{"id":30169,"date":"2026-02-07T12:58:09","date_gmt":"2026-02-07T11:58:09","guid":{"rendered":""},"modified":"2026-02-07T12:58:09","modified_gmt":"2026-02-07T11:58:09","slug":"server-protection-execguard","status":"publish","type":"page","link":"https:\/\/www.firestorm.ch\/en\/server-protection-execguard\/","title":{"rendered":"FireStorm ExecGuard &#8211; Server Execution Protection"},"content":{"rendered":"        <script type=\"application\/ld+json\">{\"@context\":\"https:\/\/schema.org\",\"@type\":\"FAQPage\",\"mainEntity\":[{\"@type\":\"Question\",\"name\":\"What are the requirements for ExecGuard?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"ExecGuard supports Linux servers with Plesk Obsidian and Ubuntu 22.04\/24.04 LTS as well as Windows servers with Plesk for Windows and Windows Server 2019\/2022\/2025. Shared hosting is not supported \u2014 you need root or Administrator access. Microsoft Sysmon is automatically installed on Windows servers.\"}},{\"@type\":\"Question\",\"name\":\"Does ExecGuard affect my websites?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"No. ExecGuard only monitors process executions at the operating system level. PHP websites (WordPress, Joomla etc.) run through PHP-FPM (Linux) or IIS (Windows) and are not affected. Cron jobs, Scheduled Tasks and CLI tools also work seamlessly thanks to configurable interpreter rules and whitelists.\"}},{\"@type\":\"Question\",\"name\":\"What happens in Observe mode?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"In Observe mode, suspicious processes are only logged but not blocked. This allows you to first see what activities are taking place on your server before activating Active mode.\"}},{\"@type\":\"Question\",\"name\":\"Does ExecGuard work on Linux and Windows?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes. ExecGuard protects both platforms with platform-specific detection modules. On Linux, it uses the Audit Framework (auditd\/execve); on Windows, Microsoft Sysmon and ETW. Whitelists, interpreter rules, and detection modules are each adapted to the operating system.\"}},{\"@type\":\"Question\",\"name\":\"What Windows-specific attacks does ExecGuard detect?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"On Windows, ExecGuard detects: PowerShell EncodedCommands, ASPX webshells, credential theft tools (Mimikatz, LaZagne, ProcDump), LOLBin abuse (certutil, mshta, rundll32, bitsadmin), AMSI bypass attempts, Windows Defender tampering, suspicious EXE\/DLL in temporary directories, and reverse shells via ncat\/PowerShell. Outgoing IRC and mining connections are blocked via Windows Firewall.\"}},{\"@type\":\"Question\",\"name\":\"What Linux-specific attacks does ExecGuard detect?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"On Linux, ExecGuard detects and blocks: cryptominers (XMRig, etc.), IRC bots, reverse shells (bash -i, nc -e, python), PHP webshells, unauthorized ELF binaries, suspicious shell scripts, encoded payloads, download-and-execute chains (curl\/wget + chmod), fake thread detection (forged kernel process names), and privilege escalation (sudo\/su abuse, linpeas). Outgoing IRC and mining connections are blocked via iptables.\"}},{\"@type\":\"Question\",\"name\":\"Can I use ExecGuard alongside other security solutions?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes. ExecGuard works at a different level than most security products: directly at the OS level via the Linux Audit Framework or Windows Sysmon\/ETW. It monitors every program start and complements existing solutions such as malware scanners, Windows Defender, or web application firewalls as an additional protection layer.\"}},{\"@type\":\"Question\",\"name\":\"How much does ExecGuard cost?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"ExecGuard costs from CHF 9.90 per month with annual billing (or CHF 14.90 with monthly billing) as an addon to your existing FireStorm root server. For external servers, ExecGuard is available as a standalone product from CHF 24.90\/mo. A one-time setup fee of CHF 50.- applies to monthly billing only \u2014 annual, 2-year and 3-year plans include free setup.\"}},{\"@type\":\"Question\",\"name\":\"What is the difference between ExecGuard and \\\"mount noexec \/tmp\\\"?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"The traditional approach \\\"mount -o noexec \/tmp\\\" prevents file execution in the \/tmp directory, but causes numerous problems: webmail clients stop working, ExifTool breaks, various installers fail. ExecGuard works at the OS level and intelligently monitors every process start. It only blocks actually dangerous executions \u2014 while all regular services continue to work. On Windows, there is no equivalent to noexec \u2014 ExecGuard fills this gap with Sysmon-based process monitoring.\"}}]}<\/script>\n            <script type=\"application\/ld+json\">{\"@context\":\"https:\/\/schema.org\",\"@type\":\"Product\",\"name\":\"FireStorm ExecGuard - Server Execution Protection\",\"description\":\"Have you ever been frustrated that unauthorized programs can be executed on your servers? With FireStorm ExecGuard, that's a thing of the past. For Linux servers (Ubuntu 22.04\/24.04) and Windows servers (2019\/2022\/2025) with Plesk.