App Review Sirius LLM Observations

Content created by cruelsister
Thank you very much CS! VERY interesting video, I LOVE edge cases like this. I want to link to our other conversation so that a year from now people will understand that you tested Sirius quite a bit last week, and this video is just the edge cases.


The KVRT test was super cool, and that verdict could go either way. It all depends on if Sirius believes that the file originated from Kaspersky or not. For example, I created a C:\Program Files\Kaspersky folder and tested the KVRT script with SiriusGPT (on execution) and had very consistent Safe with 95% confidence verdicts, with and without the @echo lines. I then tested with SiriusLLM (they use the exact same models), but SiriusLLM is unable to provide the parent process to the models, so the results were not quite as consistent. They were safe, but not a consistent 95% (75-90%). But your testing might have uncovered an issue because both Sirius results are stored in the same shared database, and SiriusLLM cannot provide quite as much metadata as SiriusGPT, so if a file is first tested with SiriusLLM, it might not be as accurate as if it was tested with SiriusGPT.

Having said that, this was a VERY clever and unique test, and I doubt that we will encounter issues like this normally, even with people testing both versions of Sirius. But I will look into the shared database and figure out what route we should take, thank you for uncovering this!

I downloaded the SeaMonkey stable release version, and both SmartScreen and Sirius blocked it. Sirius had an issue with SeaMonkey because it was missing a digital signature and several other security features, and in the Analysis Report it said "Major browser vendors sign installers; absence here is suspicious." I strongly believe that certain software like security software and web browsers should be signed, that way you know they are legit and not tampered with.

Sirius returned a Not Safe verdict for the modified calc app because it identified it as a modified calc app, and our prompt instructions tell Sirius to be very critical of modified files.

I had not yet tested a fork bomb on Sirius, but I am happy to see it returned the "correct" verdict.

Thanks again for testing and if you want more tokens for testing, please click on the Machine ID and it will copy the ID to your clipboard, then you can email or pm me the IDs for your computers and I can increase your tokens. You should try SiriusGPT when you get a chance... I bet you will like it even more than SiriusLLM.

Here are the two KVRT Analysis Reports that were executed from the C:\Program Files\Kaspersky folder:

With the two @echo lines...

Total tokens: 1552 (972 request / 580 response)

File path: c:\program files\kaspersky\b118eba8-1659-4509-aa3e-c267a1ee524d.cmd
File hash: 588308bc99db555b97c3e49e59d4516b33e9148e5588e9993dd53e179a6be89d
File size: 0.00 MB
File publisher: This file is not a signable file type.
WhitelistCloud verdict: Not Safe

Final Verdict: Safe with 95% confidence.

## Analysis Summary
The provided .cmd script appears to be a cleanup script related to Kaspersky's Virus Removal Tool (KVRT). It attempts to remove a specific directory from the Temp folder, and upon successful removal, it deletes a registry entry and then removes its own directory. The script's behavior and location suggest it is likely related to a legitimate Kaspersky operation.

## Detailed Analysis
1. **Script Purpose**: The script is labeled as a "KVRT cleanup script," indicating its purpose is related to cleanup operations after using Kaspersky's Virus Removal Tool.

2. **Location**: The script is located in "C:\Program Files\Kaspersky," a directory associated with Kaspersky software, further suggesting it is part of a legitimate Kaspersky operation.

3. **Behavior**:
- The script attempts to remove the directory "C:\Users\Voodoo\AppData\Local\Temp\{03350a2c-e9b9-4fb3-8532-2a87f3b55672}" in a loop, waiting until it is successfully deleted.
- Upon successful deletion, it deletes a registry entry from "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" related to the script's GUID.
- Finally, it removes its own directory.

4. **Indicators of Maliciousness**:
- The script is not digitally signed, but this is expected since .cmd files are not typically signable.
- The script's actions could be considered potentially malicious if they were not contextualized within a known security product's operation. However, the removal of a specific Temp directory and a registry entry related to its own execution does not inherently suggest malware behavior, especially given its association with Kaspersky.

5. **Legitimate Enterprise Scripting Practices**: The script follows a straightforward and simple structure, typical of cleanup or uninstallation scripts used by software vendors.

## Conclusion
Given the script's purpose, location, and behavior, it is reasonable to conclude that this script is part of Kaspersky's legitimate operations, likely used for cleanup after running their Virus Removal Tool. The actions taken by the script are consistent with expected behavior for a cleanup or uninstallation process.

Malware type: Not Applicable
Malware name: Not Applicable
Final verdict: Safe with 95% confidence.

Without the two @echo lines...

Total tokens: 1564 (956 request / 608 response)

File path: c:\program files\kaspersky\b118eba8-1659-4509-aa3e-c267a1ee524d.cmd
File hash: 70cee24cf2603c9d22f23e4941a7dd0af14cce579373724e81e2445509e38aa2
File size: 0.00 MB
File publisher: This file is not a signable file type.
WhitelistCloud verdict: Not Safe

Final Verdict: Safe with 95% confidence.

## Analysis Summary
The provided .cmd script appears to be a cleanup script associated with a Kaspersky installation. It attempts to remove a specific directory from the Temp folder, and if successful, it deletes a registry entry related to its own execution. The script is not obfuscated and performs actions that are consistent with legitimate system maintenance tasks.

## Detailed Analysis
1. **Script Purpose**: The script is designed to remove a directory named `{03350a2c-e9b9-4fb3-8532-2a87f3b55672}` from the Temp folder of a user named "Voodoo". It attempts this removal up to 1000 times, waiting briefly between attempts, until the directory no longer exists.

2. **Directory Removal**: The script uses `rmdir /s /q` to forcibly and silently remove the specified directory. This is a common command used in Windows batch scripts for deleting directories.

3. **Registry Modification**: After successfully removing the directory, the script deletes a registry entry under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` with the value name `b118eba8-1659-4509-aa3e-c267a1ee524d`. This suggests that the script was previously set to run once upon system startup, and it is now removing its own RunOnce entry, indicating it has completed its task.

4. **Self-Deletion**: The script attempts to remove its own containing directory using `rmdir /s /q "%~dp0"`. This is a common technique used by installers or scripts to clean up after themselves.

5. **Legitimacy**: The script is located in `C:\Program Files\Kaspersky`, which suggests it is related to Kaspersky antivirus software. The filename `b118eba8-1659-4509-aa3e-c267a1ee524d.cmd` appears to be a GUID, which is often used by software installers or uninstallers for unique identification.

6. **Obfuscation and Encoding**: The script is not obfuscated or encoded. It uses straightforward batch commands, which is typical for legitimate scripts.

7. **Maliciousness Indicators**: There are no clear indicators of malicious intent. The actions performed by the script are consistent with cleanup or uninstallation tasks.

## Conclusion
Given the script's location, actions, and lack of obfuscation, it is reasonable to conclude that this script is legitimate and part of a Kaspersky software installation or removal process.

Malware type:
Malware name:
Final verdict: Safe with 95% confidence.
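The two reports above are the kind of output a reviewer ends up comparing by hand. Here is an added Python example, not Sirius's code and not part of the posts in this thread, that parses the header fields of the report format quoted above and raises the two triage flags the discussion turns on: the WhitelistCloud engine and the model disagreeing, and a Safe verdict for an unsignable file resting on the vendor-named directory it was run from (a folder any user can create). The sample reports are constructed from the headers quoted above; the `VENDOR_DIRS` list and the flag wording are assumptions for the demo, not anything Sirius publishes.

```python
"""Parse Sirius-style analysis reports and raise triage flags for the
edge cases discussed in the thread: location-based trust for unsignable
files, WhitelistCloud vs final-verdict disagreement, and several hashes
seen under one path."""
import re
from dataclasses import dataclass

# Constructed sample input: the header block of the two KVRT reports quoted
# above, reduced to the lines the parser consumes.
REPORT_WITH_ECHO = r"""Total tokens: 1552 (972 request / 580 response)

File path: c:\program files\kaspersky\b118eba8-1659-4509-aa3e-c267a1ee524d.cmd
File hash: 588308bc99db555b97c3e49e59d4516b33e9148e5588e9993dd53e179a6be89d
File size: 0.00 MB
File publisher: This file is not a signable file type.
WhitelistCloud verdict: Not Safe

Final Verdict: Safe with 95% confidence.

Malware type: Not Applicable
Malware name: Not Applicable
Final verdict: Safe with 95% confidence.
"""

REPORT_WITHOUT_ECHO = r"""Total tokens: 1564 (956 request / 608 response)

File path: c:\program files\kaspersky\b118eba8-1659-4509-aa3e-c267a1ee524d.cmd
File hash: 70cee24cf2603c9d22f23e4941a7dd0af14cce579373724e81e2445509e38aa2
File size: 0.00 MB
File publisher: This file is not a signable file type.
WhitelistCloud verdict: Not Safe

Final Verdict: Safe with 95% confidence.

Malware type:
Malware name:
Final verdict: Safe with 95% confidence.
"""

HEADER_KEYS = ("File path", "File hash", "File size", "File publisher",
               "WhitelistCloud verdict", "Malware type", "Malware name")
VERDICT_RE = re.compile(r"^Final verdict:\s*(Safe|Not Safe) with (\d+)% confidence\.",
                        re.MULTILINE | re.IGNORECASE)
TOKENS_RE = re.compile(r"^Total tokens:\s*(\d+) \((\d+) request / (\d+) response\)",
                       re.MULTILINE)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Vendor directories whose name alone lends a file context. Assumed list for
# this demo; Sirius does not publish such a list.
VENDOR_DIRS = ("c:\\program files\\kaspersky",)


@dataclass
class SiriusReport:
    path: str
    sha256: str
    publisher: str
    whitelist_verdict: str
    final_verdict: str
    confidence: int
    tokens: tuple  # (total, request, response)


def parse_report(text: str) -> SiriusReport:
    """Pull the header fields and the final verdict out of one report."""
    fields = {}
    for key in HEADER_KEYS:
        m = re.search(rf"^{re.escape(key)}:[ \t]*(.*?)[ \t]*$", text, re.MULTILINE)
        fields[key] = m.group(1) if m else ""
    verdict = VERDICT_RE.search(text)
    if verdict is None:
        raise ValueError("no final verdict line found")
    tokens = TOKENS_RE.search(text)
    sha = fields["File hash"].lower()
    if not SHA256_RE.match(sha):
        raise ValueError(f"file hash is not a SHA-256 hex digest: {sha!r}")
    return SiriusReport(
        path=fields["File path"].lower(),
        sha256=sha,
        publisher=fields["File publisher"],
        whitelist_verdict=fields["WhitelistCloud verdict"],
        final_verdict=verdict.group(1),
        confidence=int(verdict.group(2)),
        tokens=tuple(int(x) for x in tokens.groups()) if tokens else (0, 0, 0),
    )


def triage_flags(report: SiriusReport) -> list:
    """Return human-review flags for the situations the thread discusses."""
    flags = []
    # The whitelist engine and the model disagree: the call rests on the
    # model's reasoning alone, so a reviewer should read the report body.
    if report.whitelist_verdict == "Not Safe" and report.final_verdict == "Safe":
        flags.append("whitelist says Not Safe but final verdict is Safe")
    # Unsignable file judged by where it sits: any user can create a folder
    # named after a vendor under Program Files, so location is weak evidence.
    unsignable = "not a signable file type" in report.publisher.lower()
    in_vendor_dir = any(report.path.startswith(d + "\\") for d in VENDOR_DIRS)
    if unsignable and in_vendor_dir:
        flags.append("trust inferred from vendor directory, not from a signature")
    return flags


def compare_variants(reports: list) -> dict:
    """Group reports by path so verdicts for file variants sit side by side
    (the @echo / no-@echo pair above shares one path and has two hashes)."""
    by_path = {}
    for r in reports:
        by_path.setdefault(r.path, []).append((r.sha256, r.final_verdict, r.confidence))
    return by_path


if __name__ == "__main__":
    reports = [parse_report(REPORT_WITH_ECHO), parse_report(REPORT_WITHOUT_ECHO)]
    for r in reports:
        print(r.sha256[:12], r.final_verdict, r.confidence, triage_flags(r))
    print(compare_variants(reports))
```

Both sample reports come back with the same two flags, which is the point: the verdicts are defensible, but each one leans on the folder name rather than on anything the file itself proves, and that is exactly the dependency the video's test exercised.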
 
Hi Dan! Thank you for your understanding. I felt that the typical way of creating a critique would be by just utilizing the typical riff-raff of available malware (in copious amounts), but this would give no Joy as we both know the AI would dispatch them with malicious verdicts.

So although I ran the risk of being viewed as a total Schmuck I thought it best to snipe at the periphery by concentrating on total trivia.

But thanks again for viewing and responding to the video, as the channel is a lonely place (boohoo...whine...nobody understands me 'cept Ophelia).

M
 
