Unresolved Threats

[fatihkojak 0]

Hello,

First of all i'm very new at the forum and don't have much time to check other topics so if my topic is unnecessary please delete it or move it to the right place.

I am working for a company which uses Eset Remote Administrator and Eset Endpoint Antivirus. As you can see below (or attached) screenshot we have many alerts which shown as unresolved threats in multiple clients. When i display the details i can see that an action has been done for all of them such as "deleted" or "cleaned by deleting". I can mark them resolved as far as i can see but before i do that i want to be sure about there is nothing to be worried about.

So how can i be sure about it?

Which alerts should i be worried about and what can be done to decrease the amount of them?

 

Thank you in advance.

[Marcos 5,189]

First of all, it's necessary to distinguish between active and unresolved threats. Active threats are those that could not be cleaned for some reason, e.g. if a potentially unwanted application was detected and the user selected "No action" upon detection. Active threats can only be cleaned by running a scan task from ERA using the In-depth scan profile. Prior to running the scan, you might want to apply a policy that will set strict cleaning for the In-depth scan profile so that all threats and PUAs are cleaned automatically without waiting for user's interaction.

If there are no active threats, you can mark the threats as resolved. Currently this can be done only manually but this will be improved in ERA v7 which is going to be released this year.

[j-gray 36]

On 1/16/2018 at 4:00 AM, Marcos said:

Active threats can only be cleaned by running a scan task from ERA using the In-depth scan profile. Prior to running the scan, you might want to apply a policy that will set strict cleaning for the In-depth scan profile so that all threats and PUAs are cleaned automatically without waiting for user's interaction.

Can you please clarify how/where to set this in the policy?

I would have thought that choosing the option 'Scan with cleaning' in the ERA console. Does this option automatically default to the in-depth scan profile. If not, how to specify?

Thank you.

[j-gray 36]

Does this policy need to be set at the client level?

So in the (OS X) policy, under Antivirus > On-demand computer scan, the profile must be set here to 'in-depth'?

And if not, the 'Scan with cleaning' task from ERA console will not sufficiently clean the system?

[MichalJ 434]

The important thing is, that there is no "scan with strict cleaning" that you can initiate from the system. Scan is always carried out based on the settings of the scanner on the local client, which can be set under "scanning profiles". You can even adjust the "smart scan" to use "Strict cleaning", but in this case, it would not help, as the task "scan with cleaning" from ERA, is basically "In-depth scan". So adjust the settings for the profile "in-depth scan" to use "strict cleaning". that should help you to get rid of the repeating infections (as it will remove the files), especially in case of PUAs.  We are also preparing a change of behavior, which is listed here: https://forum.eset.com/topic/14743-request-for-feedback-on-a-plan-to-change-handling-of-potentially-unwanted-unsafe-applications/

In ERA 6.5, you basically should resolve the threats "manually", by clicking "mark as resolved". This will reduce the count in the column "unresolved threats". 

 In the upcoming version 7, the ones that are handled (blocked, deleted, cleaned), will be automatically marked as resolved. When you will execute a scan on the machine, it will also mark all of the threats on the machine as resolved. 

 

[j-gray 36]

My issue then, is that I have already set in-depth scan profile to strict cleaning.

Yet full scan with cleaning completes, does not find anything new, but still does not clear threat status on systems that still show active threats.

I understand I can clear these manually, but expect the application to do this.

[MichalJ 434]

That’s a misunderstanding. It does clean the “active threats” status, however that is something related to dynamic group evaluation (if threat is not handled, it becomes considered as “active threat” and becomes a member of a dynamic group with simmilar name). Thatbis unrelated to being “unresolved”.Resolution was meant to be “acknowledgement”. This concept will change in V7, so handled will be marked as resolved automatically.

[j-gray 36]

17 hours ago, MichalJ said:

That’s a misunderstanding. It does clean the “active threats” status, however that is something related to dynamic group evaluation (if threat is not handled, it becomes considered as “active threat” and becomes a member of a dynamic group with simmilar name). Thatbis unrelated to being “unresolved”.Resolution was meant to be “acknowledgement”. This concept will change in V7, so handled will be marked as resolved automatically.

To clarify what we are experiencing; ESET detects threats and does not perform any action, nor resolve the issues. Therefore the system is flagged with Active Threats.

Subsequent full scans 'with cleaning'/strict cleaning are performed and nothing is detected.  So even though the full scans find nothing, the system is still flagged with threats that have not been remediated.

I know that I can manually mark them as resolved, but they do not appear to be truly resolved, at least by ESET.

[MichalJ 434]

@j-gray Can you please post a screenshot, of such detections?

[j-gray 36]

12 minutes ago, MichalJ said:

@j-gray Can you please post a screenshot, of such detections?

Sure. These were detected Feb. 21. The system has run at least three full scans since. I have at least 6 systems that look similar:

[MichalJ 434]

@j-gray I have discussed this with the developers. Can you please create a customer care ticket. We will work on the replication in house, to test the behavior. Maybe, to speed up the progress, what is the application, that is triggering the detection? That we should install, to replicate the issue?

