Google safe brwosing blocking this site, but i try to report them of false positive, dns currently shomehow blocking the reporting of domain but ill do that
Introducing SiriusGPT: The First Real-Time GPT / LLM AI based Antimalware Solution
- Thread starter danb
- Start date
- Featured
Thank you for letting me know!!!
Can everyone please click on the following link to report cyberlock.global as safe?
Reported as false positive. Even NextDNS's AI Protection blocks it now. Did you change anything that may cause this?
I don't get it. When I access the site through the link you provided in your first post in this thread - it is getting blocked still.
When I access it through the link on Bleeping Computers it isn't blocked. Anyone can reproduce?
www.bleepingcomputer.com
When I access it through the link on Bleeping Computers it isn't blocked. Anyone can reproduce?
SiriusLLM (Portable) - Anti-Virus, Anti-Malware, and Privacy Software
SiriusLLM (Portable) - posted in Anti-Virus, Anti-Malware, and Privacy Software: SiriusLLM (Portable) is a free second opinion scanner based on LLM (AI): https://cyberlock.global/Sirius.aspx Enabling the Windows Context Menu option allows you to analyze executable files on your PC. The...
That's good news, especially given the great video @Shadowra made where SiriusGPT preformed very well. I'm looking forward to the integrated version. But, if I might ask, what happens in between the time when auto-block begins and when it actually blocks something. I mean, if the file allowed to run during that time? Can the auto-block timer be changed? It seems awfully long to me.
<--------
Last edited:
Thank you for letting me know, this is frustrating. No, there have not been any changes on our website since it was updated with the Sirius page, and that has been at least a month.Reported as false positive. Even NextDNS's AI Protection blocks it now. Did you change anything that may cause this?
View attachment 290798
I went through the process to figure out exactly why they are flagging it as Dangerous, and they did not provide a reason or a specific URL...
The only thing that has changed is that I emailed a guy I know who works at google in their security / AI department to tell him about Sirius a few days ago. I am 100% certain he would not cause issues for us, but I wonder if that somehow led to this. We need to figure it out either way because this is a serious issue for us.
The process is suspended by the kernel mode driver until the gui responds to the driver with the decision. 95% of the analysis time is due to the WhitelistCloud analysis... only about 5% is the SiriusLLM analysis. That is why some files are super fast to analyze and some are slow. For example, if a file was added to the WhitelistCloud database a year ago, it does not have to be reanalyzed by Sirius... it just grabs the WLC result then performs the Sirius analysis. The samples in Shadowra's test were probably very new, so they were certainly not in the WLC database... that is why they took a long time. For every day files, WLC contains most of those, so the Sirius analysis should be pretty quick.
The even better news is that once we are finished refining the Sirius prompt instructions, I am 99% certain we are going to be able to remove WLC completely from all of our products, because most of the time Sirius just kind of ignores the WLC anyway. I am in the process of testing the Sirius results with and without WLC, and so far it looks like Sirius does not need WLC. Although, I think it might be wise to keep WLC for now... it is quite accurate in determining if a file is Safe or Not Safe, but it does have some false positives. But if we do remove WLC completely, the analysis will be a lot faster. We will figure it out either way
. Thank you!
The process is suspended by the kernel mode driver until the gui responds to the driver with the decision. 95% of the analysis time is due to the WhitelistCloud analysis... only about 5% is the SiriusLLM analysis. That is why some files are super fast to analyze and some are slow. For example, if a file was added to the WhitelistCloud database a year ago, it does not have to be reanalyzed by Sirius... it just grabs the WLC result then performs the Sirius analysis. The samples in Shadowra's test were probably very new, so they were certainly not in the WLC database... that is why they took a long time. For every day files, WLC contains most of those, so the Sirius analysis should be pretty quick.
