VaultGuard Backup — Features Page
EVERY FEATURE EARNED ITS PLACE
Built around the threats your backup software ignores.
VaultGuard Backup wasn't designed by committee. Every feature here exists because something went wrong somewhere first — silent corruption, ransomware that ate the backup folder, drives that quietly failed, "successful" backup logs that hid empty archives. Here's the full list.
Page Intro
If you read most backup-software feature lists, you'll see the same handful of bullets repeated across every product: "automatic backups," "cloud storage," "encryption." The bullets don't tell you anything because every product claims them.
This page is different. It tells you specifically what VaultGuard does, how it works, and — more importantly — why each feature is there. If you're evaluating VaultGuard against another product, the differences are in the details below.
Backup Integrity
The single most important category. If your backup tool doesn't verify what it wrote, you're trusting hope.
SHA-256 manifest of every file Every file VaultGuard writes is fingerprinted with a SHA-256 cryptographic hash and recorded in a manifest stored alongside the backup. The manifest itself is hashed and signed.
Tamper detection If anything in the backup changes between runs — a file modified, a file removed, a file silently corrupted — VaultGuard detects it. You'll see exactly what changed, when, and where.
Verification before any restore Before VaultGuard will restore from a backup, it verifies the manifest against the backup files. If the verification fails, the restore is blocked and you're told exactly what's wrong. There is no "best effort" restore from a corrupted backup. If the data isn't trustworthy, VaultGuard refuses to put it back.
Automatic post-backup integrity checks 24 hours after every backup completes, VaultGuard automatically re-verifies the backup against its manifest. The 24-hour delay is intentional — it ensures the integrity check runs after the backup has finished, but at a predictable off-hours time so the verification work doesn't compete with your business day. If you ran a backup last night, the integrity check has already happened by tonight.
Hash history VaultGuard preserves the manifest history across multiple backup generations, so you can see when corruption or tampering first appeared and trace it back through the chain.
Threat Awareness
A clean backup of an infected drive is worse than no backup at all.
Pre-backup Windows Defender scan Before each backup runs, VaultGuard kicks off a Defender scan of the source data. If active threats are detected, the backup is paused and you're alerted. You'd rather know now than discover six weeks later that your backup is full of malware.
Defender definition age check VaultGuard checks how recent your Defender threat definitions are. If they're dangerously out of date — say, your computer hasn't been online in two months — VaultGuard refuses to back up known-infected systems with stale detection rules.
Two-layer ransomware defense on restore Modern ransomware specifically targets backup files, so VaultGuard checks the backup two different ways before any restore:
First, manifest verification. Every file in the backup is compared against its SHA-256 hash from the original manifest. If anything has changed since the backup was created — a file silently re-encrypted by ransomware, a file modified, a file removed — manifest verification fails and the restore is blocked.
Second, ransomware extension scanning. The "Check Backup" function on the Restore tab scans the backup folder for files with extensions used by known ransomware families (.encrypted, .locked, .crypto, .crypt, .ryk, .revil, .conti, .darkside, .maze, .ryuk, and others). If ransomware-renamed files are found inside the backup, the backup is flagged as compromised and an alert is sent — pointing you to your cloud copy for a clean restore instead.
Together: the hash check catches any change to the backup; the extension scan adds a fast, specific check for the most common ransomware patterns. Either one fires and the restore stops before bad data goes back onto your machine.
BitLocker status awareness VaultGuard checks the encryption status of your backup target drive. If the drive should be BitLocker-encrypted and isn't, you're warned. An unencrypted backup of sensitive data sitting on a desk is itself a security incident.
Drive And Media Health
Hardware fails. The question is whether you find out before or after it costs you data.