\",\"image\":\"https:\/\/www.firestorm.ch\/wp-content\/uploads\/2017\/09\/logo_firestorm.png\",\"brand\":{\"@type\":\"Brand\",\"name\":\"FireStorm ISP\"},\"provider\":{\"@type\":\"Organization\",\"name\":\"FireStorm ISP GmbH\",\"url\":\"https:\/\/www.firestorm.ch\",\"address\":{\"@type\":\"PostalAddress\",\"addressLocality\":\"Tann\",\"addressRegion\":\"ZH\",\"postalCode\":\"8632\",\"addressCountry\":\"CH\"}},\"offers\":{\"@type\":\"Offer\",\"price\":\"9.90\",\"priceCurrency\":\"CHF\",\"priceSpecification\":{\"@type\":\"UnitPriceSpecification\",\"price\":\"9.90\",\"priceCurrency\":\"CHF\",\"unitText\":\"MONTH\"},\"url\":\"https:\/\/admin.firestorm.ch\/cart.php?a=add&pid=7564&billingcycle=triennially&language=en\",\"availability\":\"https:\/\/schema.org\/InStock\",\"priceValidUntil\":\"2027-12-31\",\"hasMerchantReturnPolicy\":{\"@type\":\"MerchantReturnPolicy\",\"applicableCountry\":\"CH\",\"returnPolicyCategory\":\"https:\/\/schema.org\/MerchantReturnFiniteReturnWindow\",\"merchantReturnDays\":30,\"returnMethod\":\"https:\/\/schema.org\/ReturnByMail\",\"returnFees\":\"https:\/\/schema.org\/FreeReturn\"},\"shippingDetails\":{\"@type\":\"OfferShippingDetails\",\"shippingRate\":{\"@type\":\"MonetaryAmount\",\"value\":0,\"currency\":\"CHF\"},\"deliveryTime\":{\"@type\":\"ShippingDeliveryTime\",\"handlingTime\":{\"@type\":\"QuantitativeValue\",\"minValue\":0,\"maxValue\":0,\"unitCode\":\"d\"},\"transitTime\":{\"@type\":\"QuantitativeValue\",\"minValue\":0,\"maxValue\":0,\"unitCode\":\"d\"}},\"shippingDestination\":{\"@type\":\"DefinedRegion\",\"addressCountry\":\"CH\"}}},\"aggregateRating\":{\"@type\":\"AggregateRating\",\"ratingValue\":\"4.8\",\"reviewCount\":\"127\",\"bestRating\":\"5\"}}<\/script>\n        <style>\n    .fs-landing{max-width:1100px;margin:0 auto;padding:0 20px;font-family:-apple-system,BlinkMacSystemFont,\"Segoe UI\",Roboto,sans-serif}\n    .fs-landing-hero{text-align:center;padding:60px 20px;background:linear-gradient(135deg,#f0f7ff,#e8f4fd);border-radius:16px;margin-bottom:50px}\n    .fs-landing-hero h1{font-size:36px;color:#1a1a2e;margin-bottom:15px;line-height:1.2}\n    .fs-landing-hero p{font-size:18px;color:#555;max-width:700px;margin:0 auto 25px}\n    .fs-landing-hero-price{font-size:24px;color:#197dc8;font-weight:700;margin-bottom:20px}\n    .fs-landing-hero-cta{display:inline-block;padding:16px 40px;background:#22c55e;color:#fff!important;text-decoration:none!important;border-radius:8px;font-size:18px;font-weight:700;transition:all 0.3s}\n    .fs-landing-hero-cta:hover{background:#16a34a;transform:scale(1.05);color:#fff!important;text-decoration:none!important}\n    .fs-landing-benefits{display:grid;grid-template-columns:repeat(3,1fr);gap:30px;margin-bottom:50px}\n    .fs-landing-benefit{text-align:center;padding:30px 20px;background:#fff;border:1px solid #e2e8f0;border-radius:12px}\n    .fs-landing-benefit-icon{font-size:40px;margin-bottom:15px}\n    .fs-landing-benefit h3{font-size:18px;color:#333;margin-bottom:10px}\n    .fs-landing-benefit p{font-size:15px;color:#666;line-height:1.6}\n    .fs-landing-content{margin-bottom:50px}\n    .fs-landing-content h2{font-size:28px;color:#333;margin-bottom:20px}\n    .fs-landing-content .fs-landing-text{font-size:16px;color:#555;line-height:1.8}\n    .fs-landing-content .fs-landing-text p{margin:0 0 16px 0}\n    .fs-landing-content .fs-landing-text p:last-child{margin-bottom:0}\n    .fs-landing-content-wrap{display:flex;gap:40px;align-items:flex-start}\n    .fs-landing-hero-badge{display:inline-block;background:#22c55e;color:#fff;font-size:16px;font-weight:700;padding:8px 24px;border-radius:30px;margin:15px 0 5px;letter-spacing:0.5px;animation:fs-badge-pulse 2s ease-in-out infinite}\n    @keyframes fs-badge-pulse{0%,100%{box-shadow:0 0 0 0 rgba(34,197,94,0.4)}50%{box-shadow:0 0 0 10px rgba(34,197,94,0)}}\n    .fs-landing-content-wrap .fs-landing-text{flex:1}\n    .fs-landing-content-img{flex:0 0 420px;max-width:420px}\n    .fs-landing-content-img img{width:100%;height:auto;border-radius:12px;box-shadow:0 4px 20px rgba(0,0,0,0.1)}\n    .fs-landing-features{display:grid;grid-template-columns:repeat(4,1fr);gap:12px;margin:40px 0}\n    .fs-landing-feat{background:#f8fafc;border:1px solid #e2e8f0;border-radius:8px;padding:12px 15px;text-align:center;font-size:14px;color:#333;font-weight:600}\n    .fs-landing-feat::before{content:'\\2713 ';color:#22c55e;font-weight:700}\n    .fs-landing-faq{margin:50px 0}\n    .fs-landing-faq h2{font-size:28px;color:#333;margin-bottom:25px;text-align:center}\n    .fs-landing-faq-item{background:#fff;border:1px solid #e2e8f0;border-radius:8px;margin-bottom:12px;overflow:hidden}\n    .fs-landing-faq-q{padding:20px 25px;cursor:pointer;font-weight:600;font-size:16px;color:#333;display:flex;justify-content:space-between;align-items:center}\n    .fs-landing-faq-q:hover{background:#f8fafc}\n    .fs-landing-faq-q::after{content:'+';font-size:18px;color:#197dc8;flex-shrink:0;margin-left:15px;transition:transform 0.3s}\n    .fs-landing-faq-item.open .fs-landing-faq-q::after{transform:rotate(45deg)}\n    .fs-landing-faq-a{max-height:0;overflow:hidden;transition:max-height 0.3s;background:#f8fafc}\n    .fs-landing-faq-item.open .fs-landing-faq-a{max-height:400px}\n    .fs-landing-faq-a p{padding:20px 25px;margin:0;color:#555;line-height:1.7}\n    .fs-landing-cta-bar{text-align:center;padding:50px;background:linear-gradient(135deg,#197dc8,#1565a0);border-radius:16px;margin:50px 0}\n    .fs-landing-cta-bar h2{color:#fff;font-size:28px;margin-bottom:10px}\n    .fs-landing-cta-bar p{color:rgba(255,255,255,0.85);font-size:16px;margin-bottom:25px}\n    .fs-landing-cta-bar a{display:inline-block;padding:16px 40px;background:#22c55e;color:#fff!important;text-decoration:none!important;border-radius:8px;font-size:18px;font-weight:700;transition:all 0.3s}\n    .fs-landing-cta-bar a:hover{background:#16a34a;transform:scale(1.05);color:#fff!important;text-decoration:none!important}\n    .fs-landing-related{margin:40px 0;padding:30px 0;border-top:1px solid #e2e8f0}\n    .fs-landing-related h3{text-align:center;color:#333;margin-bottom:20px;font-size:22px}\n    .fs-landing-related-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(200px,1fr));gap:12px;max-width:900px;margin:0 auto}\n    .fs-landing-related-item{display:block;background:#f8fafc;border:1px solid #e2e8f0;border-radius:8px;padding:15px;text-align:center;text-decoration:none!important;color:#0066cc!important;font-weight:600;font-size:14px;transition:all 0.2s;line-height:1.4}\n    .fs-landing-related-item:hover{background:#e8f4fd;border-color:#0066cc;text-decoration:none!important;color:#004a99!important}\n    .fs-dns-pricing{margin:50px 0}\n    .fs-dns-pricing h2{text-align:center;font-size:28px;color:#333;margin-bottom:30px}\n    .fs-dns-pricing-grid{display:grid;grid-template-columns:repeat(3,1fr);gap:24px;max-width:960px;margin:0 auto}\n    .fs-dns-card{background:#fff;border:1px solid #e2e8f0;border-radius:12px;padding:35px 25px;text-align:center;position:relative;transition:box-shadow 0.3s}\n    .fs-dns-card:hover{box-shadow:0 8px 30px rgba(0,0,0,0.1)}\n    .fs-dns-card.fs-dns-hl{border:2px solid #197dc8;box-shadow:0 4px 20px rgba(25,125,200,0.15)}\n    .fs-dns-badge{position:absolute;top:-13px;left:50%;transform:translateX(-50%);background:#197dc8;color:#fff;font-size:12px;font-weight:700;padding:4px 16px;border-radius:20px;text-transform:uppercase}\n    .fs-dns-card h3{font-size:22px;color:#333;margin-bottom:8px}\n    .fs-dns-zones{font-size:15px;color:#666;margin-bottom:20px}\n    .fs-dns-price{font-size:36px;color:#197dc8;font-weight:700;line-height:1.2}\n    .fs-dns-price span{font-size:16px;color:#888;font-weight:400}\n    .fs-dns-periods{margin:20px 0 25px;font-size:13px;color:#888;line-height:2}\n    .fs-dns-periods div{display:flex;justify-content:space-between;padding:0 10px}\n    .fs-dns-cta{display:inline-block;padding:12px 30px;border-radius:8px;font-size:16px;font-weight:700;text-decoration:none!important;transition:all 0.3s}\n    .fs-dns-card.fs-dns-hl .fs-dns-cta{background:#22c55e;color:#fff!important}\n    .fs-dns-card.fs-dns-hl .fs-dns-cta:hover{background:#16a34a;color:#fff!important}\n    .fs-dns-card:not(.fs-dns-hl) .fs-dns-cta{background:#f0f7ff;color:#197dc8!important;border:1px solid #197dc8}\n    .fs-dns-card:not(.fs-dns-hl) .fs-dns-cta:hover{background:#197dc8;color:#fff!important}\n    @media(max-width:768px){\n        .fs-dns-pricing-grid{grid-template-columns:1fr;max-width:400px}\n        .fs-landing-benefits{grid-template-columns:1fr}\n        .fs-landing-features{grid-template-columns:repeat(2,1fr)}\n        .fs-landing-hero h1{font-size:28px}\n        .fs-landing-content-wrap{flex-direction:column}\n        .fs-landing-content-img{flex:none;max-width:100%}\n    }\n    @media(max-width:500px){\n        .fs-landing-features{grid-template-columns:1fr}\n    }\n    <\/style>\n    <div class=\"fs-landing\">\n        <div class=\"fs-landing-hero\">\n            <h1>FireStorm ExecGuard - Server Execution Protection<\/h1>\n            <p>Have you ever been frustrated that unauthorized programs can be executed on your servers? With FireStorm ExecGuard, that&#039;s a thing of the past. For Linux servers (Ubuntu 22.04\/24.04) and Windows servers (2019\/2022\/2025) with Plesk.<\/p>\n                                    <div class=\"fs-landing-hero-price\">from CHF 9.90\/mo<\/div>\n            <a href=\"https:\/\/admin.firestorm.ch\/cart.php?a=add&#038;pid=7564&#038;billingcycle=triennially&#038;language=en\" class=\"fs-landing-hero-cta\">Activate ExecGuard<\/a>\n                    <\/div>\n\n                <div class=\"fs-landing-benefits\">\n                        <div class=\"fs-landing-benefit\">\n                <div class=\"fs-landing-benefit-icon\">&#128737;<\/div>\n                <h3>Real-time Process Monitoring<\/h3>\n                <p>Every program execution on your server is monitored in real-time. Unauthorized processes are instantly detected and automatically terminated in Active mode.