Hot Take Sirius LLM by VoodooSoft / CyberLock

[Trident]

@danb depends on the sandbox, there are certain solutions which are quite accurate.
Sandboxing and static analysis are sometimes combined together, none of them can replace the other.
Anyway, let’s see the detection names.
This now looks like a scan engine.

 

[danb]

@danb depends on the sandbox, there are certain solutions which are quite accurate.
Sandboxing and static analysis are sometimes combined together, none of them can replace the other.
Anyway, let’s see the detection names.
This now looks like a scan engine.

I think I have tried most or all of the sandboxes, can you name 2-3 that you think would give the best results? I would love to try them with our software if I have not.

Yeah, I have not started on the detection names yet, I am finishing up some of the boring stuff... I always leave the fun stuff for the end, that way it keeps me motivated. I am super curious how the detection names are going to turn out... my guess is that they are going to be super cool.

Anyway, getting close, probably another 2 long days or so, thank you!

 

[danb]

Hey guys... getting close with SiriusGPT. I decided to add a few more features, but it will be ready this week for sure. I am adding a quarantine feature and also command line blocks and anti-exploit blocks to the SiriusGPT analysis, so these items will no longer be blocked if they are determined to be Safe. And as I was saying, I am certain the efficacy will be very similar to the script blocking efficacy, so in theory they should be approaching 100% efficacy, but we will test and see soon . I was thinking about adding a feature that would utilized SiriusGPT to scan emails for scams and spam, but there are several obstacles that will probably prevent us from doing so.... at least for now. First of which is privacy... we do not want to upload every email to our API. But there is a chance that we might be able to use a local model to scan emails, but I won't start exploring this feature for at least a few weeks. We have other features we need to add, like scanning Macros. And actually, scanning macros will be super simple, the only difficult part is extracting them from all the various documents (each one is handled a little differently).

BTW, the malware name feature that @Trident suggested turned out really cool, here is how it looks...

Malware Type: Potentially Unwanted Program (PUP)
Malware Name: ElevatedApp.VBNet.Generic

Final verdict: Malicious with 75% confidence.

Also, I shutdown SiriusLLM for a couple of days while I work on the backend, but it should be up and running again in 2-3 days. I could have left it up, but there are not that many SiriusLLM users yet, and it will make it a lot easier to work on the backend without causing issues. Thank you guys!

 

[Trident]

BTW, the malware name feature that @Trident suggested turned out really cool, here is how it looks...

It does look cool. It’s these little touches that make a difference.

As to the sandboxes, Check Point, Palo Alto and Crowd Strike are the leaders on emulation, but I am not sure what APIs they offer (if they do offer).
I know Avira for sure offers emulation API but that’s gonna increase the cost of your product. You are soon gonna have to do editions.

In essence, look for emulation from an AV vendor if you wanna go down that path and don’t bother with generic sandboxes (like Cuckoo, AnyRun and so on). In addition, you can also go for third-party threat feeds if you wanna do a full-blown AV.

I like that you’re implementing anti-spam and scam features though yeah, with the GDPR this implementation will be more than tricky.

You’ll need to implement pre-scrubbing scripts.

Last but not least, maybe analyse pdf files for phishing as well.

Also, how will you reduce the performance impact of all these analysis? Even though everything happens on the cloud, I’m assuming the file is locked whilst in analysis…?

 

[danb]

I had a question and I wanted to get as many opinions as possible. You know how AV's will scan stuff in the background, and your computer seems to kinda freeze for 5-10 seconds or so, and you are just sitting there waiting for it to do whatever it is supposed to do next? I love Microsoft Defender, but it is really bad about this when it encounters a novel file, and I am certain most AV's are just as bad. With CyberLock it was easy because we would prompt either way, so the user would know that it is processing and it might take a few seconds.

Well, with SiriusGPT, there might me a few times this will happen, even though I am going to limit it as much as possible (certainly less than most AV's). But the thing is, we will not always have to display a prompt because the Ai will make the decision and auto allow what normally would be blocked (so there would be a prompt).

So my question is, this should not happen that often, but when it does, should we display a little swirling SiriusGPT circle / assistant somewhere on the desktop, similar to the CyberLock desktop gadget, and then hide the assistant once a verdict is reached? It should not happen that often, but it might be a good idea... the other option is to not show anything at all and just wait for the verdict.