[j-gray 36]

55 minutes ago, MichalJ said:

@j-gray I have discussed this with the developers. Can you please create a customer care ticket. We will work on the replication in house, to test the behavior. Maybe, to speed up the progress, what is the application, that is triggering the detection? That we should install, to replicate the issue?

Thanks.

The detected applications are:

OSX/Adware.Bundlore.AP
OSX/Adware.Bundlore.AQ
OSX/Adware.Bundlore.AR
OSX/Adware.InstallCore.IL
OSX/Adware.InstallCore.HH
Win32/DealPly.JV.gen

[j-gray 36]

Case is #124466

[Marcos 5,189]

If you download eicar from https://secure.eicar.org/eicar.com, is it detected by real-time protection and cleaned automatically? Does it appear in yellow in the ERA Console, ie. as an inactive threat?

Also please check the details of the active threats and let us know what scanner (on-demand or real-time) is listed there.

[j-gray 36]

On 3/14/2018 at 6:38 AM, Marcos said:

If you download eicar from https://secure.eicar.org/eicar.com, is it detected by real-time protection and cleaned automatically? Does it appear in yellow in the ERA Console, ie. as an inactive threat?

Also please check the details of the active threats and let us know what scanner (on-demand or real-time) is listed there.

All were detected via real-time protection.

I tested the eicar file on my Mac. I was able to successfully download the file and open it using TextEdit to view. ESET did nothing. A scheduled scan is running now, so we'll see if gets picked up.

[j-gray 36]

Should also add, at least for the Macs, these all appear under the following path:  file:////Volumes/....

[j-gray 36]

Just an update: according to support, if a full scan is run and no threats are detected,

On 3/13/2018 at 10:42 AM, MichalJ said:

@j-gray I have discussed this with the developers. Can you please create a customer care ticket. We will work on the replication in house, to test the behavior. Maybe, to speed up the progress, what is the application, that is triggering the detection? That we should install, to replicate the issue?

Any luck with the developers?

I heard from support. They think that ESET no longer detects the threats because they are no longer there (unmounted volume, etc.).

Support also stated that if a full scan runs and does not detect any threats, it will not clear the threat status.  So the client will still appear with unresolved threats even though no threats are found.  The only solution presented was to manually clear the threat status.

It seems to me that if a system scans clean, it should not be flagged critical and/or require manual intervention.

[Marcos 5,189]

There seems to be an issue with real-time protection since downloaded eicar.com must be detected. Please collect logs as per the instructions at https://support.eset.com/kb3404/. After clicking "Replication start", download eicar.com and then click "Replication stop" if eicar was not detected.

[j-gray 36]

On 3/20/2018 at 12:51 PM, Marcos said:

There seems to be an issue with real-time protection since downloaded eicar.com must be detected. Please collect logs as per the instructions at https://support.eset.com/kb3404/. After clicking "Replication start", download eicar.com and then click "Replication stop" if eicar was not detected.

I reproduced the issue and uploaded logs a few days ago, just waiting for analysis and response.

I'm still lacking clarification:  A threat is found, but not handled so appears as a Threat on the client. Subsequent full scans find no threats, but system still shows threats.  Should these not be cleared by clean full scan?

[j-gray 36]

Here's a good example: Threat is detected but not handled. Scan is later performed and same threat is detected and cleaned. ERA console shows client still with two unresolved threats in the 'Unresolved Threats' column:

[Marcos 5,189]

On 3/23/2018 at 6:31 PM, j-gray said:

I reproduced the issue and uploaded logs a few days ago, just waiting for analysis and response. I'm still lacking clarification:  A threat is found, but not handled so appears as a Threat on the client. Subsequent full scans find no threats, but system still shows threats.  Should these not be cleared by clean full scan?

If real-time protection uses strict cleaning mode, the threat must have been cleaned automatically without user's interaction or running a subsequent on-demand scan. We'll need to check the logs and config as there's something peculiar about this and things don't appear to work as supposed. Please upload the logs collected by ESET Log Collector for Mac to a safe location (OneDrive, DropBox, etc.) and drop me a message with a download link. You've probably contacted ESET LLC so I have no access to your logs currently.

[MichalJ 434]

@j-gray Concerning your last post - this is a correct behavior with the current implementation. In the V7, the behavior will be the following: 

- the first threat will be reported as "unresolved". After you execute a scan covering the target where the threat is reported, that particular instance will be "marked as resolved". The second one, that is handled (by the scanner settings), will be automatically marked as resolved, so the "unresolved threat count" for the computer will be 0. As of now, in 6.5 the only way how to "resolve them" is to manually marked them as resolved. Those threats are no longer there. 

Btw, what are your cleaning settings for both Real Time protection and your On-demand scanning profile? 

[j-gray 36]

1 hour ago, MichalJ said:

@j-gray Btw, what are your cleaning settings for both Real Time protection and your On-demand scanning profile? 

Thanks for the clarification.

Real Time is set to 'normal' and On-demand is set to 'strict'.

[MichalJ 434]

@j-gray That is consistent with the setting. When the threat is detected first time by the "real time", it is kept (threat not handled, red color). When you run the on-demand scan, it is removed, due to the strict cleaning setting. As I have mentioned, in the V7, the behavior will be changed, that after executing a scan, both entries will be "marked as resolved", and the count of "unresolved threats" will be set to 0.