<\/p>            <\/div>\n                        <div class=\"fs-landing-benefit\">\n                <div class=\"fs-landing-benefit-icon\">&#9940;<\/div>\n                <h3>Block Malicious Code Execution<\/h3>\n                <p>Cryptominers, IRC bots, reverse shells and other malware are stopped immediately. Whether in \/tmp, \/dev\/shm or a hacked web directory.<\/p>            <\/div>\n                        <div class=\"fs-landing-benefit\">\n                <div class=\"fs-landing-benefit-icon\">&#128200;<\/div>\n                <h3>Central Management via Plesk<\/h3>\n                <p>Configuration, whitelist and monitoring directly in your Plesk panel. No SSH required. All events centrally visible with email alerts for incidents.<\/p>            <\/div>\n                    <\/div>\n        \n                <div class=\"fs-landing-screenshot\" style=\"margin:30px 0; text-align:center;\">\n            <img decoding=\"async\" src=\"\/wp-content\/uploads\/2026\/02\/execshield-plesk-dashboard.png\" alt=\"ExecGuard Plesk Dashboard - Real-time Security Monitor\" loading=\"lazy\" style=\"max-width:100%; height:auto; border-radius:8px; box-shadow:0 4px 20px rgba(0,0,0,.15);\">\n        <\/div>\n        \n        <div class=\"fs-landing-content\">\n            <h2>Why does your server need ExecGuard?<\/h2>\n                        <div class=\"fs-landing-text\"><p>On a standard server, any user can execute arbitrary programs: cryptominers, IRC bots, reverse shells, DDoS tools. A single hacked WordPress account is enough to compromise your entire server. Vulnerabilities are exploited daily \u2014 on Linux, tools land in \/tmp; on Windows, in %TEMP% or Public directories. FireStorm ExecGuard protects both platforms.<\/p><p>Case Study 1 \u2014 Cryptominer via WordPress (Linux): An attacker exploits a vulnerability in an outdated WordPress plugin. They download an XMRig cryptominer as an ELF binary to \/tmp and start it. The miner uses all CPU cores to mine Monero. Your server becomes extremely slow, CPU load hits 100%, and you only notice when customers complain. With ExecGuard: The miner is immediately blocked and terminated on startup \u2014 it cannot execute at all since \/tmp is not a trusted path.<\/p><p>Case Study 2 \u2014 IRC Bot via Joomla Vulnerability (Linux): A vulnerable Joomla extension allows file uploads. The attacker uploads a Perl script that connects as an IRC bot to a command-and-control server. Your server becomes part of a botnet, sending spam or launching DDoS attacks. With ExecGuard: The Perl script is detected as an unauthorized execution and blocked. The IRC connection is additionally prevented at the firewall level.<\/p><p>Case Study 3 \u2014 ASPX Webshell on IIS (Windows): An attacker exploits a vulnerability in an ASP.NET application and places an ASPX webshell in the IIS directory. Through the webshell, they execute PowerShell commands, download Mimikatz and attempt to extract credentials. With ExecGuard: The suspicious process execution from the IIS context is immediately detected via Sysmon. The Mimikatz download is identified as a credential theft tool and blocked.<\/p><p>Case Study 4 \u2014 PowerShell Attack (Windows): An attacker gains access to a Windows server and launches an encrypted PowerShell reverse shell using &quot;powershell -EncodedCommand&quot;. They then attempt to download additional malware via certutil or bitsadmin. With ExecGuard: Encoded PowerShell commands are immediately detected. The certutil\/bitsadmin misuse as download tools is blocked. The reverse shell connection is prevented at the firewall level.<\/p><p>What makes ExecGuard unique? Traditional security solutions like malware scanners and web application firewalls work at the application level: they detect known signatures in files and filter suspicious HTTP requests. ExecGuard goes one step further and works directly at the operating system level. On Linux, ExecGuard monitors every execve() system call via the Audit Framework. On Windows, ExecGuard uses Microsoft Sysmon and ETW (Event Tracing for Windows) to monitor all process starts, network connections, and file creations. This means: regardless of how malicious code reached your server, and regardless of whether it is a known or completely new threat \u2014 as soon as an unauthorized program is started, ExecGuard intervenes. This approach optimally complements existing security solutions as an additional protection layer at the operating system level.<\/p><p>Linux Protection: Based on the Linux Audit Framework, ExecGuard monitors every single process start on your server in real-time. Only programs from trusted paths (\/usr\/bin, \/opt\/plesk, etc.) are allowed to execute. Everything else is immediately blocked in Active mode and the process is terminated.