Another option is to show the simple mini prompt with the SiriusGPT assistant, and then auto close this prompt if it is safe.

Anyway, just curious which way you guys think we should go on this. Thank you!

 

[danb]

It does look cool. It’s these little touches that make a difference.

As to the sandboxes, Check Point, Palo Alto and Crowd Strike are the leaders on emulation, but I am not sure what APIs they offer (if they do offer).
I know Avira for sure offers emulation API but that’s gonna increase the cost of your product. You are soon gonna have to do editions.

In essence, look for emulation from an AV vendor if you wanna go down that path and don’t bother with generic sandboxes (like Cuckoo, AnyRun and so on). In addition, you can also go for third-party threat feeds if you wanna do a full-blown AV.

I like that you’re implementing anti-spam and scam features though yeah, with the GDPR this implementation will be more than tricky.

You’ll need to implement pre-scrubbing scripts.

Last but not least, maybe analyse pdf files for phishing as well.

Also, how will you reduce the performance impact of all these analysis? Even though everything happens on the cloud, I’m assuming the file is locked whilst in analysis…?

Yes, but the email feature is a very long way off. More than anything, it is just an example of what we can do with this tech. But yeah, I did not think about GDPR, but that might be tricky... either way it would have to be a local model. I just hope the local model will have enough parameters to be useful. It certainly did not for the other analysis that we are doing... but AI is still young, so who knows what is going to happen.

Yeah, each document type is going to involve some preprocessing. Once we are able to convert it to text, it is super simple.

Yeah, the file is certainly locked during analysis. I will check out the sandboxes you mentioned, one of those is one that I had serious issues with . But I have not tried 2 of the others in quite some time, thank you!

 

[Trident]

Yeah, each document type is going to involve some preprocessing. Once we are able to convert it to text, it is super simple.

You can convert anything to text, there are all sorts of parsing libraries online. In this case not sure if it’s a good idea to normalise the text as some poor capitalisation can also be indicative of spam/scam, phishing and so on.

As a general UI practice, everything that takes a few seconds or more should have progress indicator.

 

[danb]

You can convert anything to text, there are all sorts of parsing libraries online. In this case not sure if it’s a good idea to normalise the text as some poor capitalisation can also be indicative of spam/scam, phishing and so on.

As a general UI practice, everything that takes a few seconds or more should have progress indicator.

Yeah, but the ones for macros, for example, are not super straightforward... I think the other file types will be a lot easier.

I wish Microsoft Defender had some kind of progress indicator... it drives me absolutely crazy when I have to wait 10-20 seconds for it finish analyzing a file.

 

[Trident]

Yeah, but the ones for macros, for example, are not super straightforward... I think the other file types will be a lot easier.

I wish Microsoft Defender had some kind of progress indicator... it drives me absolutely crazy when I have to wait 10-20 seconds for it finish analyzing a file.

I forgot to mention Sophos as well offers cloud sandbox on sophos.com/oem.
They combine static analysis with dynamic one, and it seems to be very standard integration via Restful API but I am not sure of the costs.

Yeah, but the ones for macros, for example, are not super straightforward... I think the other file types will be a lot easier.

For parsing of macros oletools has been the standard for quite some time and it can also extract macros in the cases where the project is password protected (not the whole file encrypted).

GitHub - decalage2/oletools: oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging. - decalage2/oletools

github.com

But I am not sure what’s your policy on third-party code in your products.

If you are trying to build a parser from scratch, it will indeed take you some time and loads of trial and error.

 

[danb]

Hey guys, I just finished up the work on the backend, so that part is good to go.

SiriusGPT will be ready this week, but in the meantime, here is the portable SiriusLLM version. The old versions will not work since there were so many changes on the server. This version includes the @Trident suggestion for malware names, they are at the bottom of the LLM response, just above the verdict. BTW, here is a funny one I noticed earlier .

## Malware Type: Potentially Unwanted Program (PUP)
## Malware Name: Annoyware.ScriptTrickster
Final verdict: Malicious with 85% confidence.

SiriusLLM 0.63

https://www.cyberlock.global/downloads/SiriusLLM.exe

SHA-256: 72423756df690e10578656fb6d093cae44c67afea4e98c11262a07bdfac6f3cd

 

[danb]

I forgot to mention Sophos as well offers cloud sandbox on sophos.com/oem.
They combine static analysis with dynamic one, and it seems to be very standard integration via Restful API but I am not sure of the costs.