SMART data monitoring VaultGuard reads the Self-Monitoring, Analysis, and Reporting Technology data from your source and target drives. SMART warnings — reallocated sectors, pending sectors, increasing read error rates — are early indicators of imminent drive failure. VaultGuard surfaces them before they become catastrophic.
chkdsk integration Filesystem-level health checks are integrated into VaultGuard's scheduling. Filesystem corruption is a different category of failure than drive failure; both matter; both are checked.
Drive age tracking Old drives are likely-to-fail drives. VaultGuard tracks the age of your backup target media and warns you when a drive crosses the failure-probability threshold for its class. You'll know to budget a replacement before the failure forces one.
Available space monitoring VaultGuard tracks free space on backup targets and warns you well before the next backup would fail for lack of room. Configurable thresholds — defaults are sensible, you can tighten them.
Auto-eject after cloud sync Once a local backup has been mirrored to your cloud storage, VaultGuard can automatically eject the backup drive. Physical separation is the strongest defense against malware spreading from the source to the backup. A drive that's not connected can't be encrypted by ransomware on the source machine.
Cloud And Off-site Strategy
One copy is no copies. Three copies, two media types, one off-site is the rule. VaultGuard handles the first two; you bring your own off-site mirror.
Local image backup via wbadmin VaultGuard uses Windows' built-in wbadmin tool for system image creation. This means: no third-party backup format that could become unreadable when a vendor goes out of business. Your backups can be restored on any Windows machine, with or without VaultGuard installed.
Cloud copy to a folder you choose After each local backup, VaultGuard copies it to a folder you designate — typically a folder synced by your preferred cloud storage provider. Use any cloud service you trust: the choice is yours. Once your cloud sync app picks up the new files, your backup is safely off the local machine.
Works with off-site mirroring tools For true disaster recovery, you can layer any cloud-to-cloud sync service on top of VaultGuard's cloud copy to mirror your backups to a second cloud account at a different provider. VaultGuard doesn't manage that mirror itself — but its cloud-folder approach plays well with any mirroring tool you choose to add. If your primary cloud account is compromised, an independently-managed off-site copy remains intact.
Network share support Backup to UNC paths on your network. Useful for environments with NAS or file servers as a backup target.
Restore Options
A backup you can't restore from is not a backup. VaultGuard makes restore the easy part.
File-level restore Recover individual files or folders without rolling back your entire system. Browse the backup like a folder tree, pick what you need, and restore it.
Full system restore Reboot into Windows Recovery Environment and restore from your latest verified backup. The whole computer comes back exactly as it was at backup time. Useful after ransomware, hardware replacement, or any catastrophic event.
Cloud restore If your local backup target is gone (drive dead, drive stolen, drive corrupted), restore directly from your cloud copy. Pull the backup files down from your cloud storage to a local folder, point VaultGuard at them, and restore. Slower than local, but available.
Verification before any restore Whichever restore mode you use, the manifest check runs first. No exceptions.
Security Hardening
The features you'll never see day-to-day. They're the reason VaultGuard stays trustworthy when nothing else has been touched in eighteen months.
Optional administrator passphrase, NIST SP 800-63B compliant VaultGuard offers an optional administrator passphrase that gates access to configuration changes and other administrative actions. The passphrase isn't required to use the application — it's there for users and organizations that want or need the extra layer (compliance, shared workstations, regulated industries). When set, the passphrase requirements follow the National Institute of Standards and Technology's modern password guidelines: length over complexity, no forced periodic resets, no insulting "your password must contain a lowercase letter" rules. The passphrase is hashed and stored using accepted cryptographic primitives — never in plain text.
ACL-locked runtime data VaultGuard's configuration and runtime data live in C:\ProgramData\VaultGuardBackup\ with an access control list that grants access only to administrators and to VaultGuard itself. Standard user accounts on the same machine cannot read or modify the configuration.
Configuration integrity verification On every launch, VaultGuard hashes its configuration file and compares it against the stored hash. If the configuration has been modified outside VaultGuard — by malware, by an unauthorized user, by a misguided "fix" — VaultGuard refuses to start and alerts you.
