User Manual

Set up Guardian, activate a device, and operate the app with confidence.

This is the practical playbook for the live product: account setup, billing, activation, alert response, baselines, vault workflows, and troubleshooting. For architecture and model internals, use the technical reference.

  • 5: Core setup steps from account creation to first protected device
  • 4: Alert tiers: Monitoring, Under Review, Investigation Required, and Action Required
  • 2: On-device detection layers working together on one machine
  • Local: Core detection inference runs on-device without required cloud scoring

01 — Quick Start

The shortest path to a working Guardian install

If you only need the practical setup path, follow these five steps in order. This matches the current live website and desktop flow.

1. Create your account

Open Create Account, enter your email and password, and verify the email using the code sent to your inbox. Registration is not complete until the verification code is accepted.

2. Choose a plan

Use the checkout page to choose monthly or annual billing, confirm the billing email, and continue into Stripe. Checkout is available in the United States and certain other countries; the EEA, UK, Switzerland, and U.S.-sanctioned regions are not supported.

3. Get your activation token

After purchase, your activation token is available in your account area. Keep it private because it is used to activate protected devices tied to your subscription.

4. Download the Windows app

Download Guardian from the account page (Windows installer from this site; saves to your Downloads folder). Install it on the Windows device you want to protect.

5. Activate the device

On first launch, enter the billing email and activation token in the desktop activation overlay. If a device is later removed from your account, that machine must be activated again.

02 — Account + Billing

What the website account area is for

The website handles registration, sign-in, checkout, password resets, subscription visibility, the activation token, and registered-device management.

Registration and sign-in

  • Registration uses email plus password only.
  • Email verification is part of account creation.
  • The sign-in page is the entry point for existing users.
  • If you forget your password, use the reset flow and the emailed reset code.

Checkout and billing

  • Checkout lets you choose monthly or annual billing before Stripe opens.
  • The billing email matters because receipts and activation context are tied to it.
  • Stripe handles payment entry; card details do not pass through the website directly.
  • If your subscription becomes inactive, the desktop app will show the inactive overlay until the subscription is renewed.

My Account page

  • View your sign-in email and change your password.
  • See the current plan and subscription status.
  • Reveal or copy the activation token.
  • Download Guardian for Windows.

Registered devices

  • The account page lists registered devices and the current device-limit usage.
  • Removing a device is useful when you replace or retire a computer.
  • After removal, that Windows machine must be re-activated if you want to keep using Guardian there.
  • If you hit the device limit, remove an old device before activating another.

03 — Desktop App

What each desktop area is for

The Windows app is organized into main sidebar views. If subscription status is missing or inactive, the activation or renewal overlay appears before normal dashboard access.

Dashboard

Shows overall protection state, counts for Investigation Required and Action Required, Under Review summaries, and a tier-marked timeline for recent activity.

Alerts

Shows actionable review lanes (user-installed and newly discovered executables), plus dedicated tabs for Windows OS, signed software, hardware processes, and background monitoring.

Investigation Required

Tier 3 deviation work that has not yet reached operational Tier 4: review the evidence, use Suggested Actions on protected categories, and wait for corroboration before taking destructive steps.

Action Required

Operational Tier 4 only: corroborated escalation that needs an immediate decision (quarantine when eligible, or follow Windows Security / Defender guidance).

Configuration Posture

Compares local snapshots of Defender, firewall, and related Windows settings against a reference you establish. Drift and unacknowledged incidents can surface review items.
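
The snapshot-against-reference idea can be reproduced by hand in PowerShell. This is an added example, not Guardian's own code; the settings chosen and the reference file location are assumptions.

```powershell
# Added example, not Guardian's code. Run elevated: Defender hides its
# exclusion lists from non-administrators. The file location is hypothetical.
param([string]$ReferencePath = (Join-Path $env:ProgramData 'posture-reference.json'))

function Get-PostureSnapshot {
    # Flatten the settings of interest into name -> string pairs.
    $mp = Get-MpPreference
    $snapshot = [ordered]@{
        'Defender.DisableRealtimeMonitoring' = [string]$mp.DisableRealtimeMonitoring
        'Defender.DisableBehaviorMonitoring' = [string]$mp.DisableBehaviorMonitoring
        'Defender.ExclusionPath'    = (@($mp.ExclusionPath) | Sort-Object) -join ';'
        'Defender.ExclusionProcess' = (@($mp.ExclusionProcess) | Sort-Object) -join ';'
    }
    foreach ($fw in Get-NetFirewallProfile) {
        $snapshot["Firewall.$($fw.Name).Enabled"] = [string]$fw.Enabled
        $snapshot["Firewall.$($fw.Name).DefaultInboundAction"] = [string]$fw.DefaultInboundAction
    }
    return $snapshot
}

function Compare-Posture {
    param([System.Collections.IDictionary]$Reference,
          [System.Collections.IDictionary]$Current)
    # Report settings that changed, appeared, or disappeared.
    $keys = @($Reference.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($k in $keys) {
        if ($Reference[$k] -ne $Current[$k]) {
            [pscustomobject]@{ Setting = $k; Reference = $Reference[$k]; Current = $Current[$k] }
        }
    }
}

$current = Get-PostureSnapshot
if (-not (Test-Path -LiteralPath $ReferencePath)) {
    # First run: establish the reference from a state you trust.
    $current | ConvertTo-Json | Set-Content -LiteralPath $ReferencePath -Encoding UTF8
    "Reference saved to $ReferencePath"
} else {
    # Later runs: load the reference back into a dictionary and diff.
    $reference = @{}
    (Get-Content -LiteralPath $ReferencePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $reference[$_.Name] = $_.Value }
    $drift = @(Compare-Posture -Reference $reference -Current $current)
    if ($drift.Count) { $drift | Format-Table -AutoSize } else { 'No drift from reference.' }
}
```

A new entry under `Defender.ExclusionPath` or a firewall profile switching to disabled shows up as one row of drift.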

Vault

Holds quarantined files and the restore/delete history. A quarantined file can no longer execute until it is restored.

Baseline Recordings

Where you record trusted per-app or whole-system clean behavior so Guardian can personalize local thresholds on your PC.

Settings

Used for global sensitivity, monitor-only behavior, and other device-side operating preferences. Use Check for Updates to install the latest build from the same release channel as the website installer (no in-app browser checkout).

04 — Alerts

How Guardian classifies, escalates, and responds to suspicious activity

Guardian uses local anomaly scores to move activity through review tiers. Different process categories expose different actions so the app does not offer unsafe remediation for Windows or driver components.

Tier 1: Background Monitoring

A process has been flagged at least once, but not strongly enough to demand immediate action. Guardian keeps watching it quietly.

Tier 2: Under Review

Suspicious behavior is becoming consistent. User-installed processes appear in actionable review lanes; protected system categories stay in their own tabs. You can Acknowledge to return a card to monitoring; it may re-escalate if activity continues.

Tier 3: Investigation Required

Strong sustained deviation from baseline: a behavioral signal, not a final verdict. Work is routed to the Investigation Required sidebar view so you can review evidence before any destructive step.

Tier 4: Action Required

Operational Tier 4 only: corroborated escalation (for example correlated secondary indicators or Defender-confirmed routing). Quarantine appears when category and path rules allow it, not on every row.

Alert lanes you will see

  • Actionable Alerts: Tier 2 user-installed processes and newly discovered executables that need review.
  • Investigation Required: deviation Tier 3 follow-up before operational Tier 4.
  • Action Required: operational Tier 4 only; immediate decisions when corroboration clears the bar.
  • Windows OS Processes: core Windows components that cannot safely be quarantined.
  • Signed Software: known vendor software behaving unexpectedly.
  • Hardware Processes: driver and peripheral vendor software where quarantine is blocked to avoid destabilizing the system.
  • Behavioral pattern alerts: system-level suspicious patterns that are not tied to one executable file.
  • Background Monitoring: Tier 1 processes under quiet observation.

What the action buttons mean

  • Information: opens the alert's context (process history, layer scores, and guidance). The button name matches the dialog title you see in the app.
  • Quarantine: moves the executable into the vault so it cannot restart from disk. Shown only when eligibility rules allow (commonly user-installed paths and corroborated items on Action Required).
  • Investigate: opens the behavioral-pattern explanation and investigation guidance.
  • Acknowledge: moves the alert back to monitoring while keeping the process under watch.
  • Dismiss: removes the alert from active monitoring until a future anomaly creates a new alert.
  • Suggested Actions / Open Windows Security: directs remediation for Windows, signed, hardware, or Defender-confirmed cases.

05 — Baselines + Vault

How local personalization and the vault work

Guardian ships with fixed ONNX models. Local recordings do not retrain model weights; they derive bounded local thresholds on your machine so Guardian can better separate trusted behavior from true anomalies.

Per-application baseline

Record a clean lifecycle for one trusted executable. This is the right tool when one app repeatedly raises false positives and you want Guardian to learn a tighter local envelope for that process on your PC.

Whole-system baseline

Record a machine state you trust. This can expand process coverage and contribute clean behavioral windows for the slower machine-wide layer. Use it only on a clean, stable system state you actually trust.

Merge and re-record

If a trusted application changes meaningfully over time, recording again can improve local coverage. Guardian treats the resulting baseline information as additive local context rather than a model-weight change.

Monitor Only Mode

Useful when you want to observe without quarantining. In this mode, the app replaces quarantine-first actions with review/detail behavior so you can evaluate alerts conservatively.

Quarantine Vault

  • Quarantined: files currently isolated and unable to execute from their original path.
  • Restored: files you explicitly put back.
  • Permanently Deleted: deletion history for files removed from the vault.

Restore carefully

Restoring a file gives it the ability to run again. Only restore if you are confident the quarantine was a false positive and you understand why the file was moved.

06 — Support + Troubleshooting

What to do when the flow does not go as expected

Most issues fall into a few predictable buckets: email delivery, inactive subscriptions, device limits, or alert interpretation. Start with the simplest explanation.

I did not get a verification or reset email

Check spam or filtered folders first. If the website flow says the request was accepted but the message never arrives, use the support form and include the email address you used.

The app says my subscription is inactive

Sign in on the website, confirm subscription status, and renew if needed. Once the account is active again, return to the app and retry activation or renewal.

I reached the device limit

Open the account page, remove an old device, then activate the current machine again using the same billing email and token.

I think an alert is a false positive

Open Information on the card first. If the process is trusted, Acknowledge can move it back to monitoring, and a clean baseline recording can make future evaluation more accurate on your PC.

Windows Defender or SmartScreen blocked Guardian

Guardian is not yet code-signed with a publisher certificate, so Windows may flag the installer or monitor as unknown software. Download only from this website, use More info → Run anyway on SmartScreen if needed, and add a Defender exclusion for %LOCALAPPDATA%\AI Malware Guardian\ if the monitor is quarantined. You can submit a false-positive report to Microsoft if desired.
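
The checks behind this advice, as an added PowerShell example that is not part of the Guardian documentation: confirm where the installer came from, record what you are trusting, then scope the Defender exclusion to the one folder named above. The installer path parameter and the expected download host (taken from the support address) are assumptions.

```powershell
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$InstallerPath,      # the file you downloaded
    [string]$ExpectedHost = 'aimalwareguardian.com',   # assumed from the support address
    # Pass this explicitly if you elevated with a different admin account,
    # because LOCALAPPDATA then points at the admin's profile.
    [string]$GuardianDir = (Join-Path $env:LOCALAPPDATA 'AI Malware Guardian')
)

# 1. Download origin: browsers record it in the Zone.Identifier
#    alternate data stream (Mark of the Web).
$motw = Get-Content -LiteralPath $InstallerPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
$hostUrl = ($motw | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
if (-not $hostUrl) {
    Write-Warning 'No HostUrl recorded; download origin cannot be confirmed from the file.'
} elseif (([uri]$hostUrl).Host -notmatch "(^|\.)$([regex]::Escape($ExpectedHost))$") {
    throw "Installer was downloaded from $hostUrl, not $ExpectedHost."
}

# 2. Record what is being trusted. The manual says the build is not
#    code-signed, so expect NotSigned; keep the hash for your records.
$sig  = Get-AuthenticodeSignature -LiteralPath $InstallerPath
$hash = Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256
"Signature: $($sig.Status)   SHA256: $($hash.Hash)"

# 3. List the Defender detections that touched the Guardian folder, so the
#    exclusion answers a detection you have actually looked at.
Get-MpThreatDetection |
    Where-Object { $_.Resources -like "*$GuardianDir*" } |
    Select-Object InitialDetectionTime, ThreatID, Resources

# 4. Exclude only that folder, then confirm the setting took effect.
Add-MpPreference -ExclusionPath $GuardianDir
$excluded = @((Get-MpPreference).ExclusionPath)
if ($excluded -notcontains $GuardianDir) {
    throw 'Exclusion was not applied (blocked by policy?).'
}
"Excluded: $GuardianDir"
```

The excluded folder sits under the user profile and is writable by that user, so keep the exclusion limited to this one path rather than a parent directory.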

Games, launchers, or dev tools trigger alerts

Elevated or automation-heavy workloads can surface Under Review or Investigation Required. Action Required stays corroboration-gated. Use Information and baseline recordings before quarantining trusted tools.

What stays local

The detection engine runs on-device. Account, billing, token, device, and support actions use the website/backend surface, but Guardian does not depend on cloud-hosted behavior scoring to evaluate local activity.

Where to get help

Use the Support page for account, billing, setup, or technical issues. If the form is unavailable, the documented fallback path is support@aimalwareguardian.com.

Check for Updates or reinstall

In Settings → Check for Updates, install the latest build from the same channel as the website. If the monitor will not start after Defender quarantine, reinstall from your account download and re-activate if needed.