🚀
Quick Start Guide

Follow these five steps to get SYSMarshal protecting your Windows Server within minutes.

1. Install SYSMarshal: Download and run the installer. SYSMarshal installs as a Windows Service and desktop application.
2. Enter Your API Key: Go to Settings → Licensing and enter your API Key. This connects SYSMarshal to the cloud reputation database.
3. Whitelist Your IPs: Before activating, add your office, VPN, and admin machine IPs in Settings → White Listing to avoid locking yourself out.
4. Configure Email Alerts: Set up your notification email address and choose Immediate, Daily, or Weekly alert mode.
5. Start the Service: Click Start Service. SYSMarshal begins monitoring Windows event logs and will block attackers automatically.
⚠️
Important Before You Start
Always whitelist your own IP addresses (office, VPN, development machine) before starting the service. This is the single most important pre-activation step — it prevents you from accidentally blocking your own access to the server.
📋
Feature Overview

SYSMarshal includes 17 integrated features. Click any card to jump to its full documentation.

1. 🛡️ Auto-Block Engine: Continuously monitors logs and blocks attackers without human intervention.
2. 🗂️ Event Log Monitoring: Reads Windows Security & Application logs for suspicious activity.
3. 🌐 IP Reputation: Cross-checks every IP against a global threat intelligence database.
4. 📍 Geo-Location & Maps: Visualises attacker locations on interactive and email-embedded maps.
5. 🔐 Whitelist: Protects trusted IPs from ever being blocked.
6. 📧 Email Alerts: Instant, daily, or weekly HTML reports sent automatically.
7. 🔄 Firewall Capacity: Self-manages Windows Firewall rule capacity automatically.
8. 🐕 Watchdog Service: Independent guardian that alerts you if SYSMarshal stops.
9. 🌍 Global Baseline: Live community threat feed from all SYSMarshal installations worldwide.
10. 🤖 AI Assistant: Ask plain-English security questions about your own data.
11. 🔬 Diagnostics: Discovers which event logs contain suspicious IPs on your machine.
12. 📊 Reports: Executive summaries, country rankings, and attack pattern reports.
13. 🔌 Port Monitor: Live snapshot of all open TCP/UDP ports on your server.
14. 🔑 Licensing: API key + hardware fingerprint licensing with a 12-hour grace period.
15. ⬆️ Auto Updates: Checks for new versions on startup and applies them automatically.
16. 📋 Audit Policy: Self-healing Windows audit policy enforcement every 24 hours.
17. 🗄️ Data Explorer: Built-in SQL browser for your complete local security history.
🛡️
Auto-Block Engine
Feature 01 of 17

The beating heart of SYSMarshal. A continuous monitoring loop that reads Windows event logs, identifies IP addresses that have exceeded your attack threshold, checks them against a global reputation database, and instructs Windows Firewall to block them — all automatically, with no human involvement required.

1. Scan Cycle: The engine runs on a configurable interval (default every 5 minutes). On first start it runs every 2 seconds to establish a baseline immediately.
2. IP Extraction: For each monitored event, SYSMarshal reads matching Windows event records and extracts every IP address found in the event data.
3. Banning Decision: When an IP exceeds Max Wrong Tries, SYSMarshal checks: Is it whitelisted? Is it a private IP (if private blocking is off)? Is it trusted? Then it queries the Central API for a reputation score.
4. Firewall Block Rule: SYSMarshal writes the offending IP to the "SYSMarshal IP Jailhouse" rule in Windows Firewall — a single dedicated block rule that keeps the rest of your firewall configuration untouched.
5. Desktop Notification: A toast notification with a sound alert appears on the desktop the moment a new IP is blocked.
6. Full Logging: Every block is recorded: IP address, event ID, timestamp, geo-location, source/destination port, protocol, direction, and abuse confidence score.

Configurable Parameters — adjust these in Settings to match your environment's risk tolerance:

| Setting | What It Controls | Default |
|---|---|---|
| Max Wrong Tries | How many times an IP must appear in event logs before it is blocked | 3 |
| Wrong Try Span | The time window (in minutes) in which attempts are counted | 99999 (all-time) |
| Minutes to Pause | Gap between each scan cycle | 5 minutes |
| Allow Private IPs | Whether local network IPs (192.168.x.x, 10.x.x.x) can be blocked | Off |
| 4th Octet Attack Count | Threshold for blocking at the subnet level | 25 |
ℹ️
IPv4 & IPv6 Support
SYSMarshal fully supports both IPv4 and IPv6 addresses throughout — IP validation, range checking, whitelist lookup, and firewall rule insertion all handle both address families transparently.
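The scan-and-decide loop described above, as an added Python example rather than SYSMarshal's own code. It takes constructed (event ID, timestamp, IP) records, applies the Max Wrong Tries and Wrong Try Span defaults from the table, and runs the whitelist, private-IP and trusted-IP checks in the order the page gives; the private-network list, the helper names and the assumption that reaching the threshold counts as exceeding it are mine.

```python
"""Auto-Block banning decision (added example, not SYSMarshal's own code).
Events are constructed (event_id, timestamp, ip) records of the kind the
engine extracts from Windows event logs."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Defaults from the Configurable Parameters table; 99999 minutes means all-time.
MAX_WRONG_TRIES, WRONG_TRY_SPAN_MINUTES, ALLOW_PRIVATE_IPS = 3, 99999, False
# "Local network IPs" as the page describes them, plus the IPv6 equivalent (assumption).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_whitelist(entries):
    """Entries are single IPs or 'start-end' ranges, IPv4 or IPv6."""
    singles, ranges = set(), []
    for entry in entries:
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            ranges.append((start, end))
        else:
            singles.add(ipaddress.ip_address(entry.strip()))
    return singles, ranges


def is_whitelisted(ip, whitelist):
    singles, ranges = whitelist
    return ip in singles or any(
        s.version == ip.version and s <= ip <= e for s, e in ranges)

def is_private(ip):
    return any(ip.version == net.version and ip in net for net in PRIVATE_NETS)

def decide_ips(events, whitelist, trusted, now, max_tries=MAX_WRONG_TRIES,
               span_minutes=WRONG_TRY_SPAN_MINUTES, allow_private=ALLOW_PRIVATE_IPS):
    """Count appearances per IP inside the Wrong Try Span, then apply the
    pre-checks in the page's order (whitelist, private, trusted). Returns
    (ip, outcome) pairs; 'query reputation' means the Central API is asked
    next. Assumption: reaching max_tries counts as exceeding it."""
    window_start = now - timedelta(minutes=span_minutes)
    hits = defaultdict(int)
    for _event_id, timestamp, raw_ip in events:
        if timestamp >= window_start:
            hits[ipaddress.ip_address(raw_ip)] += 1
    outcomes = []
    for ip, count in hits.items():
        if count < max_tries:
            continue                              # below threshold: not a candidate
        if is_whitelisted(ip, whitelist):
            outcomes.append((str(ip), "skip: whitelisted"))
        elif is_private(ip) and not allow_private:
            outcomes.append((str(ip), "skip: private"))
        elif ip in trusted:
            outcomes.append((str(ip), "skip: trusted"))
        else:
            outcomes.append((str(ip), "query reputation"))
    return outcomes


# Constructed sample data using documentation address ranges, not real hosts.
NOW = datetime(2024, 1, 1, 12, 0)
WHITELIST = parse_whitelist(["203.0.113.100", "2001:db8::-2001:db8::ff"])
TRUSTED = {ipaddress.ip_address("203.0.113.200")}
def _burst(event_id, ip, offset=0):          # three hits, starting offset minutes ago
    return [(event_id, NOW - timedelta(minutes=offset + m), ip) for m in (1, 2, 3)]
EVENTS = (_burst(4625, "203.0.113.7") + [(4625, NOW, "198.51.100.5")]   # one hit only
          + _burst(5157, "192.168.1.50") + _burst(18456, "2001:db8::1")
          + _burst(4625, "203.0.113.200") + _burst(4625, "203.0.113.9", offset=600))
```

With the default all-time span the ten-hour-old 203.0.113.9 burst is still counted; pass span_minutes=60 and it drops out of the candidate list.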
🗂️
Windows Event Log Monitoring
Feature 02 of 17

SYSMarshal reads directly from Windows Security and Application event logs using the Windows Event Log API, monitoring specific Event IDs and extracting attacker IP addresses from those events.

Default monitored events — active from the moment you install SYSMarshal:

| Event ID | Log | Description | What It Catches |
|---|---|---|---|
| 4625 | Security | Account failed to log on | Brute-force attacks on Windows login and RDP |
| 5152 | Security | WFP blocked a packet | IP-level intrusion attempts at the firewall layer |
| 5157 | Security | WFP blocked a connection | Active port scanning activity |
| 4723 | Security | Password change attempt | Unauthorised attempts to change account passwords |
| 1102 | Security | Audit log cleared | Classic attacker tactic to hide evidence |
| 4719 | Security | Audit policy changed | Attempts to disable logging or weaken Windows auditing |
| 18456 | Application | SQL Server login failure | Brute-force attacks on SQL Server |
| 5140 | Security | Network share accessed | Unauthorised access to shared folders |
| 5158 | Security | Outbound connection requested | Lateral movement or command-and-control beaconing |
💡
Custom Event IDs
You can add any Windows Event ID from any log (Security, Application, System, etc.) through the monitored events configuration. Use the Diagnostics screen (Feature 11) to discover which event IDs on your specific machine contain suspicious IP activity.
🌐
Global IP Reputation
Feature 03 of 17

Before blocking any IP, SYSMarshal checks it against a central cloud reputation database shared across all SYSMarshal installations worldwide. This prevents false positives and enriches every block decision with a confidence score.

1
Reputation Query
SYSMarshal sends the IP to the Central API endpoint. The response is either Blacklisted;<score> or TrustedIp;<score>.
2
Blacklisted Response
The IP is added to the Windows Firewall block rule and logged with its abuse confidence score.
3
Trusted IP Response
The IP is recorded as "TrustedIP" and is not blocked — even if it appears repeatedly in event logs. This prevents legitimate services from being locked out.

Abuse Confidence Score — every blocked IP is tagged with a score from 0–100, colour-coded for instant threat assessment:

| Score | Severity |
|---|---|
| 75–100 | 🔴 Critical |
| 50–74 | 🔴 High Risk |
| 25–49 | 🟠 Medium-High |
| 10–24 | 🟠 Medium |
| 5–9 | 🟡 Low Risk |
| 1–4 | 🟢 Minimal |
| 0 | ✅ No Score |
🔍
WhoIs Lookup
Every IP in the Baseline screen has a WhoIs button that opens a detailed report showing public registration, ownership, and abuse history for that IP.
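Handling of the Central API answer and the confidence bands, as an added Python example that is not SYSMarshal's code. Only the two response formats and the score bands come from the page; deferring on a malformed response, and all function names, are assumptions.

```python
"""Reputation response handling for Feature 03 (added example, not
SYSMarshal's own code). Wire format per the page: 'Blacklisted;<score>' or
'TrustedIp;<score>'. Bands are the page's abuse confidence table."""

# (lower bound, label), highest band first.
SCORE_BANDS = [
    (75, "Critical"), (50, "High Risk"), (25, "Medium-High"),
    (10, "Medium"), (5, "Low Risk"), (1, "Minimal"), (0, "No Score"),
]


def parse_reputation(response):
    """Return (verdict, score). Raises ValueError for anything off-format."""
    verdict, sep, score_text = response.strip().partition(";")
    if verdict not in ("Blacklisted", "TrustedIp") or not sep or not score_text.isdigit():
        raise ValueError(f"unexpected reputation response: {response!r}")
    score = int(score_text)
    if score > 100:
        raise ValueError(f"score out of range: {score}")
    return verdict, score


def score_band(score):
    """Map a 0-100 abuse confidence score to the page's severity label."""
    for floor, label in SCORE_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"negative score: {score}")


def decide(ip, response):
    """Turn one reputation answer into the record the engine would log.
    'Blacklisted' goes to the firewall rule; 'TrustedIP' is recorded and
    never blocked, matching the page's two outcomes."""
    try:
        verdict, score = parse_reputation(response)
    except ValueError as err:
        # Assumption: an unreadable answer blocks nothing and is kept for retry.
        return {"ip": ip, "action": "Deferred", "reason": str(err)}
    action = "Blacklisted" if verdict == "Blacklisted" else "TrustedIP"
    return {"ip": ip, "action": action, "score": score, "band": score_band(score)}


if __name__ == "__main__":
    # Constructed responses; 203.0.113.x is a documentation range, not a real host.
    for ip, resp in [("203.0.113.7", "Blacklisted;85"), ("203.0.113.8", "TrustedIp;0"),
                     ("203.0.113.9", "Blacklisted;")]:
        print(decide(ip, resp))
```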
📍
Geo-Location & Map Visualisation
Feature 04 of 17

Every IP action is automatically geo-located and stored. This data is used in the desktop application for interactive maps, and embedded in your email reports to provide immediate geographic context on every threat.

| Data Collected | Example |
|---|---|
| Country | United States |
| City | Los Angeles |
| Latitude / Longitude | 34.0522 / -118.2437 |
| Postal Code | 90001 |
| Google Maps URL | Direct link to the precise location |

In-app map: Clicking any row in the Baseline or Recent Activity grid renders a live Google Maps panel directly inside SYSMarshal — no browser required.

Email maps: Reports include a static Google Maps image embedded in the email body, with red markers at each blocked IP's location, auto-centred on the average geographic position of all current threats.

🔐
Whitelist & Trusted IPs
Feature 05 of 17

Two independent protection mechanisms ensure that legitimate IPs are never blocked: your Whitelist (manually defined) and Trusted IPs (automatically populated via the reputation API).

| Mechanism | How It's Populated | Format Supported |
|---|---|---|
| Whitelist | Manually via Settings → White Listing | Single IP, IP Range (e.g. 192.168.1.10-192.168.1.100), IPv4, IPv6 |
| Trusted IPs | Automatically when the reputation API returns "TrustedIp" | Any single IP, IPv4 or IPv6 |
| Remote Whitelist | Via the Central API — changes pulled every service cycle without opening the app | Single IPs |

When you save a new whitelist entry, SYSMarshal automatically removes that IP from the firewall block rule if it was previously blocked. On every scan cycle, the whitelist is checked before any banning decision is made.

⚠️
Critical First Step
Always add your own office IP, VPN IP, and any remote admin machine IPs to the whitelist before starting the SYSMarshal service. Failure to do so may result in blocking your own access to the server.
📧
Email Alert System
Feature 06 of 17

SYSMarshal sends professionally formatted HTML security reports to any number of recipients — delivered via the SYSMarshal Cloud Mail Service. No local SMTP server or email configuration is required.

| Mode | When It Sends | Best For |
|---|---|---|
| ⚡ Immediate | Within seconds of an action being taken | High-security environments requiring instant escalation |
| 📅 Daily Summary | Once per day at a configured time | Teams reviewing security during daily standups |
| 📆 Weekly Summary | Every Saturday, covering the full prior week | Low-noise environments or executive-level reporting |

What's included in every email report:

| Element | Description |
|---|---|
| Subject Line | Report type, date/period, and action taken |
| Activity Table | IP address, country, city, timestamp, action, and hostname |
| Geographic Map | Static Google Maps image with red markers at each threat IP's location |
| Interactive Map Link | Clickable link to explore the threat map in Google Maps |
| Branded Footer | Professional SYSMarshal Dynamic Firewall Security sign-off |
🐕
Watchdog Alerts
A separate alert is triggered if the SYSMarshal service stops unexpectedly. The Watchdog sends a maximum of one alert per hour to prevent inbox flooding.
🔄
Firewall Capacity Management
Feature 07 of 17

Windows Firewall block rules have a practical limit of around 10,000 IP entries. SYSMarshal monitors this capacity and automatically manages it so there is always room to block new threats — without requiring any manual intervention.

1. Capacity Monitoring: SYSMarshal tracks the entry count in the "SYSMarshal IP Jailhouse" rule and displays live usage in the status bar as FireWall bytes: X (Y%).
2. 90% Threshold Triggered: When the rule reaches 90% capacity, automatic relief begins.
3. Archive Oldest 20%: The oldest 20% of blocked IPs are removed from the active firewall rule and marked as "Archived" in the database. No data is deleted — history is fully preserved.
4. Headroom Restored: The firewall rule now has ~20% free capacity again. The most recently active threats remain actively blocked.
💡
Data Is Never Lost
Archived IPs remain fully searchable in the Data Explorer. Only the active firewall rule entry is removed — the oldest, least-recently-active offenders are retired first, while current active threats stay protected.
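The relief cycle above, as an added Python example that is not SYSMarshal's own code. The 10,000-entry limit, the 90% trigger and the 20% archive fraction are the page's figures; the Entry record, ordering by last-seen time and the function names are assumptions.

```python
"""Firewall capacity relief as described for Feature 07 (added example, not
SYSMarshal's own code). Entries stand in for the IPs held in the single block
rule; each carries the time it was last seen so the oldest can be retired."""
from dataclasses import dataclass
from datetime import datetime, timedelta

RULE_CAPACITY = 10_000   # page: practical limit of around 10,000 entries
RELIEF_PERCENT = 90      # page: relief begins when the rule reaches 90%
ARCHIVE_PERCENT = 20     # page: the oldest 20% of blocked IPs are archived


@dataclass
class Entry:
    ip: str
    last_seen: datetime
    status: str = "Blacklisted"   # "Archived" once retired from the active rule


def usage(active, capacity=RULE_CAPACITY):
    """The status-bar figure 'FireWall bytes: X (Y%)': entry count and percent used."""
    return len(active), round(100 * len(active) / capacity, 1)


def relieve(entries, capacity=RULE_CAPACITY):
    """Return (still_active, newly_archived). Nothing is deleted: archived
    entries only change status and leave the active firewall rule."""
    active = [e for e in entries if e.status == "Blacklisted"]
    if len(active) * 100 < RELIEF_PERCENT * capacity:
        return active, []                     # headroom left, no relief needed
    by_age = sorted(active, key=lambda e: e.last_seen)   # least recently active first
    n_archive = len(active) * ARCHIVE_PERCENT // 100     # integer maths, no float drift
    for entry in by_age[:n_archive]:
        entry.status = "Archived"
    return by_age[n_archive:], by_age[:n_archive]


# Constructed sample: a rule sized for 100 entries holding 95 blocked IPs
# (203.0.113.0/24 is a documentation range, not real attackers).
BASE = datetime(2024, 1, 1)
SAMPLE = [Entry(f"203.0.113.{i}", BASE + timedelta(minutes=i)) for i in range(95)]

if __name__ == "__main__":
    print("before:", usage(SAMPLE, capacity=100))
    active, archived = relieve(SAMPLE, capacity=100)
    print("after :", usage(active, capacity=100), "archived:", len(archived))
```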
🐕
Watchdog Service
Feature 08 of 17

A separate, lightweight Windows service (SYSMarshal.Watchdog) that runs independently from the main SYSMarshal service. Its job is to monitor whether SYSMarshal itself is running — and to alert you immediately if it stops.

| State | Watchdog Behaviour |
|---|---|
| Service Running | Watchdog logs the status and does nothing — all is well. |
| Service Stopped | Watchdog sends an email alert immediately. Check interval: every 50 seconds. |
| Continued Stopped State | Watchdog sends a maximum of one alert per hour — no inbox flooding. |

Secondary function: The Watchdog also restores the required Windows Audit Policy settings once every 24 hours using AuditPol /restore — ensuring SYSMarshal always has the correct events flowing from Windows even if another tool or user has changed the policy.

🌍
Global Baseline
Feature 09 of 17

The Baseline screen shows a live feed from the SYSMarshal Central Database — a globally shared list of IP addresses flagged as malicious by SYSMarshal installations around the world. This gives you proactive intelligence about threats that haven't attacked you yet.

| What You Can See | Detail |
|---|---|
| Blacklisted IPs | Contributed by other SYSMarshal users globally |
| Confidence Score | Colour-coded from Green (minimal) to Dark Red (critical) |
| Location | Country, city, latitude, longitude of each threat IP |
| Reported Date | When the IP was added to the global database |
| WhoIs Lookup | One click to open a detailed IP ownership report |
| Embedded Map | Click any row to show that IP's location on an in-app Google Map |

Proactive blocking: Select one or more IPs from the Baseline grid and immediately add them to your local Windows Firewall block rule — even if those IPs haven't yet attacked your server. Protect yourself based on the global community's experience.

| License Tier | Baseline Access |
|---|---|
| Individual | Full global data visible; reporter hostnames anonymised |
| All-Data (Business) | Same as Individual — global data with anonymised hostnames |
| Site-License | Full hostnames, plus "View All Data" toggle for the complete global dataset |
🔍
Search & Navigation
The Baseline view supports full-text search across all columns, paginated results (up to 10,000 records per page), column sorting, and multi-row selection for bulk operations.
🤖
AI Security Assistant
Feature 10 of 17

An integrated chat interface backed by a large language model hosted on the SYSMarshal cloud. Ask security questions in plain English — no SQL knowledge or Windows expertise required. The AI uses your actual local security data as context.

| Mode | What It Does | Example |
|---|---|---|
| 💬 General Chat | Ask questions about your security data in plain English | "How many IPs were blocked yesterday?" / "Which country attacked me most?" |
| ⚡ DEFCON 1 | One-click full vulnerability scan of your machine, analysed by AI automatically | Runs a PowerShell scan, sends output to AI, returns a plain-language security assessment |
🔑
Setup Required
The AI Assistant requires an AI API Key, configured in Settings → Licensing → AI API Key. Your available credit balance is shown in the chat interface and updated after each conversation. You can purchase AI credits at sysmarshal.com/ai-topup.
🔬
Diagnostics & Event Discovery
Feature 11 of 17

An investigation tool that helps you understand exactly what is happening in your Windows event logs — especially useful when setting up SYSMarshal for the first time, or when tuning it for your specific environment.

1. Full Log Scan: SYSMarshal scans all Windows event logs in parallel, using regex matching to find any log entry containing an IP address.
2. Ranked Results: Events containing IPs are grouped by Event ID and sorted by total IP count (highest first). Already-monitored events are flagged.
3. IP Drilldown: Click the IP count for any event to see every individual IP found, with geo-location and appearance count for each.
4. Add to Monitoring: Check any event ID and click Save. SYSMarshal adds it to your monitored events list immediately — no manual event ID lookup needed.
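An added Python example of the scan the Diagnostics screen performs (not SYSMarshal's code): constructed event records are scanned for IPv4 and IPv6 addresses, grouped by Event ID, ranked by IP count and flagged against the default monitored list from Feature 02. The regex, the record shape and the sample messages are assumptions.

```python
"""Diagnostics-style event discovery (added example, not SYSMarshal's code):
scan constructed Windows event records for IPv4/IPv6 addresses, group them
by Event ID, rank by IP count and flag IDs already in the default monitored set."""
import ipaddress
import re
from collections import Counter, defaultdict

# Default monitored Event IDs from the Event Log Monitoring table.
DEFAULT_MONITORED = {4625, 5152, 5157, 4723, 1102, 4719, 18456, 5140, 5158}
# Candidate tokens: runs of hex digits, dots and colons. ipaddress, not the
# regex, decides whether a token really is an address.
TOKEN_RE = re.compile(r"[0-9A-Fa-f:.]{3,}")


def extract_ips(text):
    """Every valid IPv4/IPv6 address in text, in order of appearance."""
    found = []
    for token in TOKEN_RE.findall(text):
        try:
            found.append(str(ipaddress.ip_address(token.rstrip("."))))
        except ValueError:
            continue        # timestamps, hex-looking words, port numbers
    return found


def discover(events, monitored=DEFAULT_MONITORED):
    """events: iterable of (log_name, event_id, message). Returns one row per
    Event ID that contained at least one IP, highest total IP count first."""
    per_event, log_of = defaultdict(Counter), {}
    for log_name, event_id, message in events:
        ips = extract_ips(message)
        if ips:
            per_event[event_id].update(ips)
            log_of[event_id] = log_name
    rows = [{"log": log_of[eid], "event_id": eid, "total_ips": sum(c.values()),
             "ips": dict(c), "monitored": eid in monitored}
            for eid, c in per_event.items()]
    rows.sort(key=lambda r: r["total_ips"], reverse=True)
    return rows


# Constructed sample records (documentation addresses, not real hosts).
SAMPLE_EVENTS = [
    ("Security", 4625, "An account failed to log on. Source Network Address: 203.0.113.7 Source Port: 51234"),
    ("Security", 4625, "An account failed to log on. Source Network Address: 203.0.113.7 Source Port: 51240"),
    ("Security", 4625, "An account failed to log on. Source Network Address: 2001:db8::1 Source Port: 4400"),
    ("Security", 5157, "The Windows Filtering Platform has blocked a connection. Source Address: 198.51.100.5 Destination Address: 10.0.0.4 Destination Port: 3389"),
    ("Application", 18456, "Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.9]"),
    ("Security", 4624, "An account was successfully logged on. Source Network Address: 198.51.100.77"),
    ("System", 7036, "The Print Spooler service entered the running state."),
]

if __name__ == "__main__":
    for row in discover(SAMPLE_EVENTS):
        flag = "monitored" if row["monitored"] else "NOT monitored"
        print(f'{row["log"]:12} {row["event_id"]:6} {row["total_ips"]:3} IPs  {flag}')
```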
📊
Security Reports & Dashboards
Feature 12 of 17

SYSMarshal includes a built-in report engine and a live status bar dashboard that updates every 10 seconds.

| Report Type | What's Included |
|---|---|
| 📋 Executive Summary | Total threats blocked, top attacking countries, most targeted ports, and attack frequency trend lines |
| 🌍 Top Attack Countries | Ranked breakdown of countries generating the most blocked IP traffic, with counts and percentages |
| 🔍 Attack Pattern Analysis | Detailed attack vectors, unique attacking IPs, patterns grouped by source characteristics, full blocked IP grid with geo-location and network detail |

All reports can be exported to PDF, XLS, DOCX, HTML, or printed directly from the built-in report viewer.

Live Status Bar — updates every 10 seconds, visible at the bottom of the SYSMarshal application at all times:

| Indicator | Shows |
|---|---|
| SYSMarshal SVC | Running / Stopped / Not Installed |
| IPv4 / IPv6 | Local machine IP addresses |
| FireWall bytes | X (Y%) — current rule capacity |
| Hostname | Machine name |
| License | License type in use |
| RDP Port | Auto-detected configured RDP port |
| Blacklisted IPs | Live count of currently blocked IPs |
| Whitelisted IPs | Count of whitelisted entries |
| CentralDBstatus | Running / Not Running / Bad API key |
| LocalDBstatus | Online / Offline |
| Chk Open Ports | Clickable — opens the Port Monitor |
| SYSMarshal V. | Current installed version |
🔌
Port Connection Monitor
Feature 13 of 17

A live snapshot of all open TCP and UDP ports on your server — similar to running netstat, but presented in a clean, filterable grid for quick network exposure assessment.

What it shows: TCP listeners, UDP listeners, the local IP each port is bound to, and the port number and protocol. Access it via the "Chk Open Ports" shortcut in the status bar.

Use cases: Identify unexpected open services, confirm which port RDP is listening on, and discover ports that may be unnecessarily exposing your server.

🔑
Service & Licensing
Feature 14 of 17

SYSMarshal uses an API key combined with your machine's hardware fingerprint (BIOS serial number) to validate and enforce its subscription. The desktop application manages the service lifecycle directly.

| License State | What Happens |
|---|---|
| ✅ Running (Valid) | Full functionality active — all features available |
| ⚠️ Bad API Key | Invalid key — reputation lookups fail; service continues with local monitoring only |
| ⚠️ Not Running | API unreachable — service continues without cloud intelligence |
| ❌ Expired | Core monitoring tabs disabled; renewal is required |
ℹ️
12-Hour Grace Period
If your license becomes invalid (e.g. during a brief API outage), SYSMarshal continues to operate normally for 12 hours. After 12 hours, the service stops to enforce the license. This prevents disruption from temporary connectivity issues.

Choose the tier that fits your needs:

Individual ($99 / year):
- Full local IP blocking
- Global Baseline (anonymised)
- All 17 core features
- Email alerts
- AI Assistant (with credits)
Site-License (from $90 / year):
- Everything in All-Data
- Full hostnames in Baseline
- "View All Data" global toggle
- Cross-site data visibility
- Volume pricing available
⬆️
Automatic Updates
Feature 15 of 17

SYSMarshal includes a lightweight Patcher (Patcher.exe) that checks for new versions on every startup and applies them automatically — keeping you protected with the latest threat intelligence and feature improvements.

1. Version Check: On startup, SYSMarshal queries the Central API for the latest available version number.
2. Comparison: The installed version is compared to the latest using semantic versioning.
3. Update Prompt: If a newer version is available, you are prompted: "There is a new version (X.Y.Z) available, do you want to update?"
4. Automatic Apply: If confirmed, the Patcher launches with elevated privileges and applies the update automatically.
📋
Audit Policy Enforcement
Feature 16 of 17

SYSMarshal depends on Windows Security Auditing to generate the event log entries it monitors. If audit policies are disabled — accidentally or deliberately — key Event IDs stop appearing in the logs, and SYSMarshal cannot detect attacks.

To protect against this, SYSMarshal ships with a pre-configured Audit Policy file (POL_MMC\policy.csv). On every application launch and every 24 hours via the Watchdog, SYSMarshal runs:

⚙️
Automatic Policy Restore Command
AuditPol /restore /file:policy.csv — this restores the required audit policy to the correct configuration, even if another tool, administrator, or attacker has changed or disabled it.
🚨
Why This Is Critical
Attackers frequently disable Windows audit logging as one of their first steps — to hide their activity from security tools. SYSMarshal detects this through event ID 4719 (Audit Policy Changed) and reverses it automatically. Without this protection, SYSMarshal's data feed could be silently disabled.
🗄️
Data Explorer
Feature 17 of 17

A full data browsing interface built into SYSMarshal. Gives administrators direct read access to all data in the local SQL Server database — without needing SQL Server Management Studio or any external tool.

| Table | What It Contains |
|---|---|
| Recent Activities | Full history of every IP action: blacklisted, whitelisted, trusted, archived |
| Whitelist | Current whitelist entries with timestamps |
| Monitored Events | Configured event IDs, names, log names, and enabled/disabled status |
| Logs | Internal application activity and debug log |
| Settings | Current configuration values |
| Range List | Configured IP range entries |
| Firewall Backup | Snapshots of the firewall rule state |

In-app actions available from the Recent Activities view:

| Action | What It Does |
|---|---|
| View | Open the full detail record for any IP action |
| Mark as Whitelisted | Change a previously blacklisted IP to whitelisted status |
| Mark as Trusted | Promote an IP to trusted status |
| Open Google Maps | View the IP's geographic location in a browser |
❓
Frequently Asked Questions
Before activating the service, go to Settings → White Listing and add your own IP addresses — your office connection, VPN, and any remote admin machine IPs. This prevents SYSMarshal from accidentally blocking your own access to the server. This is the single most critical setup step.
No. SYSMarshal creates and manages a single dedicated firewall rule called "SYSMarshal IP Jailhouse". All blocked IPs are written exclusively to this rule. Your existing firewall rules, policies, and configurations are left completely untouched.
SYSMarshal includes a 12-hour grace period. If the license becomes invalid, the service continues operating normally for 12 hours — protecting against brief API outages. If the API is simply unreachable (but the key is valid), the service continues running using local data only, without cloud intelligence. After 12 hours of an invalid license, the service stops to enforce the subscription.
Go to the Data Explorer (Feature 17), open the Recent Activities table, find the IP address, and click "Mark as Whitelisted". SYSMarshal will remove it from the firewall block rule automatically and add it to the whitelist to prevent re-blocking. Alternatively, add the IP directly via Settings → White Listing.
Yes. SYSMarshal monitors Windows Application event log entry 18456 (SQL Server login failure) by default. Any IP triggering repeated SQL login failures will be automatically blocked according to your configured threshold. This protects on-premises SQL Server instances from brute-force attacks without any additional configuration.
Individual and All-Data licenses show the global Baseline threat feed with anonymised reporter hostnames. The Site-License additionally shows the full hostnames of machines reporting each IP globally, and includes a "View All Data" toggle for access to the complete global dataset. Site-License is designed for organisations managing multiple servers who need cross-site visibility.
Yes. SYSMarshal fully supports both IPv4 and IPv6 throughout the entire pipeline — event log extraction, whitelist checking, reputation lookup, and Windows Firewall rule insertion all handle both address families transparently and automatically.
Use the Diagnostics screen (Feature 11). It performs a parallel scan of all Windows event logs, groups results by Event ID sorted by IP count, and flags which events are already monitored. You can then check any Event ID in the results and click Save to add it directly to monitoring — no manual lookup required.