#1 Sidecar Not Running / No System Tray Icon
The sidecar is a Windows service named VexifaCS-Sidecar. Check its status and restart it:
- Press Win + R, type services.msc, press Enter
- Find VexifaCS Sidecar in the list
- If status is Stopped, right-click → Start
- If it fails to start, right-click → Properties → Log On and ensure it's running as Local System
If the service doesn't appear in the list, the installation may be incomplete. Re-run the installer from the downloads page and choose Repair.
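The same checks can be run from PowerShell. This is an added example, not vendor-supplied code; it uses only the service name given above and standard Windows cmdlets, and the event-log lookup on failure is an addition beyond the steps listed.

```powershell
# Added example. Run from an elevated PowerShell prompt: starting a service needs admin rights.
$name = 'VexifaCS-Sidecar'   # service name given on this page

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
if (-not $svc) {
    Write-Warning "$name is not registered. Re-run the installer and choose Repair."
    return
}

# Current state, start mode and log-on account in one line.
'{0}: State={1}  StartMode={2}  LogOn={3}' -f $svc.Name, $svc.State, $svc.StartMode, $svc.StartName

# The page expects Local System; Win32_Service reports that account as "LocalSystem".
if ($svc.StartName -ne 'LocalSystem') {
    Write-Warning "Log-on account is '$($svc.StartName)'. Set it to Local System under Properties > Log On."
}

if ($svc.State -ne 'Running') {
    try {
        Start-Service -Name $name -ErrorAction Stop
        (Get-Service -Name $name).WaitForStatus('Running', [TimeSpan]::FromSeconds(15))
        Write-Host "$name started."
    } catch {
        Write-Warning "Start failed: $($_.Exception.Message)"
        # Service Control Manager records why a start failed (logon failure, missing binary, timeout).
        Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Service Control Manager'
            Level        = 2, 3                      # Error, Warning
            StartTime    = (Get-Date).AddMinutes(-10)
        } -ErrorAction SilentlyContinue |
            Where-Object Message -like '*Sidecar*' |
            Select-Object -First 5 |
            Format-List TimeCreated, Id, Message
    }
}
```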
#2 Scan Returns No Results or Empty Panels
This usually means the sidecar didn't have sufficient permissions to query the system. Try:
- Close Vexifa Cyber Secure completely, then relaunch it using Run as Administrator (right-click the app icon)
- If that resolves it, the scan requires elevated permissions on your system — you can pin a shortcut that always launches with admin rights
If running as admin doesn't help, check that Windows Defender or a third-party antivirus isn't blocking Vexifa Cyber Secure from accessing process and network APIs. Add VexifaCS.exe and VexifaCS-sidecar.exe to your antivirus exclusion list.
#3 CVE Database Fails to Sync
The CVE database syncs from the NVD API. Common causes of sync failure:
- No internet connection: The initial sync requires internet. Confirm you're online and retry.
- NVD API rate limit: The NVD API has a rate limit for unauthenticated requests. If you're on a shared network, wait 30 minutes and retry.
- Firewall blocking outbound HTTPS: Ensure outbound HTTPS (port 443) to services.nvd.nist.gov is not blocked by your corporate firewall or VPN.
- Corrupted local database: Navigate to %AppData%\VexifaCS\ and delete the cve-cache.db file. Restart Vexifa Cyber Secure and re-trigger the sync.
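To tell these causes apart in one pass, the following PowerShell script walks them in order. It is an added example, not part of the product; the probe URL is an assumption (the public NVD CVE API 2.0 endpoint), since the page names only the host, and the -ResetCache switch is a hypothetical parameter of this script.

```powershell
# Added diagnostic example. Run as the affected user so $env:APPDATA points at their profile.
param([switch]$ResetCache)   # hypothetical switch: delete the cache only when asked

$nvdHost = 'services.nvd.nist.gov'                          # host named on this page
$cache   = Join-Path $env:APPDATA 'VexifaCS\cve-cache.db'   # path named on this page

# 1. DNS + TCP 443: separates "offline / firewall / VPN" from API-level failures.
$tcp = Test-NetConnection -ComputerName $nvdHost -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "Cannot reach ${nvdHost}:443. Check connectivity and firewall or VPN rules."
    return
}

# 2. One small HTTPS request. ASSUMPTION: this endpoint is used only as a probe;
#    the page does not say which URL the application calls.
$probe = "https://$nvdHost/rest/json/cves/2.0?resultsPerPage=1"
try {
    $r = Invoke-WebRequest -Uri $probe -UseBasicParsing -TimeoutSec 30
    Write-Host "NVD answered HTTP $($r.StatusCode): network path is open and requests are accepted."
} catch {
    $resp = $_.Exception.Response
    if ($resp) {
        # TCP works but the request was rejected: rate limiting or a filtering proxy.
        Write-Warning "NVD answered HTTP $([int]$resp.StatusCode). Wait 30 minutes and retry."
    } else {
        # TCP connected but TLS/HTTP did not complete: often TLS inspection on a proxy or VPN.
        Write-Warning "HTTPS failed after TCP connected: $($_.Exception.Message)"
    }
    return
}

# 3. Network is fine, so look at the local cache.
if (Test-Path -LiteralPath $cache) {
    $f = Get-Item -LiteralPath $cache
    Write-Host ('Cache: {0} bytes, last written {1}' -f $f.Length, $f.LastWriteTime)
    if ($ResetCache) {
        # Close Vexifa Cyber Secure first; -Confirm prompts before the file is removed.
        Remove-Item -LiteralPath $cache -Confirm
        Write-Host 'Restart Vexifa Cyber Secure and re-trigger the sync.'
    }
} else {
    Write-Host "No cache file at $cache; the next sync will create it."
}
```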
#4 CVE Panel Shows No Vulnerabilities for Installed Apps
This usually means the CVE database hasn't been populated yet, or the installed software inventory is incomplete:
- Go to Settings → CVE Database and confirm the last sync date. If it shows "Never synced", trigger a manual sync.
- The scanner reads from Add/Remove Programs, the Windows Registry software keys, and common installation directories. Software installed outside these paths (portable apps, manual extractions) will not appear.
- After a successful sync, run a new full scan — the CVE matching happens during the scan, not during the sync.
Note: Not all software has CVEs. A clean result on a well-patched, minimally-installed machine is possible. Sort the installed apps list by name and verify your highest-risk applications (browsers, PDF readers, media players) are present.
#5 AI Advisor Not Connecting
Open Settings → AI Provider and verify your configuration:
- For cloud providers (Claude, OpenAI, Gemini, OpenRouter): Confirm the API key is pasted correctly with no leading/trailing spaces. Test the key in the provider's own dashboard to confirm it's valid and has remaining credits.
- For local Ollama: Confirm Ollama is running — open a terminal and run ollama list to see available models. If Ollama isn't running, start it with ollama serve.
- For Ollama model errors: The model name in Settings must exactly match the installed model name shown by ollama list (e.g., phi3:medium not phi3).
After updating settings, click Save and then send a test message like "hello" in the AI Chat tab before asking security questions.
#6 AI Gives Generic Answers Not Specific to My Machine
The AI only has context for data that has been collected by a scan. If you haven't run a scan since installing, the AI has no machine-specific data to work with:
- Run a full attack surface scan from the Dashboard first
- Wait for the scan to complete (30–90 seconds)
- Then open the AI Chat tab and ask your question
The AI context includes your CVE list, active threats, open ports, and weak password count. It does not include your process names, network connection destinations, or filesystem contents — ask specifically about items visible in the Vexifa Cyber Secure panels.
#7 Threat Log Has Too Many False Positives
False positives are expected in the first few days while the monitor learns your normal baseline. To manage them:
- Dismiss trusted alerts: Dismiss alerts from processes you've verified as legitimate. Dismissed alerts are archived and excluded from the active count, but never deleted — you can review them later.
- Use the source filter: Filter the Threat Log by source. If your VPN is triggering every network_monitor alert, filter to other sources to see the rest.
- Ask the AI to verify: Before dismissing, ask the AI: "Is [process name] making connections to [IP] a known false positive?" — it can confirm whether the pattern is common for that software.
#8 Same Threat Reappears After Being Dismissed
A recurring threat means the underlying condition hasn't been resolved — the process, service, or configuration causing the alert is still active and being re-detected by the sidecar monitor.
- If it's a process alert: The process is still running. If you want to stop the alerts, you need to terminate or disable the process, not just dismiss the alert.
- If it's a network alert: The connection to the flagged destination is still active or recurring. Use the AI Advisor to determine if the connection is malicious and how to block it.
- If it's a CVE alert: The vulnerable software is still installed. Patch or remove the application to stop the alert permanently.
Use the AI Advisor for a removal or mitigation plan: "How do I permanently stop the alert for [process/CVE]?"
#9 Hardening Action Fails to Apply
Most hardening actions modify the Windows Registry or system services and require administrator privileges:
- Close Vexifa Cyber Secure and relaunch it as Administrator (right-click → Run as administrator)
- Retry the hardening action from the Hardening page
If the action applies successfully but reverts on the next scan, another application or Group Policy may be overriding the setting. This is common in domain-joined machines where Group Policy enforces specific configurations. In that case, the hardening action cannot be applied via Vexifa Cyber Secure — it must be changed at the domain policy level by your IT administrator.
#10 Risk Score Not Dropping After Completing Hardening
The risk score is recalculated on each full scan. If it isn't dropping after completing hardening actions:
- Run a new full scan: Click Scan Now on the Dashboard. Completed hardening actions only affect the score after a fresh scan — the score doesn't update in real time.
- High-weight items remain: The score is weighted — CVEs with CVSS 9.0+ and high-risk open ports contribute significantly more than Medium-severity hardening completions. If you have critical CVEs, completing low-severity hardening won't move the score much. Prioritize patching the high-CVSS applications first.
- Active threats present: Unresolved active threats in the Threat Log contribute to the score independently of hardening completion. Triage and dismiss or quarantine active threats before expecting a major score drop.