The antivirus that can't be exploited — because it inherits nothing.
106KB bare-metal security agent with 5-layer detection, SHA-256 integrity checking, and active defense. Zero dependencies. Catches renamed malware. Kills threats the moment they are detected.
The problem
Current endpoint security agents (CrowdStrike, SentinelOne) weigh 300-500MB, consume hundreds of MB of RAM, and inherit every CVE in their dependency chains. In July 2024, a faulty CrowdStrike Falcon content update crashed about 8.5 million Windows machines worldwide, at airlines, banks and hospitals, with losses to Fortune 500 companies alone estimated at $5.4B. Worse, name-based signature detection can be bypassed simply by renaming the malware binary. The tools meant to protect infrastructure have become one of its biggest risks.
The solution
OmniShield is a 106KB security agent compiled from a proprietary bare-metal language (OmniOS). It uses 5 detection layers: exe path signatures read from the kernel-maintained /proc/PID/exe symlink (immune to process-name spoofing), cmdline pattern matching, SHA-256 hashing of ELF binaries (catches renamed malware), LD_PRELOAD fileless-attack detection, and behavioral CPU anomaly analysis. It monitors processes, listening ports, outbound connections, the filesystem (inotify) and auth logs in real time, all through direct Linux syscalls. It ships with 41 signatures (expandable), configurable authentication, persistent logging with rotation, syslog UDP output, a self-integrity watchdog, and auto-update with SHA-256 verification. An embedded web dashboard shows threat events, defense actions and system health.
Why Bare-Metal Matters
A 106KB binary with zero dependencies has a far smaller attack surface than a 500MB agent with hundreds of libraries: there are no shared libraries to hook, no runtime to exploit, no third-party supply chain to compromise. An LD_PRELOAD library or a trojaned libc can hook any dynamically linked user-space agent, but not OmniShield, because OmniShield does not link libc at all. It speaks directly to the kernel through syscalls, so there is no intermediary to intercept. This removes the hooking vector, not root itself: an attacker who already has root can still kill or ptrace the agent, which is why it verifies every kill() result and re-hashes its own binary on a 60-second watchdog.
Technical Specifications
| Feature | Value |
|---|---|
| Binary Size | ~106KB (x86_64) / ~119KB (ARM64) |
| RAM Usage | <2MB |
| Dependencies | None — zero libraries, zero runtime |
| Architecture | x86_64 + ARM64, direct Linux syscalls |
| Detection Layers | 5 — exe path signatures, cmdline signatures, ELF hash analysis, LD_PRELOAD fileless, behavioral CPU |
| Signatures | 41 patterns (expandable via /etc/omnishield/signatures.conf) |
| API | HTTP on port 7070, configurable Basic Auth, CORS, rate limiting (5 req/s) |
| Dashboard | Embedded HTML/CSS/JS — served from the binary itself |
| Event Loop | epoll — multiplexed I/O, 2-second scan interval |
| Monitors | Processes, CPU behavior, Network, Outbound connections, Filesystem (inotify), Auth logs |
| Active Defense | Auto-kill malicious processes (SIGKILL on detection) with kill() return-code verification |
| Integrity | SHA-256 binary self-hash (implementation verified against NIST test vectors), periodic watchdog, tamper alerts |
| Logging | Persistent file logging with 10MB rotation + Syslog UDP (RFC 3164) |
| Auto-Update | HTTP download, SHA-256 check against the expected digest, atomic binary swap |
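The Logging row above lists RFC 3164 syslog over UDP. The following is an added example, not OmniShield's code, showing what such a datagram looks like on the wire, how a SIEM receiver parses it back, and why control characters in attacker-influenced fields (process names, paths) must be stripped before they are logged. The event text, hostname, tag and PID are constructed; port 514 is the standard syslog port.

```python
"""Added example (not OmniShield's code): build, parse and send an RFC 3164 syslog
datagram of the kind the Logging row describes. Event text, hostname and tag are
constructed sample data."""
import re
import socket
from datetime import datetime

FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
MAX_PACKET = 1024                                   # RFC 3164 section 4.1 packet cap


def rfc3164_timestamp(ts):
    # "Mmm dd hh:mm:ss", day space-padded, no year, no zone (RFC 3164 section 4.1.2).
    return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"


def build_syslog(event, severity, hostname, tag, pid, ts, facility="daemon"):
    """Return the wire bytes for one event. PRI = facility * 8 + severity."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    # Event text can carry attacker-controlled strings (argv, paths). Strip control
    # characters so a crafted process name cannot inject a fake second line into a
    # file-backed collector.
    clean = "".join(c for c in event if c >= " " and c != "\x7f")
    line = f"<{pri}>{rfc3164_timestamp(ts)} {hostname} {tag}[{pid}]: {clean}"
    return line.encode("ascii", "replace")[:MAX_PACKET]


_LINE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                   r"([^\[: ]+)(?:\[(\d+)\])?: (.*)$")
_FAC_NAME = {v: k for k, v in FACILITY.items()}
_SEV_NAME = {v: k for k, v in SEVERITY.items()}


def parse_syslog(datagram):
    """Parse a datagram back into fields, the way a SIEM receiver would."""
    m = _LINE.match(datagram.decode("ascii", "replace"))
    if not m:
        raise ValueError("not an RFC 3164 line")
    pri = int(m.group(1))
    if pri > 191:                                   # 23 facilities * 8 + 7 severities
        raise ValueError("PRI out of range")
    return {"facility": _FAC_NAME.get(pri // 8, pri // 8), "severity": _SEV_NAME[pri % 8],
            "timestamp": m.group(2), "hostname": m.group(3), "tag": m.group(4),
            "pid": int(m.group(5)) if m.group(5) else None, "msg": m.group(6)}


def send_udp(datagram, collector, port=514):
    """Fire-and-forget UDP, the RFC 3164 transport: no delivery guarantee and no
    encryption, so keep the collector on a trusted network segment."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (collector, port))


def example_event(event="THREAT exe=/tmp/.x/kthreadd layer=hash action=SIGKILL pid=4242"):
    """A constructed detection event, as the agent would emit it."""
    return build_syslog(event, "crit", "web-01", "omnishield", 1337,
                        datetime(2024, 7, 3, 14, 5, 9))


if __name__ == "__main__":
    pkt = example_event()
    print(pkt.decode())          # <26>Jul  3 14:05:09 web-01 omnishield[1337]: THREAT ...
    print(parse_syslog(pkt))
```

The PRI value 26 is facility daemon (3) times 8 plus severity crit (2); most SIEMs key their alert routing on exactly that number, so pick the severity deliberately rather than sending everything as info.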
Comparison
| | OmniShield | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|
| Agent size | 106KB | ~500MB | ~300MB |
| RAM per endpoint | <2MB | 200-500MB | 150-400MB |
| Dependencies | 0 | Hundreds | Hundreds |
| Inherited CVEs | 0 | Hundreds | Hundreds |
| Detection layers | 5 (signatures + hash + behavioral + fileless) | Cloud ML | Cloud ML |
| Renamed malware detection | Yes (ELF hash analysis) | Partial | Partial |
| Active defense | Auto-kill (SIGKILL on detection) | Quarantine | Quarantine |
| Can crash the OS | No (no kernel hooks) | Yes (July 2024) | Possible |
| Supply chain risk | Zero | High | High |
| SIEM integration | Syslog UDP + file logs | Proprietary cloud | Proprietary cloud |
| Self-integrity check | SHA-256 watchdog (60s) | None | None |
| Embedded dashboard | Yes (in binary) | Cloud console | Cloud console |
Use Cases
Cloud Server Protection
Deploy a 106KB agent on every VPS, droplet, or EC2 instance. 5 detection layers monitor processes, CPU anomalies, open ports, outbound connections, and file integrity. SHA-256 binary hashing catches renamed malware that evades name-based signatures. Uses less than 2MB of RAM.
Crypto Mining Detection
Detects mining via 41 signatures (xmrig, kinsing, ethminer...), ELF hash analysis (catches renamed miners), AND behavioral CPU analysis, which needs no signature at all. Auto-kills detected miners with SIGKILL and verifies that the kill succeeded. Persistent logging and Syslog UDP provide the audit trail.
Intrusion Detection
Monitors /etc, /usr/bin, /etc/ssh via inotify for unauthorized modifications. Detects reverse shells, C2 callbacks, new listening ports, brute force SSH, and LD_PRELOAD fileless attacks. Tracks outbound connections to flag command-and-control traffic. Self-integrity watchdog re-hashes its own binary every 60 seconds.
Hosting / MSP Security
White-label solution for hosting providers and managed security providers. One agent per server, configurable credentials per customer, auto-update with SHA-256 verification. Embedded dashboard per endpoint — no cloud console needed. Syslog integration for centralized SIEM.
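The self-integrity watchdog (Intrusion Detection above) and the hash-verified auto-update (this section) are the two places where the agent checks a binary's SHA-256 against a known value. The following is an added example, not OmniShield's code, of both: a watchdog that baselines and re-hashes a file, and an updater that refuses a mismatching image and swaps the binary atomically. It runs in a scratch directory; the file name, image bytes and digests are constructed. On a real host the expected digest has to come from a channel the attacker cannot also control.

```python
"""Added example (not OmniShield's code): self-integrity watchdog plus hash-verified
atomic update, run against a scratch directory so it works offline. File name, image
bytes and digests are constructed sample data."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class IntegrityWatchdog:
    """Hash the binary at startup; each check() re-hashes and reports any change.
    This watches the file on disk, not the running process image."""

    def __init__(self, path):
        self.path = path
        self.rebaseline()

    def rebaseline(self):
        self.baseline = sha256_file(self.path)

    def check(self):
        current = sha256_file(self.path)
        if current != self.baseline:
            return False, f"CRITICAL: {self.path} changed {self.baseline[:12]}.. -> {current[:12]}.."
        return True, "ok"


def verified_update(target, new_image, expected_sha256):
    """Install new_image over target only if its SHA-256 equals expected_sha256.
    A digest fetched over the same plain-HTTP channel as the image proves nothing
    (whoever can swap the image can swap the digest), so the caller must obtain
    it out of band. The image is written to a temp file in the same directory,
    fsync'd, then renamed over the target: readers see the old binary or the new
    one, never a half-written one."""
    actual = hashlib.sha256(new_image).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return False
    directory = os.path.dirname(os.path.abspath(target))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".update-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_image)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o755)
        os.replace(tmp, target)                         # atomic within one filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def demo():
    """Walk the lifecycle with constructed data and return the observations."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "omnishield-linux")
    with open(target, "wb") as f:
        f.write(b"\x7fELF" + b"v1 constructed agent image")
    wd = IntegrityWatchdog(target)
    out = {"clean_at_start": wd.check()[0]}
    with open(target, "ab") as f:                       # simulate on-disk tampering
        f.write(b"patched")
    out["tamper_detected"] = not wd.check()[0]
    new = b"\x7fELF" + b"v2 constructed agent image"
    out["bad_digest_rejected"] = not verified_update(target, new, "00" * 32)
    out["good_digest_installed"] = verified_update(target, new, hashlib.sha256(new).hexdigest())
    out["installed_matches"] = sha256_file(target) == hashlib.sha256(new).hexdigest()
    out["alert_after_update"] = not wd.check()[0]       # a legitimate update looks like tampering...
    wd.rebaseline()                                     # ...so the updater must re-baseline the watchdog
    out["clean_after_rebaseline"] = wd.check()[0]
    out["temp_files_left"] = [n for n in os.listdir(root) if n.startswith(".update-")]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The one ordering detail that matters operationally is the last step: an updater that swaps the binary without re-baselining the watchdog turns every release into a CRITICAL tamper alert.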
What's New
- 5-layer detection engine: exe path signatures, cmdline signatures, ELF hash analysis, LD_PRELOAD fileless detection, behavioral CPU analysis
- ELF hash detection: SHA-256 of process binaries running from /tmp, /dev/shm and /var/tmp; catches renamed malware that bypasses name-based signatures
- readlink(/proc/PID/exe): reads the kernel-maintained symlink for the real executable path, immune to prctl(PR_SET_NAME) and argv[0] spoofing; the kernel's " (deleted)" suffix on that link also exposes binaries unlinked after exec
- LD_PRELOAD fileless-attack detection: scans /proc/PID/environ for injected libraries, filtering out paths under /usr, /snap and /lib
- 41 signatures loaded from /etc/omnishield/signatures.conf (crypto miners, reverse shells, rootkits, exploit tools), expandable
- SHA-256 implemented in pure OmniOS and checked against NIST test vectors; binary self-hash at startup plus a periodic integrity watchdog
- Configurable authentication: credentials read from /etc/omnishield/config and base64-encoded for HTTP Basic Auth at startup (base64 is an encoding, not protection; the dashboard is plain HTTP, so bind port 7070 to a trusted interface or put TLS in front of it)
- HTTP rate limiting: 5 requests/second per endpoint, returning 429 Too Many Requests
- Persistent logging to /var/log/omnishield/ with automatic rotation at 10MB
- Syslog UDP output (RFC 3164), accepted by any SIEM
- Auto-update: HTTP download, SHA-256 verification against the expected digest, atomic binary swap
- Root privilege detection: warns when running without permission to kill, and verifies every kill() return code
- Self-protection watchdog: re-hashes its own binary every 60 seconds and raises a CRITICAL alert on any change
- Scan interval reduced from 5s to 2s, so a new process is seen within 2 seconds of starting
- ARM64 cross-compilation support (119KB binary, verified under QEMU)
- ~106KB binary, zero dependencies, zero false positives in testing
Try Now — Free
Get your binary
Free forever for self-hosted. No credit card. Instant download.
Install instructions
1. chmod +x ./omnishield-linux
2. sudo ./omnishield-linux
3. Open http://SERVER_IP:7070 (default auth: admin / omnishield). Change these credentials in /etc/omnishield/config before exposing the port: the dashboard is plain HTTP, so Basic Auth credentials travel in cleartext.
Coming soon