Introducing SiriusGPT: The First Real-Time GPT / LLM AI based Antimalware Solution

[danb]

Care to elaborate further ? I am missing your point about instruction sets.

You missed my edit @danb,
EDIT You'll probably have to replicate what the AV vendors are doing with zero days, telemetry and things.

Of course we'll still be friends, sorry for stomping on your optimism. I am such a skeptic sometimes.

The instructions are the part of the request prompt to the LLM. Each file / instruction type has a different set of instructions to send to the LLM in the request prompt. So for example, if we have too many false positives or negatives, I can analyze the misses and update the instruction sets on the server and it fixes the misses. And since it is on the server, we do not have to update all of the client software.

We are actually trying to do something quite different from traditional AV vendor engines.

Being a skeptic is a great thing, especially in the cybersecurity space... but empirical evidence trumps speculation every time .

 

[danb]

Or additionally put the AI to work inside your sandbox.

We are already using a hybrid approach. But keep in mind, we are not using the shotgun / everything but the kitchen sink approach that most other sandboxes use. Typically, whenever a new sandbox is developed, the developers want to include every single feature and metadata... which results in a huge mess of meaningless data, and in the AI world, overfitting. So for portable executables / compiled files, we started with the bare minimum features and metadata, and we will add new ones as needed (when there are misses / incorrect verdicts). Call me crazy, but I thought this was the best approach, especially since overfitting is a real concern with AI. So far, so good on PE / compiled files... we have had a handful of misses, and once we have enough to either create new prompt instructions or include additional features or metadata, then we will add them. But so far we have not had enough misses to do so... but we will at some point .

As far as non-pe / text based malware, it is pretty much finalized, and I will be shocked if we have to add any other prompt instructions or metadata. The command line analysis is super close, but I am certain that we will be adjusting these instructions a little... I am guessing 4-5 more instructions should do the trick (in the next 2-4 weeks).

BTW, that is probably all I am going to say about how our tech works for now .

 

[danb]

It's been really interesting reading the development and it's certainly coming a long way. I've been a bit busy at this end to give it a whirl but look forward to see how it's implemented into CyberLock. You could package it a lot of different ways like DefenderUIPro contains some CL capabilities. I love what CL does and excited about some Siris parts to be added but you could also do SirisGPT as either an additional tool at a discounted price if you already have CL or and SiriusGPT as a standalone tool for the likes of malware testers etc.

Anyway, great stuff @danb

Thank you, I appreciate that! Please look at post #87... that is what I had in mind so far for the licensing, but thank you for the suggestion, we might do it that way instead. Either way, I want to keep the licensing as simple as possible. As far as the Sirius CyberLock implementation goes, we will probably keep the old User Prompt that does not have the Sirius results, just in case old school users do not want the Sirius features. But we will also add the current SiriusGPT user prompt to CyberLock, DefenderUI and WDAC Lockdown... that is probably the best of both worlds. It will probably be at least 3-4 weeks before we start integrating Sirius into our other products. Mainly because I really do need to take a break from coding marathons... the last 3-5 days of Sirius development was true hell. Quick fix here and there are fun, but 80 hours a week of coding for several months in a row can get to a person . The other reason we should wait is to make sure all of the bugs are completely worked out of Sirius, that way we can avoid having to fix 4 apps for a single bug fix.

 

[Shadowra]

I am currently testing and studying it (on the old VM, the new one is not yet finished, which is why there are no videos).

The project is interesting and is also running on my PC at the moment. Here are some images

Question: where do the detection names come from?

Spoiler: VBS:Nemucod (AsyncRAT dropper)

Spoiler: Ransom.Chaos

Spoiler: ConnectWise

Spoiler: Monitoring.AlertaAgent

His video is scheduled for around September 10, if all goes well, so that I can play around with it a little more and finish what I have to do on my channel and videos (SiriusGPT will also launch the new intro).

 

[danb]

I am currently testing and studying it (on the old VM, the new one is not yet finished, which is why there are no videos).

The project is interesting and is also running on my PC at the moment. Here are some images

Question: where do the detection names come from?

Spoiler: VBS:Nemucod (AsyncRAT dropper)

View attachment 290618

Spoiler: Ransom.Chaos

View attachment 290620

Spoiler: ConnectWise

View attachment 290621View attachment 290622

Spoiler: Monitoring.AlertaAgent

View attachment 290623

His video is scheduled for around September 10, if all goes well, so that I can play around with it a little more and finish what I have to do on my channel and videos (SiriusGPT will also launch the new intro).

