Downloads

Choose what you need

ET Ducky ships in two main flavors. The Desktop App runs locally on a single Windows machine and gives you the full diagnostics dashboard, ETW monitoring, and AI live sessions without deploying anything else. The Endpoint Agent is installed on the machines you want to monitor remotely — one binary handles inventory, behavioral-security rules, ransomware kill-chain detection, and live root-cause analysis. The same dashboard, the same AI, on Windows or Linux. A third category, Standalone Tools, holds open-source utilities that work without a tenant or an agent.

All binaries below are signed and version-pinned. The SHA256SUMS file at the bottom of this page covers every download on this page; verify any of them before installing.

Desktop App

Endpoint Agent

Install on the endpoints you want to monitor. Same agent code on every OS; same dashboard, alerts, and AI live sessions.

Windows

Windows Agent Installer v2.0.1.5

ETW-based kernel monitoring with behavioral-security rules and ransomware kill-chain detection. Installs as a Windows service and registers itself with your tenant on first start.

Installer (.exe) ~22 MB Auto-update enabled
Debian / Ubuntu

Linux Agent (.deb) v2.0.1.5

eBPF-based kernel diagnostics for Debian, Ubuntu, and derivatives. Installs as a systemd service via apt. amd64.

Debian package (.deb) ~27 MB amd64
RHEL / Fedora / CentOS

Linux Agent (.rpm) v2.0.1.5

eBPF-based kernel diagnostics for RHEL, Fedora, CentOS Stream, AlmaLinux, and Rocky Linux. Install with dnf or rpm -i. x86_64.

RPM package (.rpm) ~25 MB x86_64
Other Linux

Linux Agent (universal .run) v2.0.1.5

Self-extracting installer for distros without first-class .deb / .rpm support — Arch, openSUSE, Alpine (with glibc compatibility), or custom builds. Run with sudo sh etducky-agent-2.0.1.5.run.

Self-extracting (.run) ~33 MB x86_64

Standalone Tools

Open-source utilities with no tenant or agent dependency. Source available on GitHub under Apache License 2.0.

Windows 10 / 11

ET Ducky Provider Explorer v1.0.0

Standalone WinForms tool for enumerating, profiling, and learning about ETW providers. Three tabs: browse every published provider on the host, sniff one for cost and event shape with an educational drill-down, and a built-in Help primer on ETW concepts. No cloud, no agent, no telemetry.

Installer (.exe) ~53 MB Administrator required

Prefer no install? Portable .exe (~58 MB) — self-contained, runs from anywhere.

Windows 10 / 11

ET Ducky ProcDelta v1.0.0

Differential environmental diagnosis for Windows app failures. Record a known-good baseline of an app on a working machine, capture the same action on a broken one, and get a deterministic report of every registry, file, network, or runtime difference that could explain the failure. Open-source under Apache License 2.0.

Installer (.exe) ~53 MB Administrator required

Prefer no install? Portable .exe (~58 MB) — self-contained, runs from anywhere.

Windows 10 / 11

ET Ducky AvProfiler v1.0.0

Measure the antivirus tax on your file I/O. Pick a process (or capture system-wide), run a workload, and get a per-path / per-process breakdown of how much slower it ran versus your machine's baseline — plus ready-to-paste exclusion commands for Defender, CrowdStrike, SentinelOne, and Sophos. Open-source under Apache License 2.0.

Installer (.exe) ~53 MB Administrator required

Prefer no install? Portable .exe (~58 MB) — self-contained, runs from anywhere.

Windows 10 / 11

ET Ducky NetPath v1.1.0

End-to-end network diagnosis. Capture every DNS, TCP, TLS, HTTP, and auth event during a workload window, grouped into per-destination “stories” with pattern-matched diagnoses for common failure modes (TLS-inspection proxies, Azure AD Conditional Access denials, Kerberos SPN problems, firewall drops). Recommends the right next-cheapest tool when ETW visibility ends at the browser. Open-source under Apache License 2.0.

Installer (.exe) ~53 MB Administrator required

Prefer no install? Portable .exe (~58 MB) — self-contained, runs from anywhere.

Verify your download

Compare the SHA-256 hash of any download against the signed checksum file below before installing. On Linux, run sha256sum -c SHA256SUMS in the directory where you downloaded the file. On Windows, Get-FileHash <file> -Algorithm SHA256 in PowerShell, then compare to the matching row.

Loading checksums…

Windows installers are Authenticode-signed — right-click the downloaded .exe, choose Properties → Digital Signatures, and confirm the publisher before running.

Looking for source or self-hosted builds?

Self-hosted deployments and on-prem image bundles are documented in the self-hosted guide. Air-gapped customers can request signed offline installers through support — see deployment options for details.