents / Downloads monitoring
  • Process launch heuristics (e.g., encoded commands)
2. Detect

Detects file bursts and canary touches, then creates a local incident record (rate-limited).

  • Mass file changes (burst thresholds)
  • Canary file touch = high-confidence alert
3. Report

Generates a clean HTML report with Security Status + Incident Cards, including “what to do now” guidance.

  • Local HTML report (last 24h)
  • Incidents + collapsible technical details
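
A minimal sketch of the Detect step described above, added here as an illustration and not SilentHelm's own code: a sliding-window burst check, a canary check, and a per-kind incident rate limit. The thresholds, the canary path, the event tuple shape, and the mapping of canary touches to CRITICAL and bursts to HIGH are all assumptions.

```python
from collections import deque

# All values below are assumptions for illustration, not SilentHelm defaults.
BURST_COUNT = 20           # this many file changes ...
BURST_WINDOW_S = 10.0      # ... within this many seconds count as a burst
COOLDOWN_S = 60.0          # per-kind incident rate limit
CANARY = r"c:\users\demo\documents\~budget_2024.xlsx"  # hypothetical canary path

def detect(events):
    """events: (timestamp_seconds, path) tuples sorted by time.
    Returns (incidents, suppressed_count)."""
    window = deque()       # timestamps of recent file changes
    last_raised = {}       # incident kind -> time it was last recorded
    incidents, suppressed = [], 0
    for ts, path in events:
        window.append(ts)
        while ts - window[0] > BURST_WINDOW_S:
            window.popleft()
        if path.lower() == CANARY:
            kind, severity = "canary_touch", "CRITICAL"
            why = f"canary file touched: {path}"
        elif len(window) >= BURST_COUNT:
            kind, severity = "file_burst", "HIGH"
            why = f"{len(window)} file changes in {BURST_WINDOW_S:.0f}s"
        else:
            continue
        # Rate limit: one incident per kind per cooldown; the rest are only counted.
        if ts - last_raised.get(kind, float("-inf")) < COOLDOWN_S:
            suppressed += 1
            continue
        last_raised[kind] = ts
        incidents.append({"time": ts, "kind": kind, "severity": severity, "why": why})
    return incidents, suppressed

def sample_events():
    """Constructed input: three routine saves, a 40-file change wave, one canary touch."""
    docs = r"C:\Users\demo\Documents"
    events = [(t, rf"{docs}\notes.txt") for t in (0.0, 30.0, 60.0)]
    events += [(100 + 0.25 * i, rf"{docs}\file_{i:02}.docx") for i in range(40)]
    events.append((102.1, rf"{docs}\~budget_2024.xlsx"))
    return sorted(events)

if __name__ == "__main__":
    found, dropped = detect(sample_events())
    for inc in found:
        print(f'{inc["time"]:7.2f}s  {inc["severity"]:8}  {inc["why"]}')
    print(f"rate-limited: {dropped}")
```

The canary touch fires on a single event, well before the change wave reaches the burst threshold, which is why a canary can serve as the earlier and higher-confidence signal.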

Download & installation

SilentHelm runs on Windows 10 / 11 (64-bit). Admin rights are recommended for deeper visibility, but it can still run without elevation.

Download

Current release: Public v1
Release date: 2025-01-01


After install, run the tray app and use the menu:
  • SilentHelmTray.exe — start tray monitoring
  • Right-click tray icon → Run report / Reload / Open log file
  • Config file: SilentHelm.config.json (Reload applies changes)
Where data is stored

By default, SilentHelm writes everything under your local profile:

  • %LOCALAPPDATA%\SilentHelm\SilentHelm.log.jsonl — event log
  • %LOCALAPPDATA%\SilentHelm\Incidents\* — incident bundles
  • %LOCALAPPDATA%\SilentHelm\report.html — HTML report
  • %LOCALAPPDATA%\SilentHelm\SilentHelm.config.json — configuration

No data is sent to any server unless you add an opt-in cloud feature in the future.

About SilentHelm

SilentHelm started as a practical “local-first” security companion: a tool focused on visibility and explainable alerts.

Design principles
  • Local-first. Your logs, incidents, and reports are files you control.
  • Explainable. Alerts say what happened and what you can do next.
  • Low-noise. Incidents are rate-limited to avoid spam.
  • Complementary. Works alongside Windows Defender or any AV—not a replacement.

Contact & support

For feedback, bug reports, or feature suggestions:

  • Email: support@silenthelm.com
  • Include: Windows version, SilentHelm version, and a small snippet of SilentHelm.log.jsonl (redact sensitive info).