@danb Thank you so much! I downloaded a malware sample and purposely left it on my desktop just to see if SiriusLLM would analyze and detect it. And to my surprise it detected it as Not Safe. Excellent tool and a perfect ally to CyberLock.
> @danb Thank you so much! I downloaded a malware sample and purposely left it on my desktop just to see if SiriusLLM would analyze and detect it. And to my surprise it detected it as Not Safe. Excellent tool and a perfect ally to CyberLock.

Thank you, I appreciate that! And yes, I agree, SiriusLLM is the perfect ally to CyberLock, and here is why...
> Thank you so much! I downloaded a malware sample and purposely left it on my desktop just to see if SiriusLLM would analyze and detect it. And to my surprise it detected it as Not Safe. Excellent tool and a perfect ally to CyberLock.

@piquiteco & @danb but I am confused. You downloaded malware file and left it on your desktop, but did not open / run it, correct?? I thought Sirius snapshot was only scanning running apps, but that you can right-click a file and manually scan it and get an analysis, or does snapshot also scan items on your desktop running or not??
> You downloaded malware file and left it on your desktop,

First, I ran Sirius LLM, the portable version made available by @danb himself here in the thread that I downloaded. I hadn't downloaded the malware sample yet. So, I just ran a scan with Sirius LLM on my computer, and it analyzed all the active processes running, and all of them were considered safe. I believe that here it may have used WhitelistCloud. I assume @danb can correct me if I'm wrong. So, as I'm curious, it's a new tool for me, so I had this idea of looking for some new malware samples on the web, which is quite easy to find today. When you download these samples, they come compressed and password-protected, precisely so they are not deleted by AVs when downloaded. These samples are useful for security experts to analyze, demystify, and reverse engineer, especially when it is malware created and sponsored by the state. Of course, they are also useful for enthusiasts, malware testers, and curious people like me lol. Before extracting the sample from the compressed file, I had to disable my real-time AV protection to extract the sample to my desktop, which I did on my physical machine. I extracted the sample to my desktop and ran a new scan with Sirius LLM, which had already analyzed my computer's execution processes and deemed it safe. With the sample already on my desktop, I ran another scan with Sirius LLM, and it almost instantly flagged this file as unsafe in red. I came to the conclusion that Sirius LLM works similarly to an AV that scans new and tampered files. Since this malware sample was new, I had extracted it to my desktop after running the first scan with Sirius, so on the second scan, Sirius LLM detected this sample without any major problems.
> but did not open / run it, correct??

Yes, that's correct. I didn't open or run the malware sample file, I just extracted the compressed file containing the malware sample. It would be almost impossible to run any malware sample or any script or executable even if I disabled the AV on my computer. Because I have SAC enabled on my machine, I have SmartScreen, and I still have WHHL enabled, I would have to go through all these obstacles to run something. So I consider my AV to be the first line of defense. That's why it's important to have CyberLock and Sirius LLM, which act as an extra layer of security protection.
> I thought Sirius snapshot was only scanning running apps,

Yes, Sirius analyzes running processes and apps, but it also analyzes them manually. So the answer is both.
> but that you can right-click a file and manually scan it and get an analysis,

Yes, Sirius also performs manual analysis and static analysis via the context menu in the file you want. Just enable Sirius LLM at the top right of your screen to activate it in the Windows context menu so you can manually scan the file you want to analyze.
> or does snapshot also scan items on your desktop running or not??

Yes, it checks whether it is running or not.
> fwiw on win10_VM I downloaded an unsigned portable exe that is not malware to my \downloads -- tried to do a right-click windows context menu manual scan and nada I get windows popup "you'll need a new app to open this .exe file -- look for an app in the MS store" or not... Is my right-click finger out of whack...?

Something is wrong with your VM; it uploads the file to the cloud to WhitelistCloud.
> Yes, that's correct. I didn't open or run the malware sample file, I just extracted the compressed file containing the malware sample.

@piquiteco yes, thanks for all the info, but @danb needs to clear this up for us, or maybe just for me
> Something is wrong with your VM; it uploads the file to the cloud to WhitelistCloud.