For parsing of macros oletools has been the standard for quite some time and it can also extract macros in the cases where the project is password protected (not the whole file encrypted).

GitHub - decalage2/oletools: oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging. - decalage2/oletools

github.com

But I am not sure what’s your policy on third-party code in your products.

If you are trying to build a parser from scratch, it will indeed take you some time and loads of trial and error.

Thank you for the info... yeah, there is a lot more to parsing macros then I ever would have imagined. It is certainly doable, but it is not super straightforward.

 

[danb]

So I was 98-99% finished, then it dawned on me the best way to handle the question I had in post #105 .

After thinking about this for quite some time, I think the best way to handle this is to have a dropdown option so the user can choose one of three options for the user prompts.

1) Do not show prompts / show only info on the prompts but do not let the user allow new items. We need to come up with a great name for this option that is not too long.
2) Show only Block prompts
3) Show Block and Allow prompts

The default setting will be #2, which I think most people will use. But #1 will come in handy for happy clickers and #3 will be cool for advanced users who are wanting to be alerted for the items that Sirius is auto allowing. Essentially, if the 3rd option is selected and Sirius auto allows something, it will give you a quick "info" prompt saying "Hey, this was auto allowed". Then you can click on the details button to see the Sirius analysis.

So this is the best of both worlds... I think it is going to turn out great. The bad news is that it is going to take quite a bit of time to implement this new feature, but I am hoping it does not take over 4-5 days. This is by far the most difficult coding I have ever done... my brain hurts, but I think it is going to turn out super cool. I am also making sure it will be relatively easy to implement into our other products, so that takes some time too. Thank you guys!

 

[Trident]

1) Do not show prompts / show only info on the prompts but do not let the user allow new items. We need to come up with a great name for this option that is not too long.

Sirius Zero-Touch?

Aligns with Zero-Trust and you can come up with a host of “zero-stuff”, maintaining some consistency.

Idea 2: Active Response?
Idea 3: AI Lock.
Idea 4: Sentinel Mode.
Idea 5: Advanced Threat Sense (ATS).

 

[Trident]

This is how I envision prompts

 

[danb]

This is how I envision prompts

That is really cool, thank you, I appreciate your help!

BTW, they are current red and blue, should we make them red and green instead? I mean, what are the international standards for these colors?

 

[Trident]

That is really cool, thank you, I appreciate your help!

No worries, the font there is Poppins.

 

[Shadowra]

So I was 98-99% finished, then it dawned on me the best way to handle the question I had in post #105 .

After thinking about this for quite some time, I think the best way to handle this is to have a dropdown option so the user can choose one of three options for the user prompts.

1) Do not show prompts / show only info on the prompts but do not let the user allow new items. We need to come up with a great name for this option that is not too long.
2) Show only Block prompts
3) Show Block and Allow prompts

The default setting will be #2, which I think most people will use. But #1 will come in handy for happy clickers and #3 will be cool for advanced users who are wanting to be alerted for the items that Sirius is auto allowing. Essentially, if the 3rd option is selected and Sirius auto allows something, it will give you a quick "info" prompt saying "Hey, this was auto allowed". Then you can click on the details button to see the Sirius analysis.

So this is the best of both worlds... I think it is going to turn out great. The bad news is that it is going to take quite a bit of time to implement this new feature, but I am hoping it does not take over 4-5 days. This is by far the most difficult coding I have ever done... my brain hurts, but I think it is going to turn out super cool. I am also making sure it will be relatively easy to implement into our other products, so that takes some time too. Thank you guys!

I'm waiting for your mail for SiriusGPT

 

[Trident]

BTW, they are current red and blue, should we make them red and green instead? I mean, what are the international standards for these colors?

I think psychologically-wise, users get along better with the traffic-light system. So maybe you can have both - brand and create a logo for Sirius LLM that is the colours you want it to be. And still maintain the notifications in the traffic light colour scheme.

 

[ForgottenSeer 94738]

That is really cool, thank you, I appreciate your help!

BTW, they are current red and blue, should we make them red and green instead? I mean, what are the international standards for these colors?

Definitely not red-green. I have a color-recognition disability for red-green and could distinguish red and blue much better.

 

[danb]

Definitely not red-green. I have a color-recognition disability for red-green and could distinguish red and blue much better.

This is great to know... thank you for the info!