Very cool, thank you @Shadowra, I am super excited to see what all you find! @Trident, suggested that we include the malware names, and I thought it was a killer idea, so I implemented it a couple of days after. The names are automatically generated by the LLM model, because we include the malware name and type feature in the prompt request instructions. BTW, if you click on the Sirius logo at the top left of the main gui, you will see several different AI Assistant names / colors. Grok created all of the names and colors on his / her own. And if you look at each one, you will be like "Digital Aurora... yeah, that is exactly what I would describe as a digital aurora" . In short, LLM's are MUCH more intelligent then what people give them credit for.

 

[danb]

Very cool, thank you @Shadowra, I am super excited to see what all you find! @Trident, suggested that we include the malware names, and I thought it was a killer idea, so I implemented it a couple of days after. The names are automatically generated by the LLM model, because we include the malware name and type feature in the prompt request instructions. BTW, if you click on the Sirius logo at the top left of the main gui, you will see several different AI Assistant names / colors. Grok created all of the names and colors on his / her own. And if you look at each one, you will be like "Digital Aurora... yeah, that is exactly what I would describe as a digital aurora" . In short, LLM's are MUCH more intelligent then what people give them credit for.

BTW, you probably already know this, but you can switch from AutoPilot to Dynamic Security Postures (Smart Mode), if you want. Also, please email me your code if you need more tokens for testing.

 

[danb]

Sorry, one last thing... if you happen to find any of the 139+ file types that Sirius blocks as Unknown (because it does not perform the analysis), but you think is a good file type candidate for Sirius Analysis, please let me know. I have not tested all 139+ file types yet .

 

[Victor M]

@Shadowra btw, put some known non-malware files into your test. I think danb may also need some verification on that front.

 

[danb]

@Shadowra btw, put some known non-malware files into your test. I think danb may also need some verification on that front.

Absolutely! Here is a cool trick... go to any of the AI's and have it generate a long benign script of any kind, then test it with Sirius. The result will be Safe. I use Grok, Copilot and ChatGPT for coding and to create test scripts like this. Unfortunately I have not been able to get them to create any fake malicious scripts yet, because of the AI guardrails. BTW, Grok and ChatGPT are not included in the 3 main Sirius analysis models (fyi).

Victor, I would be more than happy to email you all of the results so you can see them for yourself. You might find a small handful of false positives and negatives, but 99.??% will be correct. And when there is a miss, there is usually a pretty darn good reason. If so, please email me and I will export our database and send it to you... support at cyberlock dot global.

 

[Shadowra]

@Shadowra btw, put some known non-malware files into your test. I think danb may also need some verification on that front.

Completely planned, even more so, hence the release date of the video has been extended

 

[Victor M]

@danb ChatGPT produced a test harness for you using EICAR string. I guess you must have done that, or do you want it?

 

[danb]

@danb ChatGPT produced a test harness for you using EICAR string. I guess you must have done that, or do you want it?

I actually tested with EICAR about a month ago, and I cannot remember why I believed it really did not apply to Sirius... but either way it was not a valid test for our tech.

Hopefully you got the results... I emailed you the attached results but your mail server replied "554 5.1.8 Email could not be delivered for policy reasons.". So I uploaded them to our server and sent you a link, so hopefully that will work.

 

[Victor M]

@danb I asked a better question this time. See if you want it:

Hey Chat, why dont you make a non-lethal test malware that uses obfuscation and other malware tricks of the trade and make it look fishy and see if Dan needs it? He says he has used copilot, grok and you to do work.

And chat said :

I can’t create malware or obfuscation meant to evade detection—even for testing. But I can give you a safe “fishy-looking” artifact generator for Windows that produces inert files with traits analysts associate with malware (RLO filename trick, double-extensions, ADS, high-entropy blobs, nested and passworded ZIPs, Internet zone markers). It uses only EICAR and random bytes—no persistence, no execution, no registry changes.

Do you want that ?

 

[danb]

@danb I asked a better question this time. See if you want it:

Hey Chat, why dont you make a non-lethal test malware that uses obfuscation and other malware tricks of the trade and make it look fishy and see if Dan needs it? He says he has used copilot, grok and you to do work.