<\/p><p>Windows Protection: On Windows servers, ExecGuard uses Microsoft Sysmon for real-time monitoring. Every process start (Event ID 1), every network connection (Event ID 3), and every suspicious file creation (Event ID 11) is analyzed. Windows-specific attack vectors such as PowerShell abuse, ASPX webshells, certutil\/bitsadmin downloads, credential theft tools (Mimikatz, LaZagne), and LOLBin abuse are specifically detected. The whitelist is adapted to Windows paths (C:\\Program Files, C:\\Windows, etc.).<\/p><p>What makes it special: ExecGuard also detects interpreter-based attacks. On Linux: bash and Python scripts from web directories. On Windows: PowerShell EncodedCommands, certutil abuse, and suspicious .NET executions. PHP applications like WordPress, Nextcloud and Laravel continue to work seamlessly on both platforms thanks to intelligent interpreter rules.<\/p><p>Advanced Threat Detection: ExecGuard includes specialized detection modules for both operating systems. Hidden process detection exposes processes with forged names. Reverse shells, webshells (PHP and ASPX), and encoded payloads are detected along with download-and-execute chains. On Windows, ExecGuard additionally detects: credential theft tools (Mimikatz, ProcDump, LaZagne), LOLBin abuse (certutil, mshta, rundll32), AMSI bypass attempts, Windows Defender tampering, and suspicious EXE\/DLL files in temporary directories. The privilege escalation module detects sudo\/su abuse on Linux and runas attempts and known exploit patterns on Windows. All modules work together to provide multi-layered protection.<\/p><p>IRC and Mining Blocking: On Linux, outgoing IRC and mining connections are blocked via iptables. On Windows, blocking is done through Windows Firewall (netsh advfirewall). Ports for IRC (6667-6669, 7000-7002) and known mining pools are blocked on both platforms.<\/p><p>Central management is done through your Plesk panel: manage whitelists, choose mode (Observe\/Active), view logs and configure email alerts. Global rules are automatically synchronized to all servers \u2014 separately for Linux and Windows. A config fingerprint ensures that rules are correctly loaded on every server.<\/p><p>Unlike the commonly used &quot;mount -o noexec \/tmp&quot; on Linux, ExecGuard causes no compatibility issues. Webmail (Roundcube, Horde), ExifTool, PHP installers and all regular server services continue to work flawlessly. ExecGuard selectively blocks only unauthorized executions instead of blanket-blocking an entire directory.<\/p><p>Requirements: ExecGuard supports Linux servers with Plesk Obsidian and Ubuntu 22.04 \/ 24.04 LTS as well as Windows servers with Plesk for Windows and Windows Server 2019 \/ 2022. Installation is automatic \u2014 on Linux through the Plesk panel, on Windows via a PowerShell script. Microsoft Sysmon is automatically installed and configured on Windows servers.<\/p><p>Maximum security with minimal resource consumption: ExecGuard is extremely resource-efficient. The optimized monitor uses less than 10 MB of RAM and causes CPU load of less than 0.1%. You won&#039;t even notice that ExecGuard is running in the background \u2014 your server&#039;s performance remains fully intact. Unlike conventional malware scanners that regularly scan the entire file system and generate significant load, ExecGuard works event-driven: it only becomes active when a process is actually started. This gives you real-time protection without any noticeable impact on your server performance.<\/p><p>Automatic Updates: ExecGuard updates itself automatically in the background. New detection rules, threat signatures and security improvements are rolled out regularly \u2014 without any manual intervention on your part. This keeps your server protected against the latest threats at all times.<\/p><\/div>\n                    <\/div>\n\n                <div class=\"fs-landing-features\">\n                        <div class=\"fs-landing-feat\">Real-time process monitoring<\/div>\n                        <div class=\"fs-landing-feat\">Linux &amp; Windows Server<\/div>\n                        <div class=\"fs-landing-feat\">Automatic malware blocking<\/div>\n                        <div class=\"fs-landing-feat\">Hidden process detection<\/div>\n                        <div class=\"fs-landing-feat\">Reverse shell detection<\/div>\n                        <div class=\"fs-landing-feat\">Webshell detection (PHP &amp; ASPX)<\/div>\n                        <div class=\"fs-landing-feat\">Cryptominer detection<\/div>\n                        <div class=\"fs-landing-feat\">IRC\/mining blocking<\/div>\n                        <div class=\"fs-landing-feat\">Encoded payload detection<\/div>\n                        <div class=\"fs-landing-feat\">PowerShell abuse detection<\/div>\n                        <div class=\"fs-landing-feat\">Credential theft detection<\/div>\n                        <div class=\"fs-landing-feat\">LOLBin detection (Windows)<\/div>\n                        <div class=\"fs-landing-feat\">Download &amp; execute protection<\/div>\n                        <div class=\"fs-landing-feat\">Privilege escalation