Session timeout Administrative sessions time out automatically after a configurable period of inactivity (default 10 minutes). Walk away from your computer and the next person can't change your backup configuration.
Failed-attempt lockout Five failed passphrase attempts trigger a timed lockout, with the attempt logged to the security log. Brute-force attacks against your local VaultGuard installation get nowhere.
Code-signed binary Every VaultGuard release is digitally signed by Information Security Kentucky LLC. Windows verifies the signature on install and every update. If a binary claiming to be VaultGuard isn't signed by us, Windows will tell you.
Hardware-bound licensing Your subscription is tied to your specific computer's hardware. Casually sharing a license key with another machine doesn't work. (Need to move VaultGuard to a new computer? Email customer service — we'll re-bind your license.)
Operations
The boring stuff. Doing this well is what separates real backup software from consumer toys.
SMTP email alerts Configurable email notifications on backup success, backup failure, integrity check failure, drive warnings, and other events. Sent through our managed email relay so you don't have to configure SMTP credentials yourself.
Note: Email alert content passes through our infrastructure on the way to your inbox. The contents of your backups never leave your computer, but the alert subject and body do. Full disclosure is in the Privacy Policy.
Restore test reminders On a configurable schedule, VaultGuard reminds you to perform a test restore. The reminder is firm and visible. A backup you've never tested isn't a backup.
Machine and client identity fields Set a machine name and a client name in VaultGuard's configuration. These appear in alerts, logs, and reports — useful when you're using VaultGuard across multiple sites or running it for clients.
Task Scheduler integration VaultGuard registers Windows Task Scheduler entries for backup runs, cloud copy operations, and integrity checks. The scheduled tasks are visible to you, manageable through standard Windows tools, and survive reboots.
Manual run-now option Run a backup on demand without waiting for the next scheduled time. Useful before risky changes — Windows updates, software installations, hardware swaps.
Cleanup tools Selectively delete old backup versions when you need to free space. Cloud copies are unaffected by local cleanup unless you specifically choose to remove them.
Detailed logging Every backup, restore, integrity check, configuration change, and security event is logged locally in C:\ProgramData\VaultGuardBackup\. Logs are useful for troubleshooting and required for any forensic investigation if something goes wrong.
What It Runs On
Operating system: Windows 10 (version 1909 or later) or Windows 11
Architecture: 64-bit only
Disk space: ~100 MB for the application
Backup target: External USB drive, internal drive, or accessible network share
Cloud sync (optional but recommended): Any cloud storage provider with a Windows desktop sync app. The choice of provider is yours.
Off-site mirror (optional, separate from VaultGuard): Any cloud-to-cloud sync service of your choice, configured by you
Network: Required for license validation (subject to a 7-day grace period if offline) and for cloud sync features
What VaultGuard Backup Does NOT Do
Honest about the limits.
It is not antivirus software. VaultGuard scans with Defender as part of backup operations, but it doesn't replace a real antivirus product running continuously. Use Defender or a third-party AV alongside VaultGuard.
It does not back up Mac or Linux machines. Windows only, for now.
It does not provide cloud storage itself. You bring your own cloud storage account from whichever provider you prefer (and optionally a second account at a different provider for off-site mirroring). VaultGuard moves data into those accounts; we don't host data ourselves.
It does not replace a managed-IT relationship. For Kentucky small businesses that want hands-on setup, monitoring, and support, that's what [Information Security Kentucky's services](services link) are for.
It does not guarantee against data loss. No backup software can. VaultGuard is engineered to make data loss as unlikely as possible and recovery as reliable as possible — but you are still responsible for testing your backups, maintaining redundant copies, and following the 3-2-1 rule.
Final CTA
See for yourself.
A 14-day free trial gives you full feature access, no credit card required to start. Configure VaultGuard against your real environment, run a backup, run a restore, and decide whether the engineering matches the description.