The even better news is that once we are finished refining the Sirius prompt instructions, I am 99% certain we are going to be able to remove WLC completely from all of our products, because most of the time Sirius just kind of ignores the WLC anyway. I am in the process of testing the Sirius results with and without WLC, and so far it looks like Sirius does not need WLC. Although, I think it might be wise to keep WLC for now... it is quite accurate in determining if a file is Safe or Not Safe, but it does have some false positives. But if we do remove WLC completely, the analysis will be a lot faster. We will figure it out either way
I guess I see WLC and VoodooAI to be repetitive and not needed with SiriusGPT. But, I am a self-proclaimed dumbass.
Hey @danb , is there telemetry so that Sirrus can learn from all users' evaluations ?
Not at all, I keep everything as private and secure as possible.
F
ForgottenSeer 123960
I believe a different name would serve the product more effectively.
Sirius Scan
Sirius Scan is an open-source General-Purpose Vulnerability Scanner.
The WLC verdict can actually change over time based on the file's reputation, although it is quite uncommon. So just to be sure, I deleted the old WLC result and tested again, and the new WLC verdict is Safe. The new Sirius verdict did not change, and the confidence actually increased significantly to 92%, and after reading the Sirius Analysis Report, we know exactly why...
"While the internal metadata looks legitimate, the file is **completely unsigned** and imports a mixture of low-level system, privilege, and cryptographic routines together with the cURL library – a combination that is highly atypical for a mere “tray” helper. Coupled with the absence of any export table and the presence of multiple entropy-rich sections, the binary exhibits classic traits of a **dropper / downloader** rather than a bona-fide backup utility. WhitelistCloud’s “Safe” rating is overridden by the stronger behavioural evidence."
### 4. Imports – Suspicious Syscalls & cURL
Beyond the usual CRT and kernel32 routines, the binary explicitly imports:
- **Token impersonation**: `ImpersonateLoggedOnUser`, `RevertToSelf`, `DuplicateTokenEx`, `AdjustTokenPrivileges`, `LookupPrivilegeValueW` – allows running in the context of another user.
- **Service control**: `OpenSCManagerW`, `OpenServiceW`, `ControlService` – can stop/start services (useful for disabling AV or backup agents).
- **Environment-block creation**: `CreateEnvironmentBlock` / `DestroyEnvironmentBlock` – almost exclusively used when spawning processes under a different token.
- **Mini-dump capability**: `MiniDumpWriteDump` – classic credential-stealing or LSASS-dumping primitive.
- **Registry persistence**: `RegCreateKeyExW`, `RegSetValueExW`, `RegDeleteValueW`.
- **File encryption flag**: `DecryptFileW` – suggests awareness of encrypted filesystems (often used to decrypt then re-encrypt ransomware targets).
- **Full cURL API**: `curl_easy_init`, `curl_easy_perform`, `curl_mime_*` – clear network download/upload capability.
The combination of **impersonation + service control + minidump + cURL** is a textbook feature set for:
- Dropping a second-stage payload fetched from an external server.
- Escalating privileges, dumping credentials, then covering tracks.
I have to agree with Sirius on this one... a tray utility does not typically need to perform these types of functions. It would be extremely interesting to see what Sirius would say if the file was signed. Hopefully Hasleo will start signing their files soon and we can see what it says then.
In other words (if I can speak for Sirius for a second
)... that is fine if a tray utility genuinely does need to perform these functions, but it at least needs to be signed and the signature needs to be verified, so what we at least know where the file originated and that it was not tampered with or altered in any way.
I totally agree... Sirius is a great name but there are at least 4-5 AI related Sirius products on the market, and if we are going to change the name, it would be better to do it now since we are just getting started. Thanks again!I believe a different name would serve the product more effectively.
Sirius Scan
Sirius Scan is an open-source General-Purpose Vulnerability Scanner.sirius.publickey.io
You may also like...
-
Testing real-time protection of antiviruses with 10.124 Sample- Started by Dexter_Morgan31
- Replies: 120
-
-
-
MAnalyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
- Started by Microsoft Threat Intelligence
- Replies: 0
-
ESET repports that OilRig’s persistent attacks using cloud service-powered downloaders- Started by Lymphocyte
- Replies: 0