protection<\/div>\n                        <div class=\"fs-landing-feat\">Sysmon integration (Windows)<\/div>\n                        <div class=\"fs-landing-feat\">Interpreter rules (PHP\/Node\/Python)<\/div>\n                        <div class=\"fs-landing-feat\">Email alerts &amp; Plesk integration<\/div>\n                        <div class=\"fs-landing-feat\">Observe &amp; Active mode<\/div>\n                        <div class=\"fs-landing-feat\">Automatic updates<\/div>\n                    <\/div>\n        \n        \n        \n                <div class=\"fs-landing-faq\">\n            <h2>FAQ<\/h2>\n                        <div class=\"fs-landing-faq-item\">\n                <div class=\"fs-landing-faq-q\">What are the requirements for ExecGuard?<\/div>\n                <div class=\"fs-landing-faq-a\"><p>ExecGuard supports Linux servers with Plesk Obsidian and Ubuntu 22.04\/24.04 LTS as well as Windows servers with Plesk for Windows and Windows Server 2019\/2022\/2025. Shared hosting is not supported \u2014 you need root or Administrator access. Microsoft Sysmon is automatically installed on Windows servers.<\/p><\/div>\n            <\/div>\n                        <div class=\"fs-landing-faq-item\">\n                <div class=\"fs-landing-faq-q\">Does ExecGuard affect my websites?<\/div>\n                <div class=\"fs-landing-faq-a\"><p>No. ExecGuard only monitors process executions at the operating system level. PHP websites (WordPress, Joomla etc.) run through PHP-FPM (Linux) or IIS (Windows) and are not affected. Cron jobs, Scheduled Tasks and CLI tools also work seamlessly thanks to configurable interpreter rules and whitelists.<\/p><\/div>\n            <\/div>\n                        <div class=\"fs-landing-faq-item\">\n                <div class=\"fs-landing-faq-q\">What happens in Observe mode?<\/div>\n                <div class=\"fs-landing-faq-a\"><p>In Observe mode, suspicious processes are only logged but not blocked. This allows you to first see what activities are taking place on your server before activating Active mode.<\/p><\/div>\n            <\/div>\n                        <div class=\"fs-landing-faq-item\">\n                <div class=\"fs-landing-faq-q\">Does ExecGuard work on Linux and Windows?<\/div>\n                <div class=\"fs-landing-faq-a\"><p>Yes. ExecGuard protects both platforms with platform-specific detection modules. On Linux, it uses the Audit Framework (auditd\/execve); on Windows, Microsoft Sysmon and ETW. Whitelists, interpreter rules, and detection modules are each adapted to the operating system.<\/p><\/div>\n            <\/div>\n                        <div class=\"fs-landing-faq-item\">\n                <div class=\"fs-landing-faq-q\">What Windows-specific attacks does ExecGuard detect?<\/div>\n                <div class=\"fs-landing-faq-a\"><p>On Windows, ExecGuard detects: PowerShell EncodedCommands, ASPX webshells, credential theft tools (Mimikatz, LaZagne, ProcDump), LOLBin abuse (certutil, mshta, rundll32, bitsadmin), AMSI bypass attempts, Windows Defender tampering, suspicious EXE\/DLL in temporary directories, and reverse shells via ncat\/PowerShell. Outgoing IRC and mining connections are blocked via Windows Firewall.<\/p><\/div>\n            <\/div>\n                        <div class=\"fs-landing-faq-item\">\n                <div class=\"fs-landing-faq-q\">What Linux-specific attacks does ExecGuard detect?<\/div>\n                <div class=\"fs-landing-faq-a\"><p>On Linux, ExecGuard detects and blocks: cryptominers (XMRig, etc.), IRC bots, reverse shells (bash -i, nc -e, python), PHP webshells, unauthorized ELF binaries, suspicious shell scripts, encoded payloads, download-and-execute chains (curl\/wget + chmod), fake thread detection (forged kernel process names), and privilege escalation (sudo\/su abuse, linpeas). Outgoing IRC and mining connections are blocked via iptables.<\/p><\/div>\n            <\/div>\n                        <div class=\"fs-landing-faq-item\">\n                <div class=\"fs-landing-faq-q\">Can I use ExecGuard alongside other security solutions?<\/div>\n                <div class=\"fs-landing-faq-a\"><p>Yes. ExecGuard works at a different level than most security products: directly at the OS level via the Linux Audit Framework or Windows Sysmon\/ETW. It monitors every program start and complements existing solutions such as malware scanners, Windows Defender, or web application firewalls as an additional protection layer.<\/p><\/div>\n            <\/div>\n                        <div class=\"fs-landing-faq-item\">\n                <div class=\"fs-landing-faq-q\">How much does ExecGuard cost?<\/div>\n                <div class=\"fs-landing-faq-a\"><p>ExecGuard costs from CHF 9.90 per month with annual billing (or CHF 14.90 with monthly billing) as an addon to your existing FireStorm root server. For external servers, ExecGuard is available as a standalone product from CHF 24.90\/mo. A one-time setup fee of CHF 50.- applies to monthly billing only \u2014 annual, 2-year and 3-year plans include free setup.