ExfilGuardian
Getting started

Deployment

Deploy ExfilGuardian on Windows Server infrastructure

Infrastructure

ExfilGuardian requires two Windows Server machines (or VMs):

RolePurposeDefault Ports
ServerRuns exfil-server (gRPC + REST + analysis pipeline)50051 (gRPC), 8080 (REST)
ClientTarget endpoint with driver + agent installedN/A (outbound to server)

The server receives telemetry from all clients and runs the detection pipeline. Each client runs the kernel driver and agent.


Production (Dokploy + docker-compose)

In production the whole backend runs as a docker-compose stack on Dokploy (which manages Traefik and TLS):

ServiceRoleDomain
apiRust server — REST (:8080) + gRPC (:50051)api.exfilguardian.inkwei.com (REST) · <host>:50051 (gRPC, agents connect directly)
appNext.js dashboard, standalone server mode (auth runs in prod)exfilguardian.inkwei.com
docsThis documentation site (fumadocs, standalone)docs.exfilguardian.inkwei.com
postgres + db-initBetter Auth store + Drizzle schema push + demo-admin seedinternal only

mTLS is ON by default. Agent/driver binaries are pushed onto the server's /static via POST /api/v1/artifacts (guarded by EXFIL_DEPLOY_TOKEN) before enrolling. Every variable is documented in .env.deploy.example; Dokploy attaches each domain to its service + port in its Domains UI.

The steps below describe the manual / lab deployment (two Windows Server VMs), still valid for a self-hosted server without Dokploy.


Step 1: Build the Binaries

On a Windows machine with Rust stable + nightly + WDK installed:

Build the driver

cd driver
cargo make

This produces in driver/target/:

  • exfil_guardian.sys: the kernel driver
  • exfil_guardian.inf: driver install manifest
  • exfil_guardian.cat: driver catalog (signature)
  • driver.cer: test signing certificate

Build the server, agent, and certs generator

cargo build -p exfil-server -p exfil-agent -p exfil-certs-gen --release

Binaries are in target/release/:

  • exfil-server.exe
  • exfil-agent.exe
  • exfil-certs-gen.exe

Step 2: Prepare the Server

Copy files to server/static/

The server serves binaries to clients during enrollment. Copy the driver artifacts and agent binary into server/static/:

# From the repo root
Copy-Item driver/target/debug/driver.cer server/static/driver
Copy-Item driver/target/debug/exfil_guardian_package/exfil_guardian.sys server/static/
Copy-Item driver/target/debug/exfil_guardian_package/exfil_guardian.inf server/static/
Copy-Item driver/target/debug/exfil_guardian_package/exfil_guardian.cat server/static/
Copy-Item target/release/exfil-agent.exe server/static/

The naming matters: the enrollment script expects these exact filenames at /static/*.

Start the server

cargo run -p exfil-server

Or with the release binary:

.\target\release\exfil-server.exe

The server reads config.yaml for addresses and analysis tuning. Default: gRPC on 0.0.0.0:50051, REST on 0.0.0.0:8080.

On first startup, the server generates CA and server certificates in certs_rcgen/ if they don't exist.


Step 3: Enroll a Client

Generate an enrollment token

From any machine with HTTP access to the server:

Invoke-RestMethod -Method Post -Uri "http://<SERVER_IP>:8080/api/v1/agent/tokens"

Response:

{
  "token": "a1b2c3d4-...",
  "command": "Invoke-RestMethod -Uri \"http://<SERVER_IP>:8080/api/v1/enroll/windows?token=a1b2c3d4-...\" | Invoke-Expression"
}

The token is single-use and stored in memory on the server.

Run the enrollment on the client

Copy the command value from the response and run it in an elevated PowerShell session on the target Windows machine:

Invoke-RestMethod -Uri "http://<SERVER_IP>:8080/api/v1/enroll/windows?token=a1b2c3d4-..." | Invoke-Expression

This script automatically:

  1. Creates C:\Program Files\ExfilGuardian\ and certs\
  2. Writes the mTLS certificates (agent cert signed by server CA)
  3. Downloads exfil-agent.exe, exfil_guardian.sys, .inf, .cat, driver.cer from the server
  4. Imports the driver certificate into Cert:\LocalMachine\Root and Cert:\LocalMachine\TrustedPublisher
  5. Installs the driver package via pnputil.exe /add-driver
  6. Sets HKLM\SOFTWARE\ExfilGuardian\TargetUrl to the server's gRPC address
  7. Creates Windows services: ExfilGuardian (kernel, demand-start) and ExfilAgent (user-mode, auto-start)
  8. Starts both services (driver first, agent after 2-second delay)

Verify

On the client, check services are running:

Get-Service ExfilGuardian, ExfilAgent

On the server, check agent connection in the logs. You can also query metrics:

Invoke-RestMethod -Uri "http://<SERVER_IP>:8080/api/status"
# {"status":"Running","version":"0.3.0-analysis"}

Invoke-RestMethod -Uri "http://<SERVER_IP>:8080/api/v1/metrics"
# {"packets_received":142857,"active_flows":23,...}

Troubleshooting

Agent won't start

Check the agent log file next to the executable (e.g., exfil-agent.log).

Common causes:

  • Driver not started: sc start ExfilGuardian (driver must start before agent)
  • Registry missing: Verify HKLM\SOFTWARE\ExfilGuardian\TargetUrl is set
  • Server unreachable: Check firewall rules for port 50051

Driver won't load

  • Test signing: Enable test signing on the client: bcdedit /set testsigning on (reboot required)
  • Certificate not trusted: Verify driver.cer is in both Root and TrustedPublisher certificate stores
  • OS version mismatch: The driver must be compiled on the same Windows version as the target (or a compatible one)

gRPC connection fails

  • Check the server is listening on port 50051: netstat -an | findstr 50051
  • Ensure no firewall blocks the port between client and server
  • If mTLS is enabled, verify agent certificate is signed by the server's CA

No alerts showing

  • The behavioral baseline needs a learning period (default: 15 days) before anomaly detection activates
  • DPI and signature detections are immediate; try generating DNS tunneling traffic to test
  • Check /api/v1/metrics to see if packets are being received and flows processed

On this page