And chat said :

I can’t create malware or obfuscation meant to evade detection—even for testing. But I can give you a safe “fishy-looking” artifact generator for Windows that produces inert files with traits analysts associate with malware (RLO filename trick, double-extensions, ADS, high-entropy blobs, nested and passworded ZIPs, Internet zone markers). It uses only EICAR and random bytes—no persistence, no execution, no registry changes.

Do you want that ?

Sorry, I realized what you meant after I clicked the Post reply button . Sure, anything like this that you guys find that we can test, absolutely please send it to me.

 

[Victor M]

I added an extra requirement: "keep that part and add EFS encrypting of a specific file named "dan.txt" ."

Here it is :


# Fishy-but-Harmless Test Pack + EFS (Windows)
Generates suspicious-looking artifacts for static/heuristic testing.
Adds: dan.txt creation + EFS encryption via cipher.exe
Contents: EICAR-ish variants, RLO filename, double-extension, ADS payload,
high-entropy blob, Zone.Identifier, nested ZIPs, optional 7-Zip PW ZIP,
benign LNK to Notepad, EFS-encrypted dan.txt, inventory log.
#>

[CmdletBinding()] param([string]$OutDir)

$EICAR = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Output folder
if (-not $OutDir) {
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$OutDir = Join-Path $env:USERPROFILE "Desktop\FishyButHarmless-$stamp"
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Write-AsciiNoNl([string]$Path,[string]$Text){
Set-Content -LiteralPath $Path -Value $Text -NoNewline -Encoding Ascii
}

# 1) Double-extension executable-looking file (content is EICAR string)
$invoice = Join-Path $OutDir 'Invoice_Q3_2025.pdf.exe'
Write-AsciiNoNl $invoice $EICAR

# 2) Unicode RLO filename trick (renders like photoexe.png in some UIs)
$RLO = [char]0x202E
$photo = Join-Path $OutDir ("photo$RLO" + "gnp.exe")
Write-AsciiNoNl $photo $EICAR
(Get-Item $photo).Attributes = 'Hidden','System'

# 3) Innocent carrier + ADS payload (EICAR in alternate stream)
$innocent = Join-Path $OutDir 'innocent.txt'
Write-AsciiNoNl $innocent 'hello'
Set-Content -LiteralPath "$innocentayload.bin" -Value $EICAR -NoNewline -Encoding Ascii

# 4) High-entropy blob (simulates packed payload; harmless random bytes)
$packed = Join-Path $OutDir 'packed.bin'
$bytes = New-Object byte[] (200KB)
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[IO.File]::WriteAllBytes($packed,$bytes)

# 5) Mark a couple as 'downloaded from Internet' (Zone.Identifier ADS)
$zi = "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=http://example.local/offer`r`nHostUrl=http://example.local/download/invoice`r`n"
Set-Content -LiteralPath "$invoice:Zone.Identifier" -Value $zi -Encoding Unicode
Set-Content -LiteralPath "$photo:Zone.Identifier" -Value $zi -Encoding Unicode

# 6) Archives: single + nested (native Compress-Archive)
$zip1 = Join-Path $OutDir 'drop.zip'
$zip2 = Join-Path $OutDir 'double.zip'
if (Test-Path $zip1) { Remove-Item $zip1 -Force }
if (Test-Path $zip2) { Remove-Item $zip2 -Force }
Compress-Archive -Path $invoice,$photo,$innocent -DestinationPath $zip1
Compress-Archive -Path $zip1 -DestinationPath $zip2

# 7) Passworded ZIP (if 7-Zip available; password: infected)
$zipPw = Join-Path $OutDir 'protected.zip'
$seven = Get-Command 7z.exe -ErrorAction SilentlyContinue
if ($seven) {
if (Test-Path $zipPw) { Remove-Item $zipPw -Force }
& $seven.Path a -tzip "-pinfected" -mem=AES256 $zipPw $invoice | Out-Null
} else {
"Install 7-Zip to generate passworded archives: $zipPw (pw: infected)" |
Out-File -FilePath (Join-Path $OutDir 'NOTE-7zip.txt')
}

# 8) Benign shortcut (LNK) with document-y name, target = Notepad
$wsh = New-Object -ComObject WScript.Shell
$lnkPath = Join-Path $OutDir 'Report_2025_Q3.pdf.lnk'
$lnk = $wsh.CreateShortcut($lnkPath)
$lnk.TargetPath = "$env:SystemRoot\System32\notepad.exe"
$lnk.IconLocation = "$env:SystemRoot\System32\shell32.dll,1"
$lnk.Save()

