SilentHelm v1 — Local-first Windows Behavior Guard (Tray App)
=============================================================

What it is
----------
SilentHelm is a lightweight, local-first Windows tray tool that watches for:

- Canary file changes (high-confidence alert)
- Mass file-change bursts (possible ransomware-like pattern)
- Suspicious process behavior (heuristics)
- Suspicious file pattern / extension heuristics

It generates a clean local HTML report and stores incident bundles on disk.

This tool complements antivirus. It is not a replacement for AV/EDR.

Requirements
------------
- Windows 10/11 (x64 recommended)
- Optional: Run as Administrator for better visibility/coverage

Quick start
-----------
1) Extract the ZIP to a folder you control (e.g. C:\Tools\SilentHelm\)
2) Run: SilentHelm.exe
3) You will see a tray icon (system tray / notification area)

First run behavior
------------------
- SilentHelm will create a default configuration file if missing:
  SilentHelm.config.json
- SilentHelm will create its local data directory if needed.

Tray menu
---------
- Status
  Shows current status (OK / Warnings / CRITICAL if high-confidence alerts exist).
- Run report
  Generates the HTML report and opens it in your default browser.
- Reload
  Reloads SilentHelm.config.json (applies config changes live).
- Open Log file
  Opens the local JSONL log file.
- Exit
  Closes SilentHelm.

Where data is stored
--------------------
SilentHelm stores everything locally under:

  %LOCALAPPDATA%\SilentHelm\

Important files/folders:
- SilentHelm.config.json
  Configuration (created on first run if missing)
- SilentHelm.log.jsonl
  Append-only event log (JSON Lines)
- Report.html
  The latest local report
- Incidents\
  One folder per incident, each containing incident.json (and possibly additional context)

Configuration (SilentHelm.config.json)
--------------------------------------
Open the included PDF:
  SilentHelm_Config_Guide.pdf

Common settings you may edit:
- Thresholds (burst window / file burst threshold)
- Canary files (names, severity)
- incidentRateLimitSeconds (default 60)
- extraWatchDirs (additional directories to monitor)

IMPORTANT: JSON escaping for Windows paths
------------------------------------------
In JSON strings, backslashes must be escaped.

Example:
  "extraWatchDirs": "C:\\SilentHelm_Test|D:\\Shares\\Watch"
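
One way to check an edited config before choosing Reload, as an added example that is not part of SilentHelm. The function name Test-ExtraWatchDirs and the sample configs are constructed here, and splitting extraWatchDirs on '|' is an assumption based on the example above. It reports invalid JSON and also paths where a single backslash was accepted as an escape such as \t or \n.

```powershell
# Added example, not SilentHelm's own code. Assumes extraWatchDirs is a single
# '|'-separated string, as in the README example above.
function Test-ExtraWatchDirs {
    param([Parameter(Mandatory)][string]$JsonText)

    try {
        $cfg = $JsonText | ConvertFrom-Json -ErrorAction Stop
    } catch {
        # A lone backslash before a letter such as S or W is not a legal JSON
        # escape, so the whole document fails to parse.
        return [pscustomobject]@{ Path = ''; Status = 'INVALID_JSON'; Detail = $_.Exception.Message }
    }

    foreach ($dir in (([string]$cfg.extraWatchDirs) -split '\|' | Where-Object { $_ })) {
        # \t, \n, \b, \f and \r are legal escapes: the document parses, but the
        # path now holds a control character where a backslash was intended.
        $status = if ($dir -match '[\x00-\x1F]') {
            'CONTROL_CHAR'
        } elseif (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            'NOT_FOUND'
        } else {
            'OK'
        }
        # Show control characters as '?' so the damaged path is visible.
        [pscustomobject]@{ Path = ($dir -replace '[\x00-\x1F]', '?'); Status = $status; Detail = '' }
    }
}

# Constructed sample configs (not real SilentHelm files).
$samples = [ordered]@{
    'escaped correctly'        = '{ "extraWatchDirs": "C:\\SilentHelm_Test|D:\\Shares\\Watch" }'
    'single backslash, \S \W'  = '{ "extraWatchDirs": "D:\Shares\Watch" }'
    'single backslash, \t \n'  = '{ "extraWatchDirs": "C:\tools\new" }'
}
foreach ($name in $samples.Keys) {
    Write-Host "--- $name"
    Test-ExtraWatchDirs -JsonText $samples[$name] | Format-Table -AutoSize | Out-String | Write-Host
}

# To check the live config instead of the samples:
# Test-ExtraWatchDirs -JsonText (Get-Content -Raw "$env:LOCALAPPDATA\SilentHelm\SilentHelm.config.json")
```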

Testing / safe QA scenarios
---------------------------
(These are safe simulations; do NOT use malware.)
1) Canary trigger (high confidence)
   - Edit/rename/delete a canary file in a monitored folder.
2) File burst
   - Rapidly create/copy/rename many files in a monitored folder.
3) File pattern heuristic
   - Create a file name matching a suspicious pattern (as configured).
4) extraWatchDirs add/remove
   - Add a folder to extraWatchDirs, choose Reload, then create file changes there.
   - Remove it, choose Reload, then verify that changes there are no longer monitored.

Recommended usage
-----------------
- Keep SilentHelm running in the tray.
- Review the report after alerts.
- If you see CRITICAL and didn’t expect it:
  1) Disconnect from the internet
  2) Close unfamiliar apps
  3) Run a full antivirus scan
  4) Review recent downloads/attachments
  5) Verify backups (avoid overwriting them if ransomware is suspected)

Support / notes
---------------
This is an early v1 release. If you share logs for troubleshooting, review them first
to ensure you are not exposing sensitive paths or filenames.

© 2026 SilentHelm.com
