Hot Take Sirius LLM by VoodooSoft / CyberLock

I would prefer that Sirius be built inside the main program. Having it start separately is asking for trouble: attackers will attempt to disable it from running.
fwiw I tend to agree with @Victor M -- unless a separate app is in beta to work out bugs and then incorporate Sirius in CyberLock and ...
 
I would prefer that Sirius be built inside the main program. Having it start separately is asking for trouble: attackers will attempt to disable it from running.
Dan writes in #1 that Sirius LLM will be integrated into the other programs (CyberLock, DefenderUI Pro, WDAC Lockdown) in 2-3 months. It's apparently only a separate program during the testing phase.
 
I like the idea of the personalities, for example providing anything from a detailed scan result down to a simple verdict result. Not sure everyone would get humorous responses, but an interesting idea.
Thank you guys for your input! I think we should skip the personalities for now and possibly add them later. The feature is already implemented, but I do not want to risk throwing the LLM for a loop. I do not think that would happen, but there is sense in taking that chance.
 
I consider the "Assistant Personality" feature superfluous. Sirius LLM and, ultimately, CyberLock shouldn't be overloaded with features.
Yes, the SiriusLLM version that is integrated into our other products will be just the basic features. The portable SiriusLLM desktop app is mainly for development and to work out all of the bugs before we implement the tech into our other products, thank you!
 
Sure, but Sirius & CL, or Sirius incorporated into CL, have a switch to turn off extra (perhaps unneeded) features; more might be better, although often less is more.
@danb -- will Sirius also be incorporated into DefenderUI? -- & can you comment how Sirius compares to VoodooAi -- I'm using ChatGPT every day on various unrelated "projects", some of which I know a lot about, and it is correct 80 or 90% of the time, but sometimes it is just wrong. Even in computational things like my astronomy hobby, it says something that sounds reasonable, but is flat out wrong, not by a little but by a lot. Having said that, I find ChatGPT usually very helpful, and I'm excited to see Sirius. Happy to help, but you have better sources for malware than me -- I'm not actively looking nowadays. PS make a Sirius Linux version, upload to cloud version.
Yes, assuming that everything works out as we hope (and that LLMs are technologically advanced enough that they achieve high efficacies), SiriusLLM will be integrated into CyberLock, DefenderUI Pro and WDAC Lockdown. If not, we will just keep polishing SiriusLLM while waiting for the LLMs to further advance. If anything, SiriusLLM is a great malware research tool as it currently is.

Yes, LLMs and AI in general are not 100%, and they never will be when it comes to malware analysis. But if we can achieve higher efficacies than signature-based or current next-gen engines, it is certainly worth it. So far I have been incredibly impressed with the results, but we really need other people like @Shadowra to test as well to make sure.

Another way to look at it... if we were to achieve 100% efficacy with LLM malware analysis, then there would not be a need for CyberLock or other zero-trust products ;).

If I had to guess, with the limited preliminary testing that I have performed so far, I would say that the LLMs may or may not be quite ready for this tech, but I certainly believe they will be ready in the next year or two. And by that time SiriusLLM will have evolved into a full-blown AV ;).
 
I think it is an unnecessary function. But if it doesn't cause bloating of the programme and problems with its further maintenance, you can leave it. :) Personally, I wouldn't use personalisation of the report, a report with specifics is enough for me. :)
Yeah, exactly, I do not think anyone would use it anyway. It would be fun for a few samples, but it would get old quick. And there is no point in risking throwing off the model... it already has to refine its response for beginner, intermediate and advanced users. I think performing one translation is okay, but probably not two, thank you!
 
Why not re-analyze automatically after the update? It reminds me of Emsisoft: after a database update, it re-scans the quarantined files for false positives.

And for personalities, I always prefer the professional tone/wording like the other antiviruses.
Great question, thank you! It totally depends on the file. For example, there is no point in going back through the database and reanalyzing every file in the database. We would not be able to do this anyway since files are deleted on the server immediately following analysis. But here is a good example... in our database there are probably 100-200 results for old VoodooShield installers, like say InstallVoodooShield4.44.exe. There is no point in wasting compute time and electricity on these old samples that no one will ever see again... especially if it means that the user has to wait 20-60 seconds for a result.

The reanalyze button is similar to the reanalyze button at VirusTotal... it serves a very similar purpose.

Having said that, while developing VoodooAi, we created new databases for each version of VoodooAi, so we had a total of 5 VoodooAi databases, with all new results from the latest LLM. I am quite sure this will happen with SiriusLLM as well, but who knows... wouldn't it be nice to nail it on the first model? ;)

We are going to test 2 models for sure, and possibly a third and fourth... I have already narrowed them down to the exact models that seem to perform really well. So we will see what happens... we kind of have to play everything by ear and just go with the flow ;).
 
fwiw I tend to agree with @Victor M -- unless a separate app is in beta to work out bugs and then incorporate Sirius in CyberLock and ...
Yeah, that is essentially what SiriusLLM started out to be, but I have since fallen in love with it, so it is going to be an app as well... I think you guys will see why once you try it ;). And we will integrate the barebones (but still fully capable) version into our other products.
 
I would prefer that Sirius be built inside the main program. Having it start separately is asking for trouble: attackers will attempt to disable it from running.
Yes, I completely agree. As it evolves into a full-blown AV, it will have all of the protections of a standard AV, thank you!
 
Hey Guys,

Here is the first release of SiriusLLM. We will obviously add more features and try different / optimize models as we go, but so far it is performing quite nicely.

The Deep analysis is enabled by default, and we might have a Deeper analysis soon. But for those who have used LLMs extensively, you understand that the Deeper analysis takes much, much longer, and from what I have seen with SiriusLLM, it tends to overthink and get the final verdict wrong. But we might include the analysis discussion from a Deeper model soon (if selected)... it goes into crazy details about the file that is being analyzed, but I decided to not fully implement that yet.

We will also integrate a streamlined version of SiriusLLM into our other products. Enjoy!

SiriusLLM 0.55
SHA-256: 010bcbda4209781930cacbc0e703e59de6a02f400cc9055f9fba7529de31501a

Thank you guys!
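Since the release post above publishes a SHA-256 for the SiriusLLM 0.55 download, a tester will want to confirm the file they grabbed actually matches it before running it. The following script is an added example and is not code from VoodooSoft or from SiriusLLM; it only assumes the published hash string quoted from the post and a local file path passed on the command line. The self-check hashes a constructed three-byte sample (`b"abc"`, whose SHA-256 is a well-known test vector), not the real installer.

```python
import hashlib
import hmac
import os
import sys
import tempfile

# SHA-256 published for SiriusLLM 0.55 in the release post above (copied from the page).
PUBLISHED_SHA256 = "010bcbda4209781930cacbc0e703e59de6a02f400cc9055f9fba7529de31501a"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_hex: str) -> bool:
    """True only when the file's digest equals the published one (hex, case-insensitive)."""
    actual = sha256_file(path)
    # compare_digest is the idiomatic way to compare digests; it also tolerates
    # the published value being pasted with stray whitespace or upper-case hex.
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def self_check() -> tuple:
    """Constructed sample (hypothetical, not the real installer): the bytes b"abc".

    Returns (matches_known_abc_hash, matches_published_release_hash); the second
    must be False, which is exactly the mismatch case a tester needs to notice.
    """
    known_abc = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")
        return (verify_download(path, known_abc), verify_download(path, PUBLISHED_SHA256))
    finally:
        os.remove(path)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python verify_sirius.py <path-to-downloaded-file>
        target = sys.argv[1]
        if verify_download(target, PUBLISHED_SHA256):
            print(f"{target}: OK, matches the published SHA-256")
        else:
            print(f"{target}: MISMATCH, the file is not the one the release post describes")
    else:
        print("self-check (constructed sample vs. known and published hashes):", self_check())
```

The file is hashed in chunks rather than read whole, which matters for multi-hundred-megabyte installers like the ones discussed later in the thread; a mismatch should be treated as "do not run", whether it comes from a corrupted download or from a file that was swapped in transit.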
 
Here is the first release of SiriusLLM.
SHA-256: 010bcbda4209781930cacbc0e703e59de6a02f400cc9055f9fba7529de31501a
Downloaded ok, it's portable (correct?) so I moved it to \program files\sirius_LLM -- it ran the initial scan in less than 5 seconds, seemed to scan only running files. Then did a right-click scan of the Mullvad VPN installer, again pretty fast for a 218 MB file, and read its analysis: 95% confidence safe. It cross-referenced WhitelistCloud. The Mullvad scan used about 3000 tokens. Not sure how the tokens fit in, but I saw a $ sign (something to know). Default scan every 4 hours, I set it to 1 hour for now. If I download a file, will Sirius scan it automagically, or does the user need to scan manually with the Windows context right-click scan? PS I like its systray icon.
 
Downloaded ok, it's portable (correct?) so I moved it to \program files\sirius_LLM -- it ran the initial scan in less than 5 seconds, seemed to scan only running files. Then did a right-click scan of the Mullvad VPN installer, again pretty fast for a 218 MB file, and read its analysis: 95% confidence safe. It cross-referenced WhitelistCloud. The Mullvad scan used about 3000 tokens. Not sure how the tokens fit in, but I saw a $ sign (something to know). Default scan every 4 hours, I set it to 1 hour for now. If I download a file, will Sirius scan it automagically, or does the user need to scan manually with the Windows context right-click scan? PS I like its systray icon.

If Mullvad used 3000 tokens, you might want to leave the default scan @ 4 hours given the token limit. But, yes, it's portable.
 
No issues here with 0.55 beta, although admittedly I don't know what I'm looking for. Everything ran smoothly and it was very fast, taking about three seconds to scan. The context menu scan works perfectly as well.
Very cool, thank you for letting me know! There really is nothing to look for... just try to scan some tricky files good and bad ;).
 
Downloaded ok, it's portable (correct?) so I moved it to \program files\sirius_LLM -- it ran the initial scan in less than 5 seconds, seemed to scan only running files. Then did a right-click scan of the Mullvad VPN installer, again pretty fast for a 218 MB file, and read its analysis: 95% confidence safe. It cross-referenced WhitelistCloud. The Mullvad scan used about 3000 tokens. Not sure how the tokens fit in, but I saw a $ sign (something to know). Default scan every 4 hours, I set it to 1 hour for now. If I download a file, will Sirius scan it automagically, or does the user need to scan manually with the Windows context right-click scan? PS I like its systray icon.
Very cool, thank you! Not yet... we do not have a folder watcher set up yet, but at some point we might, or we might just make it on execution like CyberLock and our other products. BTW, keep in mind, I have done very little to optimize the model... I wanted to start from a baseline worst case scenario, so the efficacy we see now is the worst case scenario, and it is going to automatically get better... even if we do nothing other than just update the model to the latest model. We also have around 200 or so other models that I am going to go through and see if any of them perform better than the ones we are currently using. I was incredibly impressed with how well the selected model performed, so I doubt we find a better model for now, but it will be fun looking around at the different models. And just think... in 2-3 years, LLMs (or whatever they are at that time) are only going to get better... so I think we jumped in at about the right time. We might be a little early, but I am okay with that.
 
If Mullvad used 3000 tokens, you might want to leave the default scan @ 4 hours given the token limit. But, yes, it's portable.
Keep in mind, the Snapshot Scans do not count against the token limit... only manual scans do. That way SiriusLLM can continue to run the scheduled snapshot scans, because really that is what is most important when it comes to security.

I figured on average 13 manual scans per day is more than enough for most users, and if anyone wants to buy more tokens, they are super cheap... $1.00 per 1 million... which is around 250 manual scans.
 
@danb after running Sirius on a VM for a few hours, I'm now running it on the Host and the initial scan took about 15 sec and thinks 2 are "not safe", and one surprises a little: \program files\libreoffice\program\soffice.bin -- this is my first "not safe" with Sirius so: ok I see, click it in the list (don't recall if right or left) and a 4-choice popup: process info, open location, exclude/whitelist, reanalyze. So in this beta it is purely informational, i.e., it did not block or suspend the 2 files it thinks are not safe.

EDIT update: the other file is MICA 2.2.2 (US Naval Observatory Multiyear Interactive Computer Almanac) & gee, Hybrid Analysis says MALICIOUS (This report has 152 indicators that were mapped to 74 attack techniques and 11 tactics) -- VT says 1/63 by SecureAge -- MICA has been around for a long time. The other 62 say undetected, and it is clean according to DeepInstinct on the Host, and CyberLock w/WLC also treats it as safe. MICA is not signed.
 
Quick update: I sent the LibreOffice soffice.bin to VT and it returns 0/71, and when I re-analyzed it with Sirius it was still Not Safe, but also the analysis text was blank and said unknown? Was the LLM server down around 24jun 0200 utc?
 