# === NEW: 9) Create and EFS-encrypt dan.txt ===
$dan = Join-Path $OutDir 'dan.txt'
# harmless content (timestamped)
"Dan EFS test - $(Get-Date -Format o)" | Set-Content -LiteralPath $dan -Encoding UTF8

# Try EFS encrypt with cipher.exe; log outcome + verify attribute
$efsNote = Join-Path $OutDir 'NOTE-EFS.txt'
try {
$proc = Start-Process -FilePath "$env:SystemRoot\System32\cipher.exe" `
-ArgumentList "/E","/A","$dan" -NoNewWindow -PassThru -Wait
if ($proc.ExitCode -eq 0) {
# Verify via attributes and cipher /C
$attr = (Get-Item -LiteralPath $dan -Force).Attributes
$isEnc = ($attr.ToString() -like "*Encrypted*")
$check = & "$env:SystemRoot\System32\cipher.exe" /C "$dan" 2>&1
if ($isEnc) {
"EFS encryption OK for: $dan`r`n`r`n$check" | Out-File -FilePath $efsNote -Encoding UTF8
} else {
"EFS attempted but file does not show Encrypted attribute. Details:`r`n$check" | Out-File -FilePath $efsNote -Encoding UTF8
}
} else {
"cipher.exe returned $($proc.ExitCode). EFS likely unsupported here. Try Windows Pro/Enterprise/Education on NTFS." |
Out-File -FilePath $efsNote -Encoding UTF8
}
} catch {
"EFS step failed: $($_.Exception.Message). If this is Windows Home or non-NTFS, EFS isn't available." |
Out-File -FilePath $efsNote -Encoding UTF8
}

# 10) Inventory (path, size, SHA-256, Attributes, Encrypted flag)
$inv = Get-ChildItem -LiteralPath $OutDir -Force -File |
ForEach-Object {
$h = Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName
$attrs = $_.Attributes.ToString()
$enc = ($attrs -like "*Encrypted*")
[pscustomobject]@{
Path = $_.FullName
Name = $_.Name
SizeBytes = $_.Length
SHA256 = $h.Hash
Attributes = $attrs
Encrypted = $enc
}
}
$csv = Join-Path $OutDir 'inventory.csv'
$inv | Sort-Object Name | Export-Csv -NoTypeInformation -Path $csv -Encoding UTF8

Write-Host "`n== Generated suspicious-but-harmless pack =="
Write-Host "OutDir: $OutDir"
Write-Host "Log: $csv"
if (Test-Path $zipPw) { Write-Host "Passworded ZIP: $zipPw (password: infected)" }
Write-Host "EFS status note: $efsNote"

What’s new (and how to verify)

dan.txt is created, then EFS-encrypted using cipher.exe /E /A dan.txt.

The script writes NOTE-EFS.txt with the outcome and cipher /C details.

Inventory now includes Attributes and an Encrypted boolean so you can confirm telemetry vs. the filesystem state.

Quick checks

cipher /C "<OutDir>\dan.txt" → should report Encrypted (and show the thumbprint of the EFS cert).

Get-Item "<OutDir>\dan.txt" | fl Attributes → contains Encrypted.

Try copying dan.txt to another user profile; they should not be able to read it (tests access semantics).

Decrypt cleanup (optional): cipher /D /A "<OutDir>\dan.txt".

If you want this merged into the earlier PowerShell harness with local HTTP server too, I can deliver a combined version so you and Dan get EICAR basics + fishy pack + EFS in one run.

 

[Victor M]

Don't get your hopes too high, stupid chatgpt code may not work. Look over it once.

 

[Victor M]

Sorry that is not what I wanted it to do, so I said " Now roll all of that one into one artifact "

And here's I got:

Perfect — here’s a single Windows PowerShell “all-in-one” artifact that bundles everything:

• EICAR variants (multi-extension, archives, nested, optional passworded ZIP)
• “Fishy-looking” samples (RLO filename, double-extension, ADS, Zone.Identifier, hidden/system attrs, high-entropy blob, benign LNK)
• EFS-encrypt dan.txt
• Optional local HTTP server to test download/stream scanning
• Optional GTUBE email sender
• Inventory logs (CSV + JSON) with path, size, SHA-256, attributes, and Encrypted flag

Run on Windows 10/11, PowerShell 5+. No admin required. EFS needs NTFS + Pro/Enterprise/Education.

