@danb
SiriusLLM detects a dropper in the Fort Firewall program. In my opinion, this is a false positive. Could you please comment on this detection?
Very cool, thank you... this is the EXACT type of file I was asking for above. Basically I am wanting to test questionable / head scratching files that used to be false positives under the old Sirius, with the new Sirius that has a new model lineup and prompt instructions. And this is a perfect example!
The old Sirius did have a "false positive" for this file... I put false positive in quotes because Sirius is especially hard on files created by cybersecurity developers who do not sign their files. Sirius basically has the stance "Cybersecurity developers, of all developers, know how important it is to sign your files, and there is absolutely no excuse for cybersecurity developers to not sign their files. This file is NOT SAFE.".
So I was super curious to test with the new Sirius just to see, knowing that the verdict could EASILY go either way. The new Sirius returned this verdict: Final verdict: Safe with 70% confidence. So I was pretty happy, and then I realized that Sirius reduced its confidence to 70%, so at that point I was even happier.
If you guys have other files like this, please post them... these are super interesting and help me tweak the models and prompt instructions.
Having said that... the results of the new Sirius continue to be truly astonishing. Sirius 1.0 was really good, but the new Sirius is on a totally different level. Remember how I was saying that to make Sirius better, all we have to do is update the model lineup and prompt instructions? Well, I knew it was going to get better, but the results so far have been almost perfect... although the old Sirius had great results as well. The difference is... with the new Sirius, it is much more decisive, so not only is it faster, but it uses fewer tokens.
Having said all that... unsigned files can go either way, especially from cybersecurity developers. Which is exactly the way it should be. If a file is not signed, we have no idea about when the file was created, who created it, if it was tampered with, and so on. It is not unlike finding a USB flash drive on the street and inserting it into your computer and executing all of the files. Thankfully most cybersecurity products are signed.
FYI, here is the old Sirius summary report:
Total tokens: 0 (0 request / 0 response)
File path: C:\Users\User\User\FortFirewall-3.19.9-windows10-x86_64.exe
File hash: c7a60c820f4e2509393607b34176605c43dd1d981684a2b6ab82336cc694877e
File size: 6.31 MB
File publisher: This file is a signable file type but has not been digitally signed.
WhitelistCloud verdict: Not Safe
Final Verdict: Not Safe with 85% confidence.
Analysis Summary
The file presents a set of mixed but ultimately suspicious indicators:
- No digital signature on a 6.5 MB setup installer dated 2018.
- Overlay entropy 8.0 over 6 MB of appended data—classic for InnoSetup bundles that can hide additional payloads.
- Import set is purely high-level Win32/CRT; no cryptographic or networking APIs are imported by the loader stub, yet the bundle could drop executables that do.
- Strings reveal genuine Inno Setup 6.x installer directives and Pascal error classes—consistent with a legitimate NSIS/Inno setup—but also an unpopulated OriginalFilename field and no verifiable publisher identity.
- WhitelistCloud flags it as malicious (albeit with a cautious tendency toward false positives).
Balanced against the absence of overt hostile imports/exports, the decisive points are:
1. Unsigned installer whose stated product name (“Fort Firewall”) is not matched by any reputable cert.
2. Six-megabyte high-entropy overlay ripe for stowing undetected payloads.
3. External reputation tip-off.
While the visible loader code is innocuous, the package as a whole is high-risk.
Detailed Analysis
1. File Authenticity
- Version info claims “Fort Firewall Setup” by Nodir Temirkhodjaev, but no signature means no proof of origin.
- OriginalFilename is blank—often omitted by packed or repackaged installers.
2. Entropy & Structure
- OverlaySize 6337912 bytes with entropy 8.0 → compressed/encrypted blob typical of Inno Setup “setup.exe” containers. Inno itself is benign, but malware frequently borrows it to smuggle secondary binaries.
- SectionEntropy values (6.38 in .text, 5.78 in .rdata) are normal; .data (.idata) entropy 2.30 shows unpacked stubs.
3. Imports
- 122 functions, all standard user-mode APIs; notable absence of WinInet, WinHttp, Crypt* or socket APIs.
- Presence of AdjustTokenPrivileges, LookupPrivilegeValueW and SeShutdownPrivilege strings suggests installer may restart system or elevate.
4. Strings
- Top helpful snippets:
  - /SUPPRESSMSGBOXES /NOCANCEL /VERYSILENT → typical silent-install flags.
  - Wow64DisableWow64FsRedirection → 64-bit-aware dropper behavior.
  - Compressed block is corrupted → LZMA/decompression usage inside Inno.
- No hard-coded IPs, URLs, or known malware campaign markers visible in plain text.
5. Security Features
- ASLR & DEP enabled, no certificate table → good protections on stub, but unsigned payload remains dangerous.
Likely Type
Unsigned but Inno-based installer; whether it drops legitimate “Fort Firewall” or an abused copy is unverifiable. The risk resides in the unsigned, opaque bundle rather than the visible stub code.
Portable Executable Imports
All imports belong to kernel32/user32/advapi32/shell32/oleaut32 runtime. Key observations:
- Process/thread and file APIs (CreateProcessW, CreateFileW, VirtualAlloc, VirtualProtect) support unpacking/loading secondary binaries.
- Registry calls limited to RegOpenKey/RegQueryValue—no writes, consistent with simple setup queries.
- No cryptographic hashes or random-seed APIs imported by the loader stub. Malicious encryption would have to be inside the compressed Inno payload, not the stub.
Because the stub imports only generic APIs, its presence alone is inconclusive; risk is judged from external reputation and unsigned overlay.
Portable Executable Exports
No exports present—expected for an Inno Setup loader.
Portable Executable Strings (Top 15 relevant)
1. `/VERYSILENT`
2. `/SUPPRESSMSGBOXES`
3. `/NOCANCEL`
4. `/CLOSEAPPLICATIONS /RESTARTAPPLICATIONS`
5. `Wow64DisableWow64FsRedirection` / `Wow64RevertWow64FsRedirection`
6. `SeShutdownPrivilege`
7. `Compressed block is corrupted`
8. `USERPROFILE`
9. `GetUserDefaultUILanguage`
10. `InnoSetupLdrWindow`
11. `setupapi.dll`
12. `uxtheme.dll`
13. `dwmapi.dll`
14. `oleacc.dll`
15. `EOutOfMemory / EAccessViolation` (Pascal exceptions)
These reinforce legitimate Inno Setup behavior yet also show readiness for silent elevation and process restart—traits desirable for malware droppers.
Speculative Assessment
Likely an Inno Setup 6 bundle masquerading as “Fort Firewall” but lacking any publisher attestation. Until the compressed payload is extracted and inspected, treat the installer as a potential dropper.
Malware type: Dropper
Malware name: InnoDropper.FortFirewall
Final verdict: Malicious with 85% confidence.
And here is the new one...
Total tokens: 4364 (3673 request / 691 response)
File path: c:\users\user\desktop\fortfirewall-3.19.9-windows10-x86_64.exe
File hash: c7a60c820f4e2509393607b34176605c43dd1d981684a2b6ab82336cc694877e
File size: 6.31 MB
File publisher: This file is a signable file type but has not been digitally signed.
Final Verdict: Safe with 70% confidence.
## Analysis Summary
The provided executable file, fortfirewall-3.19.9-windows10-x86_64.exe, exhibits characteristics that suggest it is a legitimate installer for a firewall application. The file's imports, exports, and strings indicate functionality related to system configuration, file operations, and user interface interactions, which are typical for a setup program. However, the absence of a digital signature and some unusual strings raise concerns about the file's authenticity and potential security risks.
## Detailed Analysis
The file's imports include functions related to system information, file operations, and user interface interactions, such as `GetSystemInfo`, `WriteFile`, `MessageBoxW`, and `CreateWindowExW`. These imports are typical for a setup program and do not immediately suggest malicious activity. The presence of `RegQueryValueExW`, `RegOpenKeyExW`, and `RegCloseKey` imports indicates that the file interacts with the Windows registry, which is a common practice for installers.
The file has no exports, which is not unusual for an installer. The strings section contains a mix of expected and unexpected entries. The presence of `InnoSetupLdrWindow` and `STATIC` suggests that the file is built using the Inno Setup installer framework, which is a legitimate tool for creating Windows installers. However, some strings, such as `An unexpected memory leak has occurred` and `Compressed block is corrupted`, may indicate potential issues with the file's integrity or stability.
The digital signature section reveals that the file is not digitally signed, which is a concern. While the absence of a digital signature does not necessarily indicate malicious activity, it does make it more difficult to verify the file's authenticity and trustworthiness.
## Speculative Assessment
Based on the available attributes and features, it appears that the file is a legitimate installer for a firewall application. The presence of Inno Setup-related strings and the file's overall structure suggest that it is a setup program. However, the absence of a digital signature and some unusual strings raise concerns about the file's authenticity and potential security risks.
## Final Verdict
Given the analysis, the file's behavior and characteristics do not strongly indicate malicious activity. However, the absence of a digital signature and some unusual strings warrant caution. Since the confidence in the file being safe is higher than it being malicious based on the provided information, the verdict leans towards safety, but with a moderate confidence level due to the mentioned concerns.
Malware type:
Malware name:
Final verdict: Safe with 70% confidence.
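As an added example (not from this thread, and not Sirius or VoodooShield code), here is a small standard-library Python script that pulls the attributes both reports above weigh straight out of a PE file: whether the Attribute Certificate Table (where an Authenticode signature lives) is populated, the size and Shannon entropy of the overlay appended after the last section, the SHA-256, and whether the Inno Setup loader marker strings are present. Everything in it is an assumption of the example rather than something the reports describe: the `build_sample_pe` helper that constructs two minimal PE32 files inline (one with an entropy-8.0 overlay and no certificate table, like the installer in the reports, one with a placeholder certificate blob and no overlay), the marker list, and the 7.5 entropy threshold used to flag an overlay as compressed or encrypted.

```python
import hashlib
import math
import struct

# Marker strings the reports above associate with the Inno Setup loader (assumed list)
INNO_MARKERS = (b"InnoSetupLdrWindow", b"Inno Setup")
HIGH_ENTROPY = 7.5  # assumed threshold: above this an overlay is treated as compressed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk the PE headers to find the certificate table and the overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directory starts at 0x60 in a PE32 optional header, 0x70 in PE32+
    dd_off = opt + (0x60 if magic == 0x10B else 0x70)
    # Entry 4 is the Attribute Certificate Table. Unlike the other entries its first
    # field is a file offset, not an RVA; a size of 0 means no Authenticode blob at all.
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    # The overlay is whatever follows the last section's raw data on disk
    sec_table = opt + opt_size
    end_of_sections = 0
    for i in range(nsec):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    # The certificate blob is itself appended data, so exclude it from the overlay measure
    overlay_end = cert_off if cert_size and cert_off >= end_of_sections else len(data)
    overlay = data[end_of_sections:overlay_end]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "has_cert_table": cert_size > 0,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "inno_setup": any(m in data for m in INNO_MARKERS),
    }


def assess(data: bytes) -> dict:
    """Turn the parsed attributes into findings of the kind the reports above list."""
    info = parse_pe(data)
    findings = []
    if not info["has_cert_table"]:
        findings.append("no Authenticode certificate table: publisher cannot be verified")
    if info["overlay_size"] and info["overlay_entropy"] >= HIGH_ENTROPY:
        findings.append("high-entropy overlay: compressed or encrypted appended data")
    if info["inno_setup"]:
        findings.append("Inno Setup loader markers present")
    info["findings"] = findings
    return info


def build_sample_pe(overlay: bytes, with_cert: bool = False) -> bytes:
    """Constructed minimal PE32 file: DOS header, PE headers, one .text section, overlay."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 0x24, 0x200)                    # FileAlignment
    struct.pack_into("<I", opt, 0x5C, 16)                       # NumberOfRvaAndSizes
    section = bytearray(40)
    section[:8] = b".text\0\0\0"
    struct.pack_into("<IIII", section, 8, 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    struct.pack_into("<I", section, 36, 0x60000020)             # code | execute | read
    body = b"InnoSetupLdrWindow\0".ljust(0x200, b"\0")          # section data carries the marker
    cert = b""
    if with_cert:
        cert = b"PLACEHOLDER-WIN_CERTIFICATE".ljust(64, b"\0")  # constructed, not a real signature
        struct.pack_into("<II", opt, 0x80, 0x400 + len(overlay), len(cert))  # dir entry 4
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(0x200, b"\0")
    return bytes(headers + body + overlay + cert)


if __name__ == "__main__":
    # bytes(range(256)) repeated gives an overlay with entropy exactly 8.0, as in the report
    opaque = build_sample_pe(bytes(range(256)) * 24)
    plain = build_sample_pe(b"", with_cert=True)
    for name, blob in (("unsigned-with-overlay", opaque), ("cert-table-no-overlay", plain)):
        print(name, assess(blob))
```

The certificate-table check only says whether a signature blob is attached; it does not validate it. Confirming that the blob's hash covers the file, that the chain terminates at a trusted root and that the timestamp holds requires the OS verifier (WinVerifyTrust on Windows) or a signing tool, which is deliberately outside this block. The overlay is measured up to the certificate offset rather than the end of the file because an Authenticode blob is itself appended data and would otherwise distort the entropy figure.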