Maybe, but Sirius' analysis may look at WLC rating in its analysis, but just a small part of what Sirius does, my WLC on CL 8.02 seems to be working. Sirius is not integrated with CL yet as I understand it.
> FYI, part of the Hasleo Backup Suite is seen as malware too, most likely cause it's not signed. But that's the only file that's seen as malware and none of HBS is signed.
> ImageMountService.exe
> Hash: 2f932895561723ef6911d3b0b0f35c22d4d765fa8f3a6c7896cebb70282f1b9c

Thank you for letting me know. Yeah, there are going to be some false positives, but I have seen very, very few overall. Yeah, valid digital signatures help a lot with reducing false positives.
> So if the file is unopened on your desktop, and NOT running,

Yes, exactly, the file isn't there on the desktop until I run the scan a second time.
> are you saying that Sirius scanned it with its next snapshot?

Exactly, I scanned the next snapshot, and that's when Sirius detected a sample of that file that was located on my desktop.
> Or auto-initiated a scan because it was a new file or your desktop?

No, I manually initiated a new scan by Sirius scanning the snapshot, precisely to see if Sirius would detect this new sample file that was on the desktop. Before that, there was nothing on my desktop except my program's shortcuts.
> Or that once it was on your desktop, you did a manual right-click window context scan?

No, I didn't manually check the file context menu, I did a manual instant check directly through the Sirius GUI.
> No offense, but you posted all that good content, but somehow did not answer my question or I did not state it clearly enough.

Relax, I wasn't offended by your questions. It happens, don't worry, that's what this forum is for, to clarify any doubts you may have. If you didn't understand what I explained in my previous post, I'll explain it again. Just tell me what you didn't understand and I'll explain it again.
> Just checked out this great program paired with Cyber Lock. I have two questions for Dan.
> 1. When analyzing a file, the program, or rather the AI, gives a long verdict. Is it systematized (standard) or does the AI itself "write" its opinion each time with different phrases? This question is important if you are going to translate the program into other languages.
> 2. Do you plan to merge CyberLock and Sirius LLM into one program? I think, sorry to jump in with my opinion, that all your (three, if I'm not mistaken) programs should be merged into one.
> To avoid confusion and workload, you can make a choice of interface and functions on the principle of "Beginner", "Advanced User" and "Expert" and depending on this show the functionality and settings of the interface. Of course, AI and CyberLock analysis should be used in any of the modes.

Yes, a new unique response is generated each time the user submits a new prompt / file. We currently store the final verdict in the database for quick lookups later, we currently do not store the full prompt. So whenever a new file is encountered, or the user clicks reanalyze, SiriusLLM will generate and return a new, unique response. FYI, there is a setting in most of the LLMs called Temperature. The Temperature is a setting that controls the randomness or creativity of the output. It's a bit like adjusting how "bold" or "cautious" the model should be when generating responses.
> @Piquiteco
> Your answer regarding the detection of a file located on the desktop contradicts the concept of Sirius LLM.

I understand your point of view. If I posted saying that I had an executable file located on the desktop after a scan with Sirius LLM and it detected it as unsafe, why would I make all that up?
> According to this, only active files are analyzed during a snapshot scan.

Yes, that's correct, that's Sirius' concept of analyzing active processes and specifically executable files. Did you read my post #66? I was on my physical machine and not on a VM. How would I run malware on my production computer?
> A file that is only located on the desktop and is not active will not be detected. That's also how I understand Dan's answer #71

I understand, but with me, believe it or not, Sirius flagged the static executable file on my desktop as unsafe, just like that.
> If your answer is correct, then I don't understand the entire Sirius LLM program.

@danb has already explained how the Sirius LLM program works. It is still in the development phase, but it is gradually maturing.
> Exactly, I scanned the next snapshot, and that's when Sirius detected a sample of that file that was located on my desktop.
> No, I manually initiated a new scan by Sirius scanning the snapshot, precisely to see if Sirius would detect this new sample file that was on the desktop.

Thanks for the reply. See @danb post above #71, a snapshot only scans running apps, so if the malware file you downloaded to your desktop was scanned by a snapshot scan then that malware file was running. (or the beta needs more testing)
> Yes, the whole point of SiriusLLM is to be merged into CyberLock, DefenderUI Pro and WDAC Lockdown. Initially I was not even going to release a standalone version of SiriusLLM... but I had to build a GUI in order to develop the SiriusLLM engine. Then one day during development, I was thinking "This would be a fun / informative app for people who test malware, and if we release it as a standalone app, that might help further refine the engine." So I added the Snapshot Scan and released it as a portable app. We will probably keep adding features to SiriusLLM so that it eventually becomes a standalone AV. Thank you!

@danb IIRC, WhiteListCloud WLC has scan portal URL, when Sirius is finalized will it also have a URL scan portal, I ask as sometimes I am running linux and DL windows files in linux before putting them on my windows computers...