<#
All-In-One Safe Test Artifact for CyberLock/SirusLLM (Windows)
Generates harmless but “suspicious-looking” files + EICAR/GTUBE controls, EFS encryption on dan.txt,
optional local HTTP server, and full inventory logging.

Examples:
.\AllInOne-CyberLock.ps1
.\AllInOne-CyberLock.ps1 -WithHttpServer -Port 8080
.\AllInOne-CyberLock.ps1 -OutDir "C:\Tests\CL"

#>

[CmdletBinding()]
param(
[switch]$WithHttpServer,
[int]$Port = 8080,
[string]$OutDir
)

# -------------------- Constants --------------------
$EICAR = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$GTUBE = 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'
$RLO = [char]0x202E # Right-to-Left Override for filename trick

# -------------------- Output folder --------------------
if (-not $OutDir) {
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$OutDir = Join-Path $env:USERPROFILE "Desktop\CL-SafePack-$stamp"
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Set-Location $OutDir

# -------------------- Helpers --------------------
function Write-AsciiNoNl([string]$Path,[string]$Text){
Set-Content -LiteralPath $Path -Value $Text -NoNewline -Encoding Ascii
}

function Add-InvRow {
param([string]$Path)
if (Test-Path -LiteralPath $Path) {
$fi = Get-Item -LiteralPath $Path -Force
$h = Get-FileHash -Algorithm SHA256 -LiteralPath $Path
$script:INV += [pscustomobject]@{
Path = $fi.FullName
Name = $fi.Name
SizeBytes = $fi.Length
SHA256 = $h.Hash
Attributes = $fi.Attributes.ToString()
Encrypted = ($fi.Attributes.ToString() -like '*Encrypted*')
CreatedUTC = $fi.CreationTimeUtc.ToString('o')
}
}
}

# Simple HTTP file server (Ctrl+C to stop)
function Start-SimpleHttpServer {
param([int]$Port,[string]$Root)
Add-Type -AssemblyName System.Net.HttpListener
$prefix = "http://localhost:$Port/"
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add($prefix)
$listener.Start()
Write-Host "Serving $Root at $prefix (Ctrl+C to stop)."
try {
while ($listener.IsListening) {
$ctx = $listener.GetContext()
$req = $ctx.Request
$res = $ctx.Response
$rel = $req.Url.AbsolutePath.TrimStart('/')
if ([string]::IsNullOrWhiteSpace($rel)) { $rel = 'index.html' }
$target = Join-Path $Root $rel
if (-not (Test-Path $target)) {
if ($rel -eq 'index.html') {
$links = (Get-ChildItem -File -Path $Root -Force | ForEach-Object { "<li><a href=""$($_.Name)"">$($_.Name)</a></li>" }) -join "`n"
$html = "<html><body><h3>CyberLock Test Files</h3><ul>$links</ul></body></html>"
$bytes = [Text.Encoding]::UTF8.GetBytes($html)
$res.ContentType = 'text/html; charset=utf-8'
$res.StatusCode = 200
$res.OutputStream.Write($bytes,0,$bytes.Length)
$res.Close(); continue
} else { $res.StatusCode = 404; $res.Close(); continue }
}
try {
$bytes = [System.IO.File]::ReadAllBytes($target)
$res.ContentType = 'application/octet-stream'
$res.StatusCode = 200
$res.AddHeader('Content-Disposition', "inline; filename=""$([IO.Path]::GetFileName($target))""")
$res.OutputStream.Write($bytes,0,$bytes.Length)
} catch { $res.StatusCode = 500 } finally { $res.Close() }
}
} finally { $listener.Stop(); $listener.Close() }
}

# Optional GTUBE email sender
function Send-GtubeTestEmail {
param(
[Parameter(Mandatory)] [string]$SmtpServer,
[Parameter(Mandatory)] [int]$Port,
[Parameter(Mandatory)] [string]$From,
[Parameter(Mandatory)] [string]$To,
[Parameter(Mandatory)] [string]$User,
[Parameter(Mandatory)] [string]$Password,
[switch]$UseSsl
)
Add-Type -AssemblyName System.Net.Mail
$msg = [System.Net.Mail.MailMessage]::new($From,$To)
$msg.Subject = 'GTUBE Anti-Spam Test'
$msg.Body = $GTUBE
$client = [System.Net.Mail.SmtpClient]::new($SmtpServer,$Port)
$client.EnableSsl = [bool]$UseSsl
$client.Credentials = New-Object System.Net.NetworkCredential($User,$Password)
$client.Send($msg)
"Sent GTUBE test email from $From to $To"
}

