verify:
Get-FileHash .\BASTION_0.2.0_x64-setup.exe -Algorithm SHA256

Most antivirus is a black box that runs as SYSTEM, phones home, renews itself, and writes nothing you can verify. BASTION is the inverse: small, observable, offline. Side-by-side — every row backed by a verifiable mechanism in the source.

| trait | BASTION | McAfee | Norton | Defender | Bitdefender |
|---|---|---|---|---|---|
| Open source — code you can read. Defender's engine is closed; some Win utils OSS. | |||||
| Zero telemetry / no cloud upload | |||||
| No account, no license server | |||||
| Free forever, no subscription | |||||
| Tamper-evident Merkle audit chain | |||||
| Cryptographic canary tokens | |||||
| Camera/mic open-event witness ledger | |||||
| Process lineage on every new proc | |||||
| One-click forensic export bundle | |||||
| Runs entirely on 127.0.0.1 (no inet) | |||||
| No SYSTEM kernel driver in your box. Defender + the rest ship a kernel driver — itself an attack surface (CrowdStrike, 2024). | |||||
| Auditable in one afternoon (<10k LOC) | |||||
| No history of selling user data. Avast/AVG sold browsing data via Jumpshot (FTC settlement 2024); McAfee + Norton bundle data-sharing 'partners'. | |||||
| Works fully air-gapped / offline | |||||
| Installer < 5 MB. BASTION 0.1 ≈ 2 MB. McAfee/Norton bloat past 500 MB. | |||||
| Doesn't slow your machine to a crawl | |||||
| Receipts you can verify (every event hashed) | |||||
| No mandatory arbitration / EULA lock-in | |||||
| Local SOAR — define your own response rules |

| trait | BASTION | McAfee | Norton | Defender | Bitdefender |
|---|---|---|---|---|---|
| Threat-intel feed (URL / domain / IP blocklist). BASTION pulls abuse.ch URLhaus + OpenPhish hourly, merged into one DNS-layer block set. | |||||
| Signature scan-on-write (file hash database). BASTION pulls the abuse.ch MalwareBazaar SHA-256 feed and hashes every file written into Downloads / Desktop / Documents in real time. | |||||
| Real-time auto-block of malicious file write. On a hash hit BASTION emits the alert AND auto-quarantines the file to the vault — hash-chained, not silent. | |||||
| Web / email phishing filter. BASTION blocks at the DNS layer using the OpenPhish feed — protocol-agnostic, catches email + web + native-app C2. | |||||
| Real-time response to triggered indicator. BASTION: canary touch → auto-quarantine + kill-PID rule fires in <1s. | |||||
| Pre-boot persistence integrity scan. BASTION runs a full FIM + autoruns + services + scheduled-tasks sweep on agent start, before steady-state polling — drift surfaces in the first event the dashboard sees on this boot. | |||||
| Persistence / autorun integrity check. FIM on Startup folder + registry-Run + scheduled tasks = where rootkits actually land. | |||||
| USB insertion + mass-storage logging | |||||
| Hosts-file integrity baseline | |||||
| Living-off-the-land binary (LOLBin) flagging |

- The dashboard has a `REMOVED` counter at the top — every quarantined file and every killed process tallies here.
- Click the counter to expand the vault panel listing every removed item with original path, size, SHA-256, and the reason it was quarantined. Files preserved as evidence under `%APPDATA%\bastion\bastion\data\vault\`.
- The `[response]` filter chip on the event stream shows every removal as a chained audit entry — provable, not promised.
- The `[run full scan]` button forces an immediate sweep: URLhaus refresh, FIM poll, canary check, Defender + Firewall log poll.

Every outbound DNS lookup logged. Hits against the abuse.ch URLhaus list escalate to alerts.
New procs get a parent chain trace. Suspicious child-of-Word/Excel and rare living-off-the-land binaries flag.
SHA-256 baselines for hosts file + Startup folder. Any drift, deletion, or new entry surfaces immediately.
Five HMAC-tagged decoys (fake AWS creds, fake .env, fake wallet.dat) planted in your data dir. Touch = alert.
Hooks Windows process-access ledger. Tells you the moment any process opens cam or mic — even headless.
Every USB insert + every autorun.inf, scheduled task, or registry-Run change recorded. Persistence is loud.
High-signal events pulled from Windows event log. RTP-off, malware-detected, firewall-rule-changed all first-class.
Every event hash-chained (Merkle). The dashboard verifies on every refresh — edits surface as [tamper] in red.
Kill PID. Quarantine to soft-delete vault (file preserved as evidence). Forensic export bundles the chain.
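
An added example, not BASTION's own code: a linear SHA-256 hash chain is one simple way to get the tamper-evidence described above for the event log and its export. The record layout, field names and `GENESIS` value are assumptions (the page does not show BASTION's format); `pinned_head` models a head hash kept outside the log, which is what catches truncation or a full rewrite with recomputed hashes.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor for the first entry

# Constructed sample events; field names are illustrative only.
SAMPLE_EVENTS = [
    {"ts": 1700000000, "kind": "dns", "detail": "lookup example.test"},
    {"ts": 1700000005, "kind": "canary", "detail": "decoy .env opened"},
    {"ts": 1700000006, "kind": "response", "detail": "file quarantined"},
]


def entry_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous link plus a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def build_log(events: list) -> list:
    """Chain events so each entry commits to everything before it."""
    chain, prev = [], GENESIS
    for event in events:
        digest = entry_hash(prev, event)
        chain.append({"prev": prev, "event": event, "hash": digest})
        prev = digest
    return chain


def verify(chain: list, pinned_head: Optional[str] = None) -> Optional[int]:
    """Return None if intact, else the index of the first bad entry.

    len(chain) is returned when every link is consistent but the final
    hash differs from a head value stored outside the log (truncation or
    a full rewrite with recomputed hashes).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    if pinned_head is not None and prev != pinned_head:
        return len(chain)
    return None


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    log[1]["event"]["detail"] = "nothing happened"  # in-place edit
    print("first bad entry:", verify(log))
```
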
Config wizard for Android's built-in Private DNS. Points your phone at a hosted DoT resolver that filters malware + phishing (default: AdGuard DNS; Cloudflare + Quad9 selectable). Self-hosted dns.bastion.cam coming soon. The OS does the resolution — bastion is just the wizard, so it can never break your internet.
Generates audio (swept tone, filtered noise, harmonic stack, or live mic-invert) designed to raise the noise floor in the speech band of nearby microphones. Useful for in-person privacy in a small bubble. Phone speakers cap ~85 dB SPL — not a force field.
Reads Android's built-in NetworkStatsManager (one-time grant of Usage Access) to show bytes-out + bytes-in per app over the last 24h. Catches apps quietly uploading while you're asleep. Bytes only — never destinations or content.
Rear-cam stream → on-device ML Kit face detection. Prop the phone with its back lens facing the space you want monitored (the room behind you, a hallway, a doorway). Alerts when 2+ faces persist for >2s. Frames never leave the phone — no recording, no upload, the ML model is bundled offline. Won't catch hidden mirrors, magnifiers, or long-lens cameras across a room.
verify:
sha256sum bastion-v0.4.2.apk

BASTION is free. No key, no telemetry, no “activate your license” gate. If it earns its place on your machine, drop something to one of these addresses. Every contribution keeps the sensor list growing.
0x70B666c4e3EE5B2C9Ab92925F097330813D1848a
bc1qtf6fqllw7dny832ksw67p4a99txgvrct7u9e7d