Enterprise-grade security analysis for Windows servers and workstations, powered by local AI.
- ✅ Windows Server Security - IIS, Active Directory, RDP analysis
- ✅ PowerShell Integration - Native Windows administration
- ✅ Event Log Analysis - Security, System, Application logs
- ✅ Windows Defender - Antivirus status, scanning, and configuration
- ✅ Malware & Rootkit Detection - Comprehensive threat scanning with AI analysis
- ✅ SMB Security - Network share and SMB version checks
- ✅ Firewall Analysis - Windows Firewall configuration review
- ✅ Registry Security - Security-critical registry settings and persistence detection
- ✅ Active Directory - Domain security assessment (when applicable)
- Windows 10/11 or Windows Server 2016+
- PowerShell 5.1 or higher
- 8GB RAM minimum (16GB+ recommended for 70B model)
- 50GB free disk space
- Administrator privileges
- .NET Framework 4.7.2 or higher
- Internet connection (initial setup only)
- Download the repository:

```powershell
git clone https://github.com/barrersoftware/ai-security-scanner.git
cd ai-security-scanner\windows
```

- Run installer as Administrator:

```powershell
# Right-click PowerShell and select "Run as Administrator"
Set-ExecutionPolicy Bypass -Scope Process -Force
.\install.ps1
```
The installer will:
- Install Chocolatey package manager (if needed)
- Install required dependencies (curl, jq)
- Install and configure Ollama
- Download your chosen AI model
- Set up security scanner scripts
- Configure system PATH
- Install Chocolatey:

```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
```

- Install dependencies:

```powershell
choco install curl jq -y
```

- Install Ollama:
  - Download from ollama.com/download
  - Or use Chocolatey:

```powershell
choco install ollama -y
```

- Start Ollama:

```powershell
ollama serve
```

(Keep this window open or run as a service)

- Install AI model:

```powershell
# Choose based on your RAM
ollama pull llama3.1:8b   # For 16GB RAM
# OR
ollama pull llama3.1:70b  # For 32GB+ RAM
```

- Copy scripts:

```powershell
$installDir = "$env:ProgramFiles\AISecurityScanner"
New-Item -ItemType Directory -Force -Path $installDir
Copy-Item -Path ".\scripts\*" -Destination $installDir -Recurse
```
Run a complete Windows security audit:

```powershell
cd "$env:ProgramFiles\AISecurityScanner"
.\SecurityScanner.ps1
```

What it scans:
- System configuration and user accounts
- IIS web server (if installed)
- RDP and remote access settings
- File system permissions
- Network configuration and SMB
- Windows Defender and updates
- Installed applications
- Event logs (Security, System, Application)
Output: Detailed report in Documents\SecurityReports\
Comprehensive malware detection with Windows Defender:

```powershell
.\MalwareScanner.ps1
# OR for quick scan
.\MalwareScanner.ps1 -QuickScan
# OR for full scan
.\MalwareScanner.ps1 -FullScan
```

What it scans:
- Windows Defender virus/malware scan with latest definitions
- Running processes and network connections
- File system for malware indicators (temp files, hidden files, startup items)
- Registry persistence mechanisms
- Web shells in IIS directories
- Network configuration and suspicious DNS queries
- Scheduled tasks and autorun locations
Output: Detailed report in Documents\security-reports\malware_scan_*.md
Chat with AI security expert:

```powershell
.\SecurityChat.ps1
```

Example questions:
- "How do I secure RDP on Windows Server?"
- "What are the best practices for Active Directory security?"
- "How to detect if my Windows server is compromised?"
- "Analyze this suspicious PowerShell command: [command]"
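To show how the local-AI step behind SecurityChat.ps1 can be reproduced from any script, here is an added example (not the project's own code) that posts a constructed scanner finding to Ollama's HTTP API on its default port 11434 and returns the model's reply. The model name, endpoint and prompt wording are assumptions you can override.

```powershell
# Added example, not part of the scanner's scripts. Assumes 'ollama serve' is
# running locally on the default port and the chosen model has been pulled.
function Invoke-LocalAIAnalysis {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Model = 'llama3.1:8b',                        # assumption: default model
        [string]$BaseUri = 'http://localhost:11434'            # Ollama default listener
    )

    # Confirm the model is available before sending a long prompt
    $models = (Invoke-RestMethod -Uri "$BaseUri/api/tags" -Method Get).models.name
    if ($models -notcontains $Model) {
        throw "Model '$Model' is not pulled. Available: $($models -join ', ')"
    }

    $prompt = @"
You are a Windows security analyst. Review the following scanner finding and
explain the risk and the recommended remediation as a short list.

$Text
"@
    # stream=false makes Ollama return one JSON object with a 'response' field
    $body = @{ model = $Model; prompt = $prompt; stream = $false } | ConvertTo-Json -Depth 3
    try {
        $reply = Invoke-RestMethod -Uri "$BaseUri/api/generate" -Method Post `
            -Body $body -ContentType 'application/json' -TimeoutSec 300
    } catch {
        throw "Ollama request failed: $($_.Exception.Message)"
    }
    return $reply.response
}

# Constructed sample finding in the shape a scanner check might emit
$sample = 'Area=Network Check="SMBv1 disabled" Status=FAIL Detail="EnableSMB1Protocol=True on host SRV01 (constructed)"'
Invoke-LocalAIAnalysis -Text $sample
```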
Scan code for vulnerabilities:

```powershell
.\CodeReview.ps1 "C:\inetpub\wwwroot\myapp"
```

Supports: PowerShell, C#, JavaScript, Python, PHP, Java, C/C++
```powershell
# Create scheduled task for 3:30 AM daily
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument "-File `"$env:ProgramFiles\AISecurityScanner\SecurityScanner.ps1`""
$trigger = New-ScheduledTaskTrigger -Daily -At 3:30AM
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "AI Security Scan" -Action $action -Trigger $trigger -Principal $principal

# Verify the task was registered
Get-ScheduledTask -TaskName "AI Security Scan"
```

- Local user accounts and password policies
- Administrator group membership
- Failed login attempts from Event Log
- Scheduled tasks
- Auto-start programs in registry
- IIS service status and configuration
- Website bindings and SSL
- Application pool isolation
- Anonymous authentication
- Request filtering
- RDP status and configuration
- RDP port (default vs custom)
- Network Level Authentication (NLA)
- WinRM configuration
- OpenSSH server (if installed)
- Listening ports and services
- Active network connections
- Network shares and permissions
- SMB version (SMBv1 detection)
- DNS configuration
- Real-time protection status
- Scan history and frequency
- Exclusion paths (potential risks)
- Windows Update status
- Missing critical updates
- World-writable directories
- Excessive permissions on executables
- System32 directory protection
- Program Files security
- Failed login attempts (Event ID 4625)
- Successful logins (Event ID 4624)
- System errors
- Application crashes
- Security policy changes
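A minimal stand-alone version of several of the checks listed above (SMBv1, RDP NLA, Defender real-time protection and exclusions, firewall profiles, and Event ID 4625 failed logons grouped by source address), added here as an example and not taken from the scanner's own scripts. It assumes an elevated PowerShell 5.1+ session with the SmbShare, NetSecurity and Defender modules present; the PASS/FAIL/REVIEW thresholds are constructed.

```powershell
# Added example, not part of the scanner. Returns findings as objects so they
# can be filtered, exported to the report directory, or passed to the AI model.
function Get-BaselineFindings {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Area, $Check, $Status, $Detail) {
        $findings.Add([pscustomobject]@{ Area = $Area; Check = $Check; Status = $Status; Detail = $Detail })
    }

    # SMBv1 should be disabled on the server side
    $smb = Get-SmbServerConfiguration
    Add-Finding 'Network' 'SMBv1 disabled' $(if ($smb.EnableSMB1Protocol) { 'FAIL' } else { 'PASS' }) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"

    # RDP: NLA is enforced when UserAuthentication = 1 on the RDP-Tcp listener
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
    $nla = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication
    Add-Finding 'RDP' 'NLA required' $(if (-not $rdpEnabled -or $nla -eq 1) { 'PASS' } else { 'FAIL' }) "RDP enabled=$rdpEnabled; UserAuthentication=$nla"

    # Defender: real-time protection on, exclusion paths flagged for review
    $mp = Get-MpComputerStatus
    Add-Finding 'Defender' 'Real-time protection' $(if ($mp.RealTimeProtectionEnabled) { 'PASS' } else { 'FAIL' }) "Signature age (days)=$($mp.AntivirusSignatureAge)"
    $excl = (Get-MpPreference).ExclusionPath
    Add-Finding 'Defender' 'Exclusion paths' $(if ($excl) { 'REVIEW' } else { 'PASS' }) ($excl -join '; ')

    # Firewall: every profile (Domain/Private/Public) should be enabled
    foreach ($p in Get-NetFirewallProfile) {
        Add-Finding 'Firewall' "$($p.Name) profile enabled" $(if ($p.Enabled) { 'PASS' } else { 'FAIL' }) "DefaultInboundAction=$($p.DefaultInboundAction)"
    }

    # Failed logons (4625) in the lookback window, top source addresses from the event XML
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 2000 -ErrorAction SilentlyContinue)
    $top = $events | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object Name -eq 'IpAddress').'#text'
    } | Group-Object | Sort-Object Count -Descending | Select-Object -First 5
    $detail = ($top | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    Add-Finding 'EventLog' "Failed logons (last $LookbackHours h)" $(if ($events.Count -gt 50) { 'REVIEW' } else { 'PASS' }) "total=$($events.Count); top sources: $detail"

    return $findings
}

Get-BaselineFindings | Format-Table -AutoSize
```

Pipe the result to `Export-Csv` or `ConvertTo-Json` to drop it into the same report directory the scanner uses.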
Edit any script and modify:

```powershell
$MODEL = "llama3.1:8b" # Change to your preferred model
```

Edit SecurityScanner.ps1 and adjust:
- Number of events to analyze (-MaxEvents)
- Paths to scan
- Services to check
- Report sections

```powershell
$REPORT_DIR = "D:\SecurityReports" # Custom location
```

```powershell
# Check if Ollama is running
Get-Process ollama
# Restart Ollama
Stop-Process -Name ollama -Force
Start-Process ollama -ArgumentList "serve" -WindowStyle Hidden
```

```powershell
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
```

```powershell
# Install required modules
Install-Module -Name WebAdministration -Force
Import-Module WebAdministration
```

- Use smaller model:

```powershell
ollama pull llama3.1:8b
```

- Close other applications
- Increase page file size
The scanner checks for:
- Disable SMBv1 - Known security vulnerability
- Enable NLA for RDP - Prevents unauthorized access
- Windows Firewall - Ensure it's enabled and configured
- Strong Password Policy - Complex passwords required
- Principle of Least Privilege - Minimize admin accounts
- Windows Update - Install security patches
- Defender Real-Time Protection - Always enabled
- Audit Logging - Track security events
- Remove Unnecessary Services - Reduce attack surface
- Secure Network Shares - Proper permissions
```powershell
$report = Get-Content "Documents\SecurityReports\security_analysis_*.md" | Out-String
Send-MailMessage -To "admin@company.com" -From "security@company.com" -Subject "Security Scan Report" -Body $report -SmtpServer "smtp.company.com"
```

```powershell
$webhook = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
$report = Get-Content "Documents\SecurityReports\security_analysis_*.md" -First 50
$body = @{ text = "Security Scan Complete: $report" } | ConvertTo-Json
Invoke-RestMethod -Uri $webhook -Method Post -Body $body -ContentType 'application/json'
```

For domain controllers and AD environments:

```powershell
# Additional checks can be added:
Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires
Get-ADGroup "Domain Admins" -Properties Members
Get-GPOReport -All -ReportType Html -Path "GPOReport.html"
```

- 8GB RAM: Use llama3.2:3b model (fast)
- 16GB RAM: Use llama3.1:8b model (balanced)
- 32GB+ RAM: Use llama3.1:70b model (best quality)
- Scan Time: 5-15 minutes depending on system size and model
- Issues: GitHub Issues
- Windows-specific questions: Tag with the `windows` label
- Documentation: Main README
MIT License - see LICENSE file
Made for Windows administrators and security professionals 🪟🛡️