<\/p><\/div>\n            <\/div>\n                        <div class=\"fs-landing-faq-item\">\n                <div class=\"fs-landing-faq-q\">What is the difference between ExecGuard and &quot;mount noexec \/tmp&quot;?<\/div>\n                <div class=\"fs-landing-faq-a\"><p>The traditional approach &quot;mount -o noexec \/tmp&quot; prevents file execution in the \/tmp directory, but causes numerous problems: webmail clients stop working, ExifTool breaks, various installers fail. ExecGuard works at the OS level and intelligently monitors every process start. It only blocks actually dangerous executions \u2014 while all regular services continue to work. On Windows, there is no equivalent to noexec \u2014 ExecGuard fills this gap with Sysmon-based process monitoring.<\/p><\/div>\n            <\/div>\n                    <\/div>\n        <script>document.addEventListener('DOMContentLoaded',function(){document.querySelectorAll('.fs-landing-faq-q').forEach(function(q){q.addEventListener('click',function(){this.parentElement.classList.toggle('open')})})});<\/script>\n        \n                <div class=\"fs-landing-related\">\n            <h3>You might also be interested in<\/h3>\n            <div class=\"fs-landing-related-grid\">\n                                <a href=\"\/en\/rootserver\/\" class=\"fs-landing-related-item\">Root Server Switzerland<\/a>\n                                <a href=\"\/en\/managed-server-switzerland\/\" class=\"fs-landing-related-item\">Managed Server Switzerland<\/a>\n                                <a href=\"\/en\/website-security-fully-protected\/\" class=\"fs-landing-related-item\">Website security for your hosting<\/a>\n                                <a href=\"\/en\/plesk-hosting-switzerland\/\" class=\"fs-landing-related-item\">Plesk Hosting Switzerland<\/a>\n                            <\/div>\n        <\/div>\n        \n        <div class=\"fs-landing-cta-bar\">\n            <h2>FireStorm ExecGuard - Server Execution Protection<\/h2>\n            <p>Have you ever been frustrated that unauthorized programs can be executed on your servers? With FireStorm ExecGuard, that&#039;s a thing of the past. For Linux servers (Ubuntu 22.04\/24.04) and Windows servers (2019\/2022\/2025) with Plesk.<\/p>\n                        <a href=\"https:\/\/admin.firestorm.ch\/cart.php?a=add&#038;pid=7564&#038;billingcycle=triennially&#038;language=en\">Activate ExecGuard<\/a>\n                    <\/div>\n    <\/div>\n    \n","protected":false},"excerpt":{"rendered":"FireStorm ExecGuard - Server Execution Protection Have you ever been frustrated that unauthorized programs can be executed on your servers? With FireStorm ExecGuard, that&#039;s a thing of the past. For Linux servers (Ubuntu 22.04\/24.04) and Windows servers (2019\/2022\/2025) with Plesk. from CHF 9.90\/mo Activate ExecGuard &#128737; Real-time Process Monitoring Every program execution on your server [...]","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_relevanssi_hide_post":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","footnotes":""},"class_list":["post-30169","page","type-page","status-publish","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.1 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>FireStorm ExecGuard | Server Execution Protection | FireStorm<\/title>\n<meta name=\"description\" content=\"FireStorm ExecGuard - Server Execution Protection for maximum security. Protects your server from unauthorized code execution. Swiss Hosting.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.firestorm.ch\/en\/server-protection-execshield\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"FireStorm ExecGuard - Server Execution Protection\" \/>\n<meta property=\"og:description\" content=\"FireStorm ExecGuard - Server Execution Protection for maximum security. Protects your server from unauthorized code execution. Swiss Hosting.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.firestorm.ch\/en\/server-protection-execshield\/\" \/>\n<meta property=\"og:site_name\" content=\"FireStorm ISP\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/firestorm.ch\/\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.firestorm.ch\\\/en\\\/server-protection-execshield\\\/\",\"url\":\"https:\\\/\\\/www.firestorm.ch\\\/en\\\/server-protection-execshield\\\/\",\"name\":\"FireStorm ExecGuard | Server Execution Protection | FireStorm\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.firestorm.ch\\\/#website\"},\"datePublished\":\"2026-02-07T11:58:09+00:00\",\"description\":\"FireStorm ExecGuard - Server Execution Protection for maximum security. Protects your server from unauthorized code execution. Swiss Hosting.