Hot Take Sirius LLM by VoodooSoft / CyberLock

Yes, I do not have all of the file types configured properly yet, and .bin is one of them. We have almost all of the common file types configured, like portable executables and scripts, but there is a long list of file types I need to configure for them to all work properly (and there is a huge list to go through). For example, we are going to analyze macros in Microsoft Office documents as well, but we need to parse the macros from the documents first. But if there is a file type that we need to add sooner than later, let me know and I will do so. Thank you!
 
Hey Guys,

Here is the latest version... please check out the new Model 2 at the top, although you will probably want to use Model 1 for everyday use. Also check out the Verdict Type: Deep. The LLM models now provide tons of info about each file, and we will probably add even more. I still have not added any extra file types because most of the common ones are already covered, but I will do so once I get some rest and catch up on a couple small things from our other products.

SiriusLLM 0.57
SHA-256: 684e43863fab5dcd2a57680aec0780136481ddc726bc6ccb2c9acb7ff01cd554

Thank you guys!
 
Hey guys, here is the latest, mainly just a few small bug fixes and optimizations. Now we have to decide whether to implement SiriusLLM into our other products now, or maybe do something else while we wait to make sure there are no remaining bugs to fix, and to make sure the models are optimized. Thank you guys!

SiriusLLM 0.59
SHA-256: d25d30fe7e1ea5c572a32c811a7f443ab8146daaf0b5df88e46e1f94d7c945f0
 
@danb quick question still running 0.57 on win10_VM -- I downloaded sniffnet app which is .msi and did right-click scan and it quickly reported in red WLC says Not Safe, but then zero sirius analysis, so does sirius stop if WLC doesn't like it, &/or is it not analyzing msi files?
PS I'm still down around 30,000 tokens and I ran this VM overnight so (so far) it has not refreshed -- going to DL 0.59

UPDATE running 0.59 now -- now back to 50k tokens, again tried to sirius right click scan sniffnet msi and this time, the entire operation was blocked by AppGuard, so put AG into install mode and right clicked again to scan sniffnet and instead of scanning the msi started to install. so not what I was expecting :oops:
 
SiriusLLM does not actively block anything yet... it is currently a small portable app with no kernel mode driver to block files pre-execution. The current version can only perform Snapshot Scans and manual scans of individual files. The purpose of this version is to demonstrate the efficacy of the SiriusLLM engine.

I forgot to mention, as of yet, SiriusLLM is not able to scan .msi files, so for .msi files, we rely on the WhitelistCloud result. I am not sure why the sniffnet installer started when you tried to scan it with SiriusLLM, so I just downloaded it and it scanned correctly for me. So I am guessing that you clicked Install instead of SiriusLLM Scan.
 
as for not sure why the sniffnet installer started: probably due to interruption of AppGuard. Don't know I doubt I hit install button as I only "approached" sniffnet via sirius. Just info.
 
Wouldn't it be better to hold off testing it, waiting until it has the capabilities to block?
The kernel mode driver is 100% guaranteed to intercept and block all new process creation. The only question is whether the SiriusLLM engine will render the correct verdict or not, which will signal the kernel mode driver to allow or block a new item. This is why at this point we are only interested in the detection efficacy of SiriusLLM.

Sure, we could add our kernel mode driver to SiriusLLM, but then we would have another app to maintain, although this may not be a bad option. But the whole purpose of the SiriusLLM engine is to be integrated into our other products, and to replace VoodooAi. In the meantime, the portable SiriusLLM app is a super lightweight antivirus app that anyone can run as an additional layer of security, with its Snapshot Scans.
 
Interesting... if you get a chance, can you please test again to be sure? We do not want apps to auto launch when they are being scanned by SiriusLLM ;).
 
mini update on using Sirius 0.59 using a win10_VM running Cyberlock :love: with WLC I just got my usual WLC "not safe" false positive after mullvad vpn updated (not signed), seemed like perfect time to manually right-click the mullvad exe, but sirius did not give me an analysis, it just said "already analyzed safe with 90% confidence" I only mention this because reading other reports I know that sirius looks to see what WLC says. I had the option to re-analyze mullvad but did not want to waste tokens and AI resources.
 
Yes, the SiriusLLM analysis includes the WhitelistCloud analysis, but SiriusLLM is instructed to ignore the WhitelistCloud verdict if it is certain of its own verdict. And I have seen SiriusLLM overrule WhitelistCloud somewhere around 20% of the time ;). They are a great combo though and together usually deliver the correct verdict. I was going to include the old VoodooAi verdict as well, but I am perfectly happy exactly how it is currently.

We need to figure out how to get @Bot and SiriusLLM to talk ;). That would be interesting.
 
Hey guys, here is the latest, just a few more small bug fixes. And also one of the features for the portable executable analysis was not correct, but it is fixed now. I think most of the bugs are worked out, so now we need to start thinking about implementing this into our other products. Thank you guys!

SiriusLLM 0.60
SHA-256: c42d49122aabcd191d967a9a84914b5f2047793efedc4bb1498d5b31b925a0df
 
0.60 running smoothly problem-free on VMware WS 17.6.3 win10_VM with Trendmicro and Cyberlock 8.02. (I had some issues on another VM but no cause determination)
@danb & @Shadowra for my better understanding -- when Sirius finds a file it has not analyzed, eg, user right-click context scan of a newly DL'd file, does Sirius analyze the code, or does it run the file in a cloud sandbox and analyze what it "sees" / how the app behaves, or both?? Sorry if this is answered already in Sirius text info. My memory fades more quickly than Sirius's.
 
It actually does both... it analyzes the file locally and uploads the file, and there is further / different analysis in the sandbox that it uploads to. If the file has already been uploaded and it has the info it needs, then the file is not uploaded again. But sometimes it does have to upload the file again because it deletes the file immediately after the analysis.
 
Hey guys,

Here is the latest SiriusLLM. There was a bug in 0.60 that threw off the portable executable analysis results significantly, but it is fixed now. There was also a bug where some of the scripts would not analyze correctly, but it is fixed as well. I just happened to be testing again today and noticed these bugs. I am going to start recording my testing sessions so you guys can see the results I am seeing... I recorded the testing session today and I will probably post it soon.

Also, I cleared out all of the SiriusLLM results from the database, now that we are pretty much where we need to be, just in case some odd / bad results were stored. So if you see an analysis taking a little longer than usual, that is why.

SiriusLLM 0.61
SHA-256: 02d0b78c19e898408b0ff67191968a2cd748b6dda079e6255b7c714d55465e59
 