Home - SpyGuard/spyguard GitHub Wiki

What is SpyGuard?

SpyGuard is a forked and enhanced version of TinyCheck, developed by the same author when he was working at Kaspersky. SpyGuard's main objective is to detect signs of compromise by monitoring network flows transmitted by a device.

As it uses WiFi, SpyGuard can be used against a wide range of devices, such as smartphones, laptops, IOTs or workstations. To do its job, the analysis engine of SpyGuard is using Indicators of Compromise (IOCs) and anomaly detection and is supported by Suricata.

Notable differences with TinyCheck

• Most of the code have been refactored in order to be more stable and fast;
• New design embedding a taskbar for tablet implementation;
• Better WiFi handling in the front-end;
• Full code review (deleting some stuff, adding other);
• Back-end access from the front-end (vice versa);
• All of the network operations are now using nmcli;
• Suricata is now the only engine used during the detection;
• TLSv1.3 and JARM ready by actively requesting the remote servers;
• New DOH and DUAL use IOCs tags;
• Reports now contain the activated detection methods;
• Displaying uncategorized hosts in the report;
• Possiblity to whitelist hosts from the front-end;
• Watchers management from the back-end;
• Selection of specific IOC type for detection in the back-end;
• Pre-compliled Javascript files for a quicker installation;
• Non connected detection (only on known IOCs such as Domains, IPs, CIDRs);
• Updated whitelist and IOCs list (need more updates);
• AZERTY / QUERTY keyboards;
• Errors logging during the analysis;
• Dozens of bugs hunted and corrected;
• ... and much more!