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.firestorm.ch\\\/en\\\/server-protection-execshield\\\/#breadcrumb\"},\"inLanguage\":\"en-CH\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.firestorm.ch\\\/en\\\/server-protection-execshield\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.firestorm.ch\\\/en\\\/server-protection-execshield\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/www.firestorm.ch\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"FireStorm ExecShield &#8211; Server Execution Protection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.firestorm.ch\\\/#website\",\"url\":\"https:\\\/\\\/www.firestorm.ch\\\/\",\"name\":\"FireStorm\",\"description\":\"Webhosting, Domainnamen, Server, Mailserver und Hosting mit Homepagebaukasten und Free SSL Zertifikat\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.firestorm.ch\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.firestorm.ch\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-CH\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.firestorm.ch\\\/#organization\",\"name\":\"FireStorm\",\"url\":\"https:\\\/\\\/www.firestorm.ch\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-CH\",\"@id\":\"https:\\\/\\\/www.firestorm.ch\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.firestorm.ch\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/FireStormLogo.png\",\"contentUrl\":\"https:\\\/\\\/www.firestorm.ch\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/FireStormLogo.png\",\"width\":589,\"height\":60,\"caption\":\"FireStorm\"},\"image\":{\"@id\":\"https:\\\/\\\/www.firestorm.ch\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/firestorm.ch\\\/\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"FireStorm ExecGuard | Server Execution Protection | FireStorm","description":"FireStorm ExecGuard - Server Execution Protection for maximum security. Protects your server from unauthorized code execution. Swiss Hosting.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.firestorm.ch\/en\/server-protection-execshield\/","og_locale":"en_US","og_type":"article","og_title":"FireStorm ExecGuard - Server Execution Protection","og_description":"FireStorm ExecGuard - Server Execution Protection for maximum security. Protects your server from unauthorized code execution. Swiss Hosting.","og_url":"https:\/\/www.firestorm.ch\/en\/server-protection-execshield\/","og_site_name":"FireStorm ISP","article_publisher":"https:\/\/www.facebook.com\/firestorm.ch\/","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.firestorm.ch\/en\/server-protection-execshield\/","url":"https:\/\/www.firestorm.ch\/en\/server-protection-execshield\/","name":"FireStorm ExecGuard | Server Execution Protection | FireStorm","isPartOf":{"@id":"https:\/\/www.firestorm.ch\/#website"},"datePublished":"2026-02-07T11:58:09+00:00","description":"FireStorm ExecGuard - Server Execution Protection for maximum security. Protects your server from unauthorized code execution. Swiss Hosting.","breadcrumb":{"@id":"https:\/\/www.firestorm.ch\/en\/server-protection-execshield\/#breadcrumb"},"inLanguage":"en-CH","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.firestorm.ch\/en\/server-protection-execshield\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.firestorm.ch\/en\/server-protection-execshield\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/www.firestorm.ch\/en\/"},{"@type":"ListItem","position":2,"name":"FireStorm ExecShield &#8211; Server Execution Protection"}]},{"@type":"WebSite","@id":"https:\/\/www.firestorm.ch\/#website","url":"https:\/\/www.firestorm.ch\/","name":"FireStorm","description":"Webhosting, Domainnamen, Server, Mailserver und Hosting mit Homepagebaukasten und Free SSL Zertifikat","publisher":{"@id":"https:\/\/www.firestorm.ch\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.firestorm.ch\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-CH"},{"@type":"Organization","@id":"https:\/\/www.firestorm.ch\/#organization","name":"FireStorm","url":"https:\/\/www.firestorm.ch\/","logo":{"@type":"ImageObject","inLanguage":"en-CH","@id":"https:\/\/www.firestorm.ch\/#\/schema\/logo\/image\/","url":"https:\/\/www.firestorm.ch\/wp-content\/uploads\/2026\/03\/FireStormLogo.png","contentUrl":"https:\/\/www.firestorm.ch\/wp-content\/uploads\/2026\/03\/FireStormLogo.png","width":589,"height":60,"caption":"FireStorm"},"image":{"@id":"https:\/\/www.firestorm.ch\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/firestorm.ch\/"]}]}},"rttpg_featured_image_url":null,"rttpg_author":{"display_name":"FireStorm","author_link":"https:\/\/www.firestorm.ch\/en\/news\/author\/webkoenig\/"},"rttpg_comment":0,"rttpg_category":false,"rttpg_excerpt":null,"_links":{"self":[{"href":"https:\/\/www.firestorm.ch\/en\/wp-json\/wp\/v2\/pages\/30169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.firestorm.ch\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.firestorm.ch\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.firestorm.ch\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.firestorm.ch\/en\/wp-json\/wp\/v2\/comments?post=30169"}],"version-history":[{"count":0,"href":"https:\/\/www.firestorm.ch\/en\/wp-json\/wp\/v2\/pages\/30169\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.firestorm.ch\/en\/wp-json\/wp\/v2\/media?parent=30169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}