TESTESET, Posted March 22, 2018

Internet Security sends "Send suspicious samples" even if I disable it. Where is my privacy? Or did I set it wrong?

The application was run locally from my PC. It was a fresh build (new executable from Visual Studio).

Detection Engine: 17099 (20180322)
Rapid Response module: 11808 (20180322)
Update module: 1014 (20180123)
Antivirus and antispyware scanner module: 1535 (20180202)
Advanced heuristics module: 1186 (20180309)
Archive support module: 1273 (20180309)
Cleaner module: 1154 (20180222)
Anti-Stealth support module: 1128 (20180316)
Firewall module: 1373.1 (20180103)
ESET SysInspector module: 1270 (20170808)
Translation support module: 1663 (20180209)
HIPS support module: 1313 (20180227)
Internet protection module: 1328 (20180226)
Web content filter module: 1058 (20170406)
Advanced antispam module: 7075 (20180322)
Database module: 1096 (20180202)
Configuration module (33): 1659.1 (20180315)
LiveGrid communication module: 1043 (20180205)
Specialized cleaner module: 1012 (20160405)
Banking & payment protection module: 1126 (20180309)
Rootkit detection and cleaning module: 1019 (20170825)
Network protection module: 1629 (20180320)
Router vulnerability scanner module: 1046 (20180314)
Script scanner module: 1033 (20180228)
Connected Home Network module: 1019.1 (20180220)
Cryptographic protocol support module: 1025 (20171106)

TESTESET (Author), Posted March 22, 2018

I looked inside the logs and it happened after update 11.1.42. I think there was a message on the main screen that said "Enable LiveGrid" (but I had already enabled it!). I couldn't remove this message, so I pressed Enable. I looked inside the settings afterwards (all looked OK, like on the screenshot), so I said: it's OK. But the settings were changed and not shown on the screen. ESET started sending samples.

In the past I had the same issue (version 11 line). It looks like after a main app update this setting is reset somehow.

Marcos (Administrators), Posted March 23, 2018

I was unable to reproduce it. A malicious sample was submitted only after selecting to submit malicious samples. I assume those could be files that had been pending for submission before you disabled it. If you are able to reproduce it, we can investigate it further.

Anyways, disabling submission of files is not recommended. Otherwise the more users disable it, the higher probability that we may not be able to clean possible malware that you may run into.

TESTESET (Author), Posted March 23, 2018

Is there a way to see pending submissions? I am a professional developer / reverse engineer; I regularly send you new samples that ESET doesn't catch yet. I know what I am doing, I just want to select what to send and what not.

Or another approach: add a setting "Confirm each submission" (default OFF for normal people; extended users can switch this option ON).

Marcos (Administrators), Posted March 23, 2018

You can see files pending for submission in C:\ProgramData\ESET\ESET Security\Charon but they are in an encrypted form. However, it doesn't mean they will actually be submitted; the program will first query LiveGrid servers if they are really needed.

If you want to submit only files that you want to, disable the LiveGrid feedback system and submit files manually. However, we don't recommend using the in-built form since many users submit tons of non-malicious stuff and your submission could get lost among them. Please follow the instructions at https://support.eset.com/kb141/ to submit suspicious files.

TESTESET (Author), Posted March 23, 2018

In the Charon directory there is only CACHE.NDB (25 KB) and FND0.NFI (170 B), but I can't see what is inside (as you say, it's encrypted, and it's small so it's probably empty).

The problem is that I have disabled "Submit suspicious samples" (see screen), so it should work, and I want to have LiveGrid enabled. LG is a very powerful thing.

I also tried exporting the settings to XML and looking deeper to see if I could find something suspicious, but all looks OK. We will see if it continues.

Marcos (Administrators), Posted March 23, 2018

LiveGrid consists of 2 systems: LiveGrid reputation system and LiveGrid feedback system for submitting files and statistics. You don't necessarily have to have both enabled if you don't want the system to submit suspicious files and you can still be protected by LiveGrid.

Of course, without malicious files from systems we wouldn't be able to add proper detection / cleaning so if you happen to get infected with malware that nobody else has come across, we may not be able to clean it properly until we receive the appropriate suspicious files.

