Stealth AntiVirus
Stealth AntiVirus is Stealth's own malware scanner. It ships a multi-engine detection pipeline (pattern rules, signature database, local threat-intel hashes, and optional cloud lookups) and runs alongside Windows Defender. It does not replace Defender, register as a Microsoft antivirus product, or install a kernel minifilter. You get a second opinion, user-mode real-time monitoring, a behavior shield Defender does not provide, and an encrypted quarantine vault under Stealth's control.
This is separate from the Windows Defender panel, which is a front-end for Microsoft's built-in antivirus settings and scans.
Opening Stealth AntiVirus
- Settings → Tools → Stealth AntiVirus
- Dashboard → Tools section → Stealth AntiVirus
The window opens at 1080×760 by default (minimum 880×640), is resizable, and remembers its position between sessions.
Tabs
| Tab | Contents |
|---|---|
| Status | Engine health, definition freshness, intel counts, real-time state, quarantine count, recent detections |
| Scan | Quick, Full, Custom, and USB scans with live progress and threat results |
| Real-Time | Master toggle plus File System Monitor, Scan-on-Execute, USB Auto-Scan, and custom watched folders |
| Behavior | Behavior Shield for ransomware mass-write detection and LOLBin command-line abuse |
| Quarantine | Encrypted vault of isolated threats with restore and delete actions |
| Definitions | Installed signature pack versions, manual update, and auto-check interval |
| Exclusions | Paths skipped during scans and real-time monitoring |
| Intel | Optional API keys for VirusTotal and abuse.ch feeds |
| Advanced | Worker count, archive depth, scan cache, data folder, Defender coexistence |
How scanning works
Every file goes through a layered pipeline before a verdict is returned:
- Extension filter. Plain media, documents, and logs (for example .png, .mp4, .txt) are skipped unless they are inside a scannable archive.
- Trusted whitelist. Files on the NSRL-based whitelist (whitelist.swl) short-circuit as clean before hitting the deep engine.
- Local threat intel. SHA-256, URL, and domain entries from intel.sti are checked first.
- Pattern engine. The primary engine (stealth-av-engine.exe) matches against rules.sav pattern rules.
- Signature engine (optional). When Enable deep signature pass is checked, the signature engine (stealth-av-scan.exe) runs against main.sdb, daily.sdb, and bytecode.sdb.
- Archive recursion. ZIP, RAR, 7z, MSI, ISO, and other archive types are unpacked up to the configured depth (default 6) and each inner file is scanned.
- Clean-file cache. Files verified clean are cached by path, size, and modification time in %ProgramData%\Stealth\AntiVirus\cache.json. Re-scanning an unchanged tree completes in seconds.
- Optional cloud lookup. If enabled on the Intel tab and keys are saved, unknown hashes can be looked up via your own VirusTotal or abuse.ch credentials.
Scans run in parallel across multiple worker processes. Default worker count is logical CPU cores minus one (capped at 8). You can override this on the Advanced tab (1 to 16).
Scan types
| Scan type | Scope |
|---|---|
| Quick Scan | High-risk user locations only: Downloads, Desktop, %TEMP%, %APPDATA%, %LOCALAPPDATA%, and %PUBLIC%\Downloads. Focuses on executable and archive extensions. Typical runtime is a few minutes. |
| Full Scan | Every fixed drive letter that exists on the machine (C: through Z:). On repeat runs, NTFS USN journal data limits re-scanning to files changed since the last full scan. |
| Custom Scan | You pick a folder or single file through the file picker. |
| USB / Removable | Scans non-system drive letters (any letter that exists and is not the Program Files drive). |
During a scan the progress panel shows enumeration phase, current file path, files scanned, cache hits, active worker count, elapsed time, and threat count. Click the cancel button to stop an in-flight scan.
When a threat is found during any scan, the file is quarantined automatically and listed in the results panel.
Real-Time Protection
Real-time protection is fully user-mode (no kernel driver). Three independent monitors run when the master toggle is on:
File System Monitor
Uses fs.watch (ReadDirectoryChangesW on Windows) on these default roots:
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
- %TEMP%
- %APPDATA%
- %LOCALAPPDATA%
- %PUBLIC%\Downloads (when present)
New or modified files are debounced and scanned after a short settle delay (~250 ms). Malicious verdicts trigger immediate quarantine and a tray notification.
Scan-on-Execute
Subscribes to WMI Win32_ProcessStartTrace. Every new process has its executable image hashed, checked against the intel cache, and scanned if unknown. If a malicious verdict arrives after the process already started, Stealth kills the process, quarantines the binary, and notifies you.
USB Auto-Scan
Listens for Win32_VolumeChangeEvent via WMI. When removable media is inserted, a background scan of the volume root starts automatically.
You can add custom watched folders on the Real-Time tab. Each folder gets its own recursive watcher.
Behavior Shield
The behavior shield watches protected folders for ransomware-style activity that signature scanning may miss:
- Mass file rename or rewrite within a sliding time window (default: 25 events in 8000 ms, both configurable)
- High-entropy replacement of existing user documents
- Creation of known ransom-note filenames (for example README.txt, HOW_TO_DECRYPT, !!!READ_ME!!!)
- Suspicious Living-off-the-Land command lines (encoded PowerShell, certutil -urlcache, remote mshta, and similar patterns)
When a threshold is tripped, Stealth attempts to kill the offending process, flags affected files, and records the event in Recent Behavior Detections.
Protected Folders define where mass-write detection is active. Allowed Apps exempt trusted backup utilities from the mass-write threshold so scheduled backups do not false-positive.
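The mass-write, ransom-note and high-entropy checks above as a detector over constructed file events. This is an added example, not Stealth's code; the event shape ({ts, pid, image, op, path, data, existing}), the 7.5 bits/byte entropy cutoff, and the per-process counting are assumptions.

```javascript
// Added example (not Stealth's own code): Behavior Shield thresholds as a detector.
// ts is milliseconds; op is 'rename' | 'write'; data is the written Buffer (optional);
// existing marks an overwrite of a file that already existed.
const RANSOM_NOTES = [/^README\.txt$/i, /HOW_TO_DECRYPT/i, /!!!READ_ME!!!/i];

// Shannon entropy in bits per byte (0..8); encrypted or compressed output sits near 8.
function entropy(buf) {
  const counts = new Array(256).fill(0);
  for (const b of buf) counts[b]++;
  let h = 0;
  for (const c of counts) if (c) { const p = c / buf.length; h -= p * Math.log2(p); }
  return h;
}

class BehaviorShield {
  // Defaults match the page: 25 events in 8000 ms; entropy cutoff is an assumption.
  constructor({ threshold = 25, windowMs = 8000, allowedApps = [], entropyCutoff = 7.5 } = {}) {
    Object.assign(this, { threshold, windowMs, entropyCutoff });
    this.allowed = new Set(allowedApps.map(a => a.toLowerCase()));   // trusted backup tools
    this.window = new Map();   // pid -> event timestamps inside the sliding window
  }

  // Returns a detection {kind, pid, ...} or null for each event in a protected folder.
  record(ev) {
    const name = ev.path.split(/[\\/]/).pop();
    if (RANSOM_NOTES.some(re => re.test(name))) return { kind: 'ransom-note', pid: ev.pid, path: ev.path };
    if (ev.existing && ev.data && entropy(ev.data) > this.entropyCutoff) {
      return { kind: 'high-entropy-overwrite', pid: ev.pid, path: ev.path };
    }
    // Allowed Apps are exempt from the mass-write threshold only.
    if (this.allowed.has(ev.image.toLowerCase())) return null;
    if (ev.op !== 'rename' && ev.op !== 'write') return null;
    const live = (this.window.get(ev.pid) || []).filter(t => ev.ts - t < this.windowMs);
    live.push(ev.ts);
    this.window.set(ev.pid, live);
    if (live.length >= this.threshold) {
      this.window.delete(ev.pid);   // reset so one burst reports once
      return { kind: 'mass-write', pid: ev.pid, count: live.length };
    }
    return null;
  }
}
```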
Quarantine
Quarantined files are handled as follows:
- The full file is read and encrypted with AES-256-GCM using a per-install key stored in the Stealth settings store (DPAPI-protected on Windows).
- The encrypted blob is written as a random .qsav file under %ProgramData%\Stealth\AntiVirus\quarantine\.
- The original file is deleted from disk.
- Metadata (original path, SHA-256, threat name, timestamps) is saved in quarantine.json.
Restore decrypts the blob, writes it back to the original path, removes the vault entry, and adds the path to scan exclusions so the next scan does not re-quarantine it. Delete All permanently removes every vault entry.
Definition pack
Definitions live under the bundled resources/stealth-av/defs/ directory and are refreshed by the built-in updater:
| File | Purpose |
|---|---|
| main.sdb | Core signature database |
| daily.sdb | Daily signature deltas |
| bytecode.sdb | Bytecode-assisted signatures |
| rules.sav | Pattern rules for the primary engine |
| intel.sti | Local hash, URL, and domain threat intelligence |
| whitelist.swl | NSRL trusted-file whitelist |
On first launch (or if files are missing), the updater bootstraps the full engine and definition pack. Scheduled checks run every 1, 6, 12, or 24 hours (default 6 hours). Downloads use atomic temp-file-then-rename so a partial download never corrupts live definitions.
ThreatFox recent IOCs and the OpenPhish feed update automatically with no API key. Full ThreatFox export, MalwareBazaar, URLhaus, and VirusTotal require your own keys on the Intel tab.
Intel tab (optional)
Stealth AntiVirus works fully offline. Cloud sources are opt-in and use your API credentials (Stealth does not proxy or quota-limit lookups):
| Source | What it provides |
|---|---|
| VirusTotal | v3 file hash lookup (free tier: 4 requests/minute) |
| MalwareBazaar | Hash and family lookup via abuse.ch |
| URLhaus | URL reputation via abuse.ch |
| ThreatFox | Full IOC export (recent feed runs without a key) |
Enable Allow cloud lookup during scans to query these sources for hashes the local engines did not recognize.
Exclusions
Add folders or individual files that Stealth AntiVirus should skip during on-demand scans and real-time monitoring. Restored quarantine items are added here automatically.
Advanced
- Worker count. Parallel scan processes (default: CPU cores minus 1).
- Max archive depth. How many levels deep nested archives are unpacked (default 6).
- Cache trusted files. Persist clean-file cache to skip unchanged files on re-scan.
- Clear Scan Cache. Forces every file to be re-evaluated on the next scan.
- Open Data Folder. Opens %ProgramData%\Stealth\AntiVirus\ in Explorer.
Windows Defender coexistence
Because Stealth loads thousands of malware signatures into memory, Defender's behavioral engine can false-positive on Stealth's own engine binaries (names like Behavior:Win32/CobaltStrike.A!sms). Stealth registers its engine paths, process names, and definition extensions as Defender exclusions during install and re-applies them on startup.
The Advanced tab shows current Defender exclusion state. Use Re-apply Defender Exclusions if exclusions were removed manually. Applying exclusions requires administrator rights; if Stealth is not elevated, pending exclusions are queued to defender-pending.json for the next elevated run.
Data storage
All Stealth AntiVirus runtime data is stored locally under %ProgramData%\Stealth\AntiVirus\:
| File | Purpose |
|---|---|
| cache.json | Clean-file scan cache |
| quarantine/ | Encrypted .qsav blobs |
| quarantine.json | Quarantine index and metadata |
| defender-applied.json | Record of Defender exclusions Stealth applied |
| defender-pending.json | Exclusions waiting for an elevated run |
Engine binaries and definition files ship inside the Stealth install under resources/stealth-av/. Nothing is uploaded to Stealth servers during scanning unless you explicitly enable cloud intel with your own API keys.