# -------------------- Generate Artifacts --------------------
$INV = @()
$noteList = @()

# A) EICAR variants (masquerading/extensions)
$eicarExts = @('com','exe','txt','pdf','docx','bin')
$eicarFiles = @()
foreach ($ext in $eicarExts) {
$p = Join-Path $OutDir ("eicar.$ext")
Write-AsciiNoNl $p $EICAR
$eicarFiles += $p
Add-InvRow $p
}

# B) Fishy double-extension (looks like doc/PDF, is .exe)
$invoice = Join-Path $OutDir 'Invoice_Q3_2025.pdf.exe'
Write-AsciiNoNl $invoice $EICAR
Add-InvRow $invoice

# C) RLO filename trick (shows as photoexe.png)
$photo = Join-Path $OutDir ("photo$RLO" + "gnp.exe")
Write-AsciiNoNl $photo $EICAR
(Get-Item $photo).Attributes = 'Hidden','System'
Add-InvRow $photo

# D) Innocent carrier + ADS payload
$innocent = Join-Path $OutDir 'innocent.txt'
Write-AsciiNoNl $innocent 'hello'
Set-Content -LiteralPath "$innocentayload.bin" -Value $EICAR -NoNewline -Encoding Ascii
Add-InvRow $innocent # ADS ties to this file

# E) High-entropy blob (harmless random)
$packed = Join-Path $OutDir 'packed.bin'
$bytes = New-Object byte[] (200KB)
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[IO.File]::WriteAllBytes($packed,$bytes)
Add-InvRow $packed

# F) Mark “downloaded from Internet” (Zone.Identifier ADS)
$zi = "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=http://example.local/offer`r`nHostUrl=http://example.local/download/invoice`r`n"
Set-Content -LiteralPath "$invoice:Zone.Identifier" -Value $zi -Encoding Unicode
Set-Content -LiteralPath "$photo:Zone.Identifier" -Value $zi -Encoding Unicode

# G) Archives: single + nested
$zip1 = Join-Path $OutDir 'eicar.zip'
$zip2 = Join-Path $OutDir 'eicar_nested.zip'
if (Test-Path $zip1) { Remove-Item $zip1 -Force }
if (Test-Path $zip2) { Remove-Item $zip2 -Force }
Compress-Archive -Path (Join-Path $OutDir 'eicar.com') -DestinationPath $zip1
Compress-Archive -Path $zip1 -DestinationPath $zip2
Add-InvRow $zip1
Add-InvRow $zip2

# H) Passworded ZIP (7-Zip, password: infected)
$zipPw = Join-Path $OutDir 'eicar_pw.zip'
$seven = Get-Command 7z.exe -ErrorAction SilentlyContinue
if ($seven) {
if (Test-Path $zipPw) { Remove-Item $zipPw -Force }
& $seven.Path a -tzip "-pinfected" -mem=AES256 $zipPw (Join-Path $OutDir 'eicar.com') | Out-Null
Add-InvRow $zipPw
} else {
$noteList += "7-Zip not found; skipping passworded zip ($zipPw). Install 7-Zip and re-run."
}

# I) Benign LNK pointing to Notepad
$wsh = New-Object -ComObject WScript.Shell
$lnkPath = Join-Path $OutDir 'Report_2025_Q3.pdf.lnk'
$lnk = $wsh.CreateShortcut($lnkPath)
$lnk.TargetPath = "$env:SystemRoot\System32\notepad.exe"
$lnk.IconLocation = "$env:SystemRoot\System32\shell32.dll,1"
$lnk.Save()
Add-InvRow $lnkPath

# J) Create + EFS-encrypt dan.txt
$dan = Join-Path $OutDir 'dan.txt'
"Dan EFS test - $(Get-Date -Format o)" | Set-Content -LiteralPath $dan -Encoding UTF8
$efsNote = Join-Path $OutDir 'NOTE-EFS.txt'
try {
$proc = Start-Process -FilePath "$env:SystemRoot\System32\cipher.exe" `
-ArgumentList "/E","/A","$dan" -NoNewWindow -PassThru -Wait
if ($proc.ExitCode -eq 0) {
$attr = (Get-Item -LiteralPath $dan -Force).Attributes
$isEnc = ($attr.ToString() -like "*Encrypted*")
$check = & "$env:SystemRoot\System32\cipher.exe" /C "$dan" 2>&1
if ($isEnc) {
"EFS encryption OK for: $dan`r`n`r`n$check" | Out-File -FilePath $efsNote -Encoding UTF8
} else {
"EFS attempted but file does not show Encrypted attribute. Details:`r`n$check" | Out-File -FilePath $efsNote -Encoding UTF8
}
} else {
"cipher.exe returned $($proc.ExitCode). EFS likely unsupported (requires NTFS + Pro/Ent/Edu)." |
Out-File -FilePath $efsNote -Encoding UTF8
}
} catch {
"EFS step failed: $($_.Exception.Message). If Windows Home or non-NTFS, EFS isn't available." |
Out-File -FilePath $efsNote -Encoding UTF8
}
Add-InvRow $dan
Add-InvRow $efsNote

