Introducing SiriusGPT: The First Real-Time GPT / LLM AI based Antimalware Solution

 
I like contributing with ideas.

Anyway, depending on the test results I will either send private messages, or text here.

Let’s see if it’s mature enough to be reviewed.
It's ready ;). There was one bug where if one of the 139 esoteric file types was blocked, then the Allow, Block and Quarantine buttons were not visible, but that is fixed for the next version. Other than that, yeah, we are 98-99% there on the models and instructions, and we can tweak them over the next couple of weeks on the backend. I look forward to seeing the test results from other testers ;).
 
Great, was looking forward to the release. Does it update automatically to newer versions? I always kind of miss a "check for updates" button in your products I have to admit.
Yes, I think the auto-update is active; I'd better double-check, though. That reminds me, I need to activate the self-protection as well. The self-protection has been disabled in case something goes wrong, so we can kill Sirius in the task manager, but it is perfectly stable now, so I need to activate it for the next version as well.
 
Is this going to be a separate product or merged into CyberLock as originally planned ?
It is a separate product, but the Sirius engine will be implemented into CyberLock soon, hopefully within 1-2 months. We will need to use the User Prompt from Sirius in CyberLock as well, but I think that will be a great improvement, especially after we finish optimizing the Sirius User Prompt.
 
Small point re the taskbar right-click: having Disable at the top of the list threw me off a tad; I was expecting Show SiriusGPT at the top. (Probably just me.)
That's cool, what order do you think we should put those 4 items? If anyone else wants to offer their suggestions as well, please do.
 
so I have a VM that needs an AV. @danb is SiriusGPT (final version) intended to be THE primary AV and register with Windows Security Center? (sorry if I read over that point)...
That's hard to say. When I first started developing Sirius, it was mainly intended to be a portable app / second-opinion scanner. But now that I have seen what it is capable of, it will probably evolve into a full blown AV... it is already very close to being one. The only thing is, I do not want to clutter it up with all of the ancillary features, like url monitoring, VPN, etc. that most AVs have, so we will probably not have it register with Windows Security Center any time soon. For now, I just want to keep it as a super-light AV companion, like our other products.
 
I say integrate it into CL, but there's no need to make it a full-blown AV. On-access-second-opinion scanner is awesome. But it shouldn't try to overshadow or eclipse CL.
 
Hi Dan,
I ran a scan using SiriusGPT on my virtual machine, and it flagged two applications as unsafe. The reason given was the absence of a digital signature or publisher information, which is similar to how Cyberlock WhiteCloud works.

Applications Initially Marked as Unsafe:
1. SpyTheSpy.exe
  • Location: C:\Program Files (x86)\SpyTheSpy\
  • Purpose: Runs in the background to monitor new file installations. Both the installer and executable are safe.
  • Publisher: MediaChance - SpyTheSpy
    This is an old utility, but it's lightweight and useful for tracking newly installed applications.
2. Windows11FirewallControl.exe
  • Location: C:\Program Files\Windows11FirewallControl
  • Purpose: Acts as a simple firewall layer on top of Windows Defender Firewall. Both the installer and executable are safe.
  • Publisher: GitHub - Windows11FirewallControl
After resetting the Whitelist within SiriusGPT and rescanning my running applications, these two programs were no longer flagged as unsafe.
To test whether this change was stored in memory, I shut down SiriusGPT and performed another scan. The applications were still running but were not marked as unsafe—suggesting the safe status was retained.

My Question:
Where is the data stored for applications that are manually marked as safe?
Is it saved somewhere other than the local whitelist.db?
It would be helpful to view and manage these entries similar to how we use Cyberlock which shows a list of trusted applications.
Very cool, thank you for letting me know! I downloaded both SpyTheSpy and Windows11FirewallControl, and also reviewed the Sirius verdict. Since these are not highly prevalent files, and since they are not digitally signed, I have to agree with the Sirius verdict. If a file is unsigned, but extremely prevalent, then I would expect Sirius to render a Safe verdict. In fact, if you read the Sirius Analysis Reports, you will see that Sirius is aware of most of the prevalent files, and will discuss their attributes in detail, and tell you that it is a safe file. What is even cooler, if you edit a highly prevalent file with a hex editor, Sirius will usually catch this and let you know that the file has been compromised, and render a Not Safe verdict. It is truly unreal what Sirius is capable of.

So anyway, I installed both apps, and performed a snapshot scan, and they were both labeled Not Safe, as expected. I then followed your exact procedure, like resetting the whitelist, restarting Sirius, etc, and then performed another snapshot scan, and both were Not Safe, as expected. So it was working for me.

Please keep in mind, the snapshot scan only scans the processes that are currently running, it does not scan the entire whitelist. So I am guessing that maybe those two processes were not running when you performed the scan again, and they simply did not show up in the snapshot scan results. The reason I say that is because those results are just a simple call to our SQL database, to fetch the results. And as I was saying, I manually reviewed the results in our database, and they were correct. Having said that, if you are able to somehow get these two items to show up as Safe in the snapshot scan results, please send me the steps to reproduce that behavior, because that would mean there is a bug somewhere. But as I was saying, the snapshot scan results are just a simple call to the SQL database, so I do not see how they could be incorrect. The Sirius Final Verdict is stored in the whitelist.db, but the Malware Type, Malware Name and the Analysis Report are not... they are only stored on the SQL server. At some point we will probably have a whitelist editor, but it will probably be in the Web Management Console. Thank you!
 
Hi Dan, will try and replicate what I did previously and try and capture.

Couple of Questions

1. How do I look at the analysis report for items marked as Not Safe? I only see three options: Process Info, Open Location and Exclude File.

Managed to answer this myself: I needed to click on Scan complete to go back to the results page :)
2. When I click on the information icon, how do I go back to the snapshot results? The only way I seem to be able to do this is to re-click the Snapshot Scan button.

Perhaps some hover-over type messages to help with navigation.
 
To access the analysis report, I currently have to perform the following steps:
  1. Click on the "Not Safe" file to open its path.
  2. Right-click the file in Explorer and select SiriusGPT Scan.
  3. This then displays the report.
Is this the intended method for retrieving the report?
Could this process be streamlined by adding a direct "View Report" or "Run Further Analysis" option within the "Not Safe" item context menu?

Windows 1 and 2 in my screenshot appear static, as they cannot be moved or repositioned on the screen. Would it be possible for you to enable repositioning for these windows?
 

Leading from above, I selected ALLOW (Not Safe) on both items and then performed another scan, but the results still showed the two items I marked as Safe.

Is this correct behaviour?
 
Hi Dan, will try and replicate what I did previously and try and capture.

Couple of Questions

1. How do I look at the analysis report for items marked as Not Safe? I only see three options: Process Info, Open Location and Exclude File.

Managed to answer this myself: I needed to click on Scan complete to go back to the results page :)
2. When I click on the information icon, how do I go back to the snapshot results? The only way I seem to be able to do this is to re-click the Snapshot Scan button.

Perhaps some hover-over type messages to help with navigation.
Thank you for mentioning that... we should probably include a menu option to view the analysis report for the selected item. One thing you can do is click the Open Location on the Snapshot Scan context menu, then go to the file and click SiriusGPT Scan, this will show the full analysis report.

For your second question... there should be a magnifying glass to the right of the thumbs icons at the top of the analysis report... that should take you back to the scan results.
 
To access the analysis report, I currently have to perform the following steps:
  1. Click on the "Not Safe" file to open its path.
  2. Right-click the file in Explorer and select SiriusGPT Scan.
  3. This then displays the report.
Is this the intended method for retrieving the report?
Could this process be streamlined by adding a direct "View Report" or "Run Further Analysis" option within the "Not Safe" item context menu?

Windows 1 and 2 in my screenshot appear static, as they cannot be moved or repositioned on the screen. Would it be possible for you to enable repositioning for these windows?
Yes, I wish I had read this post before I responded to the previous one... yes, we should be able to create a menu option for this, thank you for the suggestions!
 
Leading from above, I selected ALLOW (Not Safe) on both items and then performed another scan, but the results still showed the two items I marked as Safe.

Is this correct behaviour?
The Allow button will add the item to the whitelist, but it will still show up as Not Safe until you right click on the item and click Exclude File. This is designed this way out of an abundance of caution, but I suppose we might want to exclude the file from the Snapshot Scan when the Allow button is clicked. We can go either way on this... let me think about the best way to go.
 
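The two behaviours Dan describes in this thread, the verdict rule (signed or highly prevalent is Safe, unsigned and rarely seen or hex-edited is Not Safe, verdict kept in whitelist.db) and the Allow versus Exclude File distinction in the snapshot scan (Allow whitelists the item but it stays visible as Not Safe until it is excluded; only running processes are looked up), fit together as one small model. The following is an added illustration written for this page, not SiriusGPT's code: the prevalence threshold, the SQLite schema, the column names and every file path and byte string are constructed assumptions.

```python
import hashlib
import sqlite3
from dataclasses import dataclass

# Assumed cut-off for "extremely prevalent"; the thread gives no number.
PREVALENCE_THRESHOLD = 10_000


@dataclass
class FileInfo:
    path: str
    content: bytes  # stands in for the executable's bytes on disk
    signed: bool    # True if a valid publisher signature is present


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for backend prevalence data: file hash -> machines seen.
KNOWN_PREVALENCE = {
    sha256(b"MZ-prevalent-tool-sample"): 2_500_000,
}


def verdict(info: FileInfo) -> str:
    """'Safe' for signed files and for unsigned files whose exact hash is highly
    prevalent; 'Not Safe' otherwise. A hex-edited copy of a prevalent file has
    a new hash, so it misses the prevalence lookup and comes out Not Safe."""
    if info.signed:
        return "Safe"
    if KNOWN_PREVALENCE.get(sha256(info.content), 0) >= PREVALENCE_THRESHOLD:
        return "Safe"
    return "Not Safe"


def open_whitelist() -> sqlite3.Connection:
    """In-memory stand-in for whitelist.db; the schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE whitelist ("
        " sha256 TEXT PRIMARY KEY, path TEXT, verdict TEXT,"
        " allowed INTEGER NOT NULL DEFAULT 0, hidden INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def record_verdict(conn: sqlite3.Connection, info: FileInfo) -> str:
    """Store the final verdict only; the analysis report stays on the backend."""
    v = verdict(info)
    digest = sha256(info.content)
    # Insert once, then refresh the verdict, so allowed/hidden flags survive rescans.
    conn.execute("INSERT OR IGNORE INTO whitelist (sha256, path, verdict) VALUES (?, ?, ?)",
                 (digest, info.path, v))
    conn.execute("UPDATE whitelist SET verdict = ?, path = ? WHERE sha256 = ?",
                 (v, info.path, digest))
    return v


def allow_file(conn: sqlite3.Connection, digest: str) -> None:
    """'Allow' button: whitelists the hash but does not hide it from the snapshot."""
    conn.execute("UPDATE whitelist SET allowed = 1 WHERE sha256 = ?", (digest,))


def exclude_file(conn: sqlite3.Connection, digest: str) -> None:
    """'Exclude File' menu item: hides the entry from snapshot results."""
    conn.execute("UPDATE whitelist SET hidden = 1 WHERE sha256 = ?", (digest,))


def snapshot_scan(conn: sqlite3.Connection, running: list) -> dict:
    """Look up only the processes currently running; skip hidden entries."""
    results = {}
    for info in running:
        row = conn.execute("SELECT verdict, hidden FROM whitelist WHERE sha256 = ?",
                           (sha256(info.content),)).fetchone()
        if row is not None and not row[1]:
            results[info.path] = row[0]
    return results


def demo():
    """Constructed scenario: four 'processes', one of them a hex-edited copy."""
    conn = open_whitelist()
    prevalent = FileInfo(r"C:\Tools\prevalent.exe", b"MZ-prevalent-tool-sample", signed=False)
    tampered = FileInfo(r"C:\Temp\prevalent.exe", b"MZ-prevalent-tool-sampl3", signed=False)
    spy = FileInfo(r"C:\Program Files (x86)\SpyTheSpy\SpyTheSpy.exe", b"MZ-spythespy-sample", signed=False)
    signed_tool = FileInfo(r"C:\Tools\signed.exe", b"MZ-signed-sample", signed=True)
    running = [prevalent, tampered, spy, signed_tool]
    verdicts = {f.path: record_verdict(conn, f) for f in running}
    before = snapshot_scan(conn, running)
    allow_file(conn, sha256(spy.content))          # Allow alone: still listed as Not Safe
    after_allow = snapshot_scan(conn, running)
    exclude_file(conn, sha256(spy.content))        # Exclude File: dropped from results
    after_exclude = snapshot_scan(conn, running)
    not_running = snapshot_scan(conn, [prevalent, signed_tool])  # spy not running
    return verdicts, before, after_allow, after_exclude, not_running


if __name__ == "__main__":
    for label, result in zip(("verdicts", "before", "after allow", "after exclude", "not running"), demo()):
        print(label, result)
```

The last snapshot in `demo()` is the case Dan raises: a process that is not running is simply absent from the results, which is indistinguishable on screen from it having been marked Safe unless the whitelist itself is inspected.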
You can use CAPA for the LLM to get better analysis based on CAPA.
Thank you for the suggestion! Yeah, the initial plan was to implement YARA, MISP/IntelMQ, CAPA, and other intelligence feeds on the backend sandbox. But honestly, I do not think we need it, especially if we continue to get the results we are currently getting. Sometimes when we overcomplicate things, things do not turn out as expected. I also love the fact that our Sirius engine is not dependent on any third party software.

Having said that, Sirius will evolve over time, so who knows what we will include ;).