🛡️ GuardFoxCopilot Documentation

EDR Agent Portal

Monitor all endpoints, view event telemetry, run forensics, and quarantine compromised hosts.

Route: /edr/agents

How the EDR works

Overview

How the EDR Works

GuardFoxCopilot's EDR consists of two parts: a lightweight agent running on each endpoint, and the Agent Portal in the web UI.

What the agent collects

CategoryWhat's captured
ETWProcess creation, injection, hollow shell detection via Windows ETW providers
FileSystemMass file rename (ransomware), new executables in temp paths
VSSShadow copy deletion attempts — blocked and alerted
PowerShellScript block logging — captures all commands including obfuscated ones
YARAIn-memory scan of suspicious processes against 50+ signatures
Win EventsAdvanced Windows Event Log analysis (4624, 4688, 4698…)
NetworkOutbound connections, DNS queries, C2 interval detection

Agent communication

  • Agent sends heartbeat to /api/edr/heartbeat every 30 seconds
  • Events stream to /api/edr/events in batches of 50
  • Commands (quarantine, scan, collect) are polled from /api/edr/commands
  • Tamper protection: the agent service cannot be stopped without the admin passphrase

Quarantining an endpoint

How to use

Quarantining an Endpoint

Quarantine isolates a compromised endpoint from the network using local firewall rules, while keeping the agent connection alive so you can still collect forensics.

How to quarantine

  1. Open EDR → Agent Portal
  2. Click any agent to open the detail drawer
  3. Click Quarantine in the top-right
  4. Confirm the action — a note is added to the audit log

What quarantine does

  • Adds iptables (Linux) or Windows Firewall rules blocking all inbound/outbound traffic
  • Exception: keeps ports 443 to the GuardFoxCopilot server open so the agent remains connected
  • The agent status changes to QUARANTINED (red pulsing dot)

Releasing quarantine

Click Release in the same location. The firewall rules are removed and normal connectivity resumes.

⚠️ Always collect a memory image via the Forensics tab before releasing a quarantined endpoint.

Remote forensics collection

How to use

Remote Forensics Collection

From the Agent detail drawer → Forensics tab, you can launch collection tasks without touching the endpoint.

Available tasks

TaskWhat it collectsTypical size
Process Memory DumpMemory of specified process50–500 MB
Artifact CollectionEvent logs, prefetch, MFT, shellbags20–100 MB
Full Memory ImageComplete RAM capture4–32 GB
File System TimelineMAC times across all drives10–50 MB
Prefetch / MFT AnalysisExecution history, file records5–20 MB

Running a collection

  1. Open the agent drawer → Forensics tab
  2. Click the task you want to run
  3. Status changes to Running with a live progress indicator
  4. When Complete, click Download to retrieve the artifact

Notes

  • Full Memory Image requires the agent to have local admin rights
  • Collections run in the background — you can navigate away and return
  • Results are stored on the GuardFoxCopilot server for 7 days then auto-deleted