# -------------------- Inventory logs --------------------
$csv = Join-Path $OutDir 'inventory.csv'
$json = Join-Path $OutDir 'inventory.json'
$INV | Sort-Object Name | Export-Csv -NoTypeInformation -Path $csv -Encoding UTF8
$INV | Sort-Object Name | ConvertTo-Json -Depth 4 | Out-File -FilePath $json -Encoding UTF8

# -------------------- Optional HTTP server --------------------
if ($WithHttpServer) {
Start-SimpleHttpServer -Port $Port -Root $OutDir
}

Write-Host "`n== Done =="
Write-Host "Output folder: $OutDir"
Write-Host "Logs: $csv , $json"
if (Test-Path $zipPw) { Write-Host "Passworded ZIP: $zipPw (password: infected)" }
Write-Host "EFS note: $efsNote"
Write-Host "Tip: test on-access, on-demand, extract ZIPs (incl. pw ZIP), download via HTTP, and verify telemetry vs inventory."

Quick use & checks

Run it, then:

Open/copy/rename items (on-access).

Scan the folder (on-demand).

Extract eicar.zip, eicar_nested.zip, and eicar_pw.zip (if present; pw infected).

If started with -WithHttpServer, download http://localhost:8080/eicar.com.

Verify dan.txt is Encrypted: cipher /C "<OutDir>\dan.txt".

Cross-check detections vs inventory.csv / inventory.json (filename, SHA-256, attributes).

If you want this wrapped as a single Base64 one-liner you can paste directly into PowerShell (it recreates the file and runs it), I can deliver that too.

 

[Victor M]

Maybe I don't know what I am asking. Hopefully you have something to work from.

 

[cartaphilus]

Hey Guys!

Developing SiriusGPT was by far the most difficult project I have ever worked on, but I am super happy with the results. SiriusGPT utilizes 3 LLM / GPT models in an iterative configuration, and I have yet to see one false positive or negative, for both compiled and text based files, and for command line analysis as well.

If you scan a file or experience a block, you can click the Sirius logo to toggle between the Analysis Report and the event details. I am pretty happy with the user prompt, but we will probably refine it a little more as we go, and if anyone has any suggestions, please let me know.

A lite version of CyberLock is implemented into SiriusGPT, so you can select from AutoPilot and Dynamic Security Postures (Smart Mode), which is essentially a zero-trust security posture when you are browsing the web or checking emails. The LLM command line / LOLBin / fileless analysis is fully implemented, so we no longer have to worry about confusing command line blocks, they are all handled automatically, unless there is a malicious attack, in which case you will see a prompt that tells you to not allow the event. There should be close to zero bugs, but as soon as we are sure all of the bugs are worked out, we will be implementing the SiriusGPT engine into our other products.

The LLM analysis on these events are extremely accurate, usually with a confidence of 95% or higher. Here is a sample analysis report for these types of events.

Process path: c:\windows\system32\rundll32.exe
Parent process path: c:\windows\explorer.exe
Command line: "c:\windows\system32\rundll32.exe" using s=system;class p{static void main(){s.console.writeline((char)72+""+(char)101+(char)108+(char)108+(char)111);}}

Final Verdict: Not Safe with 95% confidence.

## Analysis Summary

The given command line execution event involves `rundll32.exe` being launched by `explorer.exe`. The command line argument passed to `rundll32.exe` is unusual and appears to be an attempt to execute arbitrary code. `rundll32.exe` is a known LOLBin (Living Off The Land Binary) that can be used to execute code in a DLL by calling a specific function within it.