TESTESET (Author), Posted March 23, 2018 (edited)

LiveGrid reputation - I have it ON, this is OK.

LiveGrid feedback - if I have disabled "Submit infected samples" + "Submit suspicious samples" then this part of LiveGrid should be disabled, or am I missing something?

And what about my previous idea: "Confirm each submission" (default OFF for normal people; extended users can switch this option ON and control what to do)? You didn't comment on it. With this we can control privacy and sensitive data leaking, and the feedback functionality will continue to work like now...

I know I can exclude some folders, but you can't exclude all future folders...

Edited March 23, 2018 by TESTESET

Marcos (Administrators), Posted March 23, 2018

> LiveGrid feedback - if I have disabled "Submit infected samples" + "Submit suspicious samples" then this part of LiveGrid should be disabled, or am I missing something?

That's correct.

> And what about my previous idea: "Confirm each submission" (default OFF for normal people; extended users can switch this option ON and control what to do)

This doesn't make sense in the era of cloud and rapidly emerging threats when files must be submitted and analyzed within seconds or minutes in order to provide quick response to new threats. This option was removed when ThreatSense.Net evolved to LiveGrid a couple of years ago.

In v11.1, we've added more granular settings for file submission. By enabling submission, the user gives consent to submitting suspicious files, which is also covered by the EULA and privacy policy.

TESTESET (Author), Posted March 23, 2018

I agree with you in all that you say; the question is why it was not working in my case? :-)

I will watch the AV behavior to see if there is another not-allowed submission...

Marcos (Administrators), Posted March 23, 2018

> 7 minutes ago, TESTESET said:
> I agree with you in all that you say; the question is why it was not working in my case? :-)
> I will watch the AV behavior to see if there is another not-allowed submission...

That is the best we can recommend at this point. We don't know how much time elapsed between changing the settings and the time the files were submitted.

TESTESET (Author), Posted March 23, 2018 (edited)

> 1 hour ago, Marcos said:
> We don't know how much time elapsed between changing the settings and the time the files were submitted.

The settings were always OFF, so there was no change... I suspect the application update process. I think I have seen it in the past: after an update the AV doesn't remember this setting or something like that... (or the setting names were changed...)

Edited March 23, 2018 by TESTESET

Marcos (Administrators), Posted March 23, 2018

If you upgraded from an older version, you must have been presented with a question whether you want to enable ESET LiveGrid feedback system. Enabling it would have re-enabled submission of samples (except documents like in previous versions) and statistics.

TESTESET (Author), Posted March 23, 2018

> 2 hours ago, Marcos said:
> If you upgraded from an older version, you must have been presented with a question whether you want to enable ESET LiveGrid feedback system. Enabling it would have re-enabled submission of samples (except documents like in previous versions) and statistics.

I always use the latest version, so I don't suppose there was some "version incompatibility settings" break. Also there is the product update that keeps my ESET fresh.

Maybe ESET collects suspicious files into a vault (not sending) and during a core application update there is some moment when the settings fail and it sends the files.

Marcos (Administrators), Posted March 23, 2018

> I always use the latest version, so I don't suppose there was some "version incompatibility settings" break.

After upgrade to v11.1.42 you were asked in the main GUI to enable or disable the LiveGrid feedback system. Consent had to be given or rejected due to compliance with GDPR even if the LiveGrid feedback system was enabled or disabled before upgrade.

TESTESET (Author), Posted March 23, 2018 (edited)

> 18 minutes ago, Marcos said:
> After upgrade to v11.1.42 you were asked in the main GUI to enable or disable the LiveGrid feedback system. Consent had to be given or rejected due to compliance with GDPR even if the LiveGrid feedback system was enabled or disabled before upgrade.

Yes, this is what I think causes the problem. Before, it was OFF, then update + question (I must press YES), but the settings stay OFF and it starts sending files.

I think this question should set my settings visibly ON and then all is clear. I can see the changes and set them back. But my settings stay OFF and in the background it runs as if my settings were ON.

Edited March 23, 2018 by TESTESET