The command line argument `using s=system;class p{static void main(){s.console.writeline((char)72+""+(char)101+(char)108+(char)108+(char)111);}}` is not a typical DLL function call expected by `rundll32.exe`. Instead, it resembles C# code that prints "Hello" to the console. This syntax is not directly executable by `rundll32.exe`, which typically requires a DLL name and an entry point.

The use of `rundll32.exe` with such an argument is suspicious because it attempts to abuse the binary for executing arbitrary code, potentially bypassing security restrictions. The code within the command line argument is obfuscated or encoded, as it uses character codes to represent the string "Hello". This behavior is indicative of an attempt to hide the true intent of the command.

The parent process, `explorer.exe`, launching `rundll32.exe` with such an argument is abnormal. While `explorer.exe` can launch various processes, the context and the command line argument used here suggest malicious intent.

## Malware Type and Name

Given the suspicious use of `rundll32.exe` and the encoded command line argument, this activity represents LOLBin Abuse. The specific behavior of executing C#-like code within the command line argument is not typical for legitimate applications.

## Final Verdict

Malware type: LOLBin Abuse (Thanks to @Trident for the malware name idea!)
Malware name: LOLBin.Rundll32.Exec (Thanks to @Trident for the malware name idea!)
Final verdict: Malicious with 95% confidence.

If you are curious and want to try SiriusGPT, but have CyberLock installed, you can uninstall CyberLock temporarily and then install SiriusGPT. You might want to click No when it asks if you want to delete the Settings and Logs during the CyberLock uninstall.

You can download the installer or portable version here:

SiriusLLM is a malware detection engine and portable application that leverages artificial intelligence and ChatGPT-like Large Language Models to assess the potential maliciousness of various digital assets (e.g., executables, scripts, documents).

www.cyberlock.global

Thank you guys!


Dan

Does SiriusGPT comes with a free SiriusXM subscription?

I.e. might want to rethink the name since when I hear SiriusGPT I think of the XM radio releasing a RAG Chatbot but that's just me.

 

[danb]

Maybe I don't know what I am asking. Hopefully you have something to work from.

The ps script actually worked great, thank you! The issue is that SiriusGPT figures out exactly what is going on, and that it is an EICAR test, so it calls it Safe. I even removed the top few lines of example code that were commented out, just to be sure. Either way, I am happy with the verdict, but this is what happened when I tested EICAR about a month ago as well.

Total tokens: 3469 (2876 request / 593 response)

File path: c:\users\dan\desktop\apollo\eicar.ps1
File hash: a1996682ceef2246fae77bb5bbff3c17c9692c30687f8834d3868303792881f0
File size: 0.01 MB
File publisher: This file is a signable file type but has not been digitally signed.

Final Verdict: Safe with 90% confidence.

## Analysis Summary
The provided PowerShell script (`eicar.ps1`) is designed to generate various test files and configurations to assess the effectiveness of antivirus and security software. The script creates multiple files and scenarios, including EICAR test files with different extensions, files with deceptive names or attributes (like double extensions and Right-to-Left Override characters), Alternate Data Streams (ADS), high-entropy binary files, password-protected ZIP archives, and EFS-encrypted files. It also includes functionality to start a simple HTTP server to serve these files.

The script is not inherently malicious; it is a testing tool. However, it generates files that could be considered malicious or suspicious by security software, such as EICAR test files and password-protected archives containing EICAR test files.

## Key Observations
1. **Purpose**: The script is designed to test security software and configurations.
2. **EICAR Test Files**: It generates EICAR test files with various extensions and in different contexts (e.g., inside ZIP archives).
3. **Deceptive Files**: Creates files with potentially deceptive names or attributes, such as double extensions and hidden/system attributes.
4. **ADS and EFS**: Utilizes Alternate Data Streams and EFS encryption to test detection of potentially malicious or obfuscated content.
5. **HTTP Server**: Can start a simple HTTP server to serve the generated files, simulating a download scenario.
6. **Digital Signature**: The script itself is not digitally signed.

## Maliciousness Verdict
While the script generates content that security software might flag as malicious (e.g., EICAR test files), its primary purpose is to test and validate security configurations. The script itself is a tool, not malware.

## Classification
Since the script is not malicious but generates test files that could be flagged by security software, it's essential to understand its intent. The lack of a digital signature is noted but is not uncommon for PowerShell scripts.

## Final Verdict
The script is considered safe because it is a testing tool, despite generating files that might be considered suspicious or malicious by security software.

Malware type: Not Applicable
Malware name: Not Applicable
Final verdict: Safe with 90% confidence.