This topic is now archived and is closed to further replies.

TESTESET

Internet Security 11.1.42 LiveGrid sends samples even if it's disabled in settings


Internet Security sends "Send suspicious samples" even if I disable it. Where is my privacy? Or did I set it wrong?

The application was run locally from my PC. It was a fresh build (a new executable from Visual Studio).

Detection Engine: 17099 (20180322)
Rapid Response module: 11808 (20180322)
Update module: 1014 (20180123)
Antivirus and antispyware scanner module: 1535 (20180202)
Advanced heuristics module: 1186 (20180309)
Archive support module: 1273 (20180309)
Cleaner module: 1154 (20180222)
Anti-Stealth support module: 1128 (20180316)
Firewall module: 1373.1 (20180103)
ESET SysInspector module: 1270 (20170808)
Translation support module: 1663 (20180209)
HIPS support module: 1313 (20180227)
Internet protection module: 1328 (20180226)
Web content filter module: 1058 (20170406)
Advanced antispam module: 7075 (20180322)
Database module: 1096 (20180202)
Configuration module (33): 1659.1 (20180315)
LiveGrid communication module: 1043 (20180205)
Specialized cleaner module: 1012 (20160405)
Banking & payment protection module: 1126 (20180309)
Rootkit detection and cleaning module: 1019 (20170825)
Network protection module: 1629 (20180320)
Router vulnerability scanner module: 1046 (20180314)
Script scanner module: 1033 (20180228)
Connected Home Network module: 1019.1 (20180220)
Cryptographic protocol support module: 1025 (20171106)

 

Clipboard01.png

Clipboard02.png


I looked inside the logs and it happened after update 11.1.42. I think there was a message on the main screen that said "Enable LiveGrid" (but I have already enabled it!). I couldn't remove this message so I pressed Enable. I looked inside the settings afterwards (all looks OK, like on the screenshot) so I said: it's OK. But the settings were changed and it was not shown on the screen. ESET started sending samples. In the past I had the same issue (version 11 line). It looks like after a main app update this setting is somehow reset.


I was unable to reproduce it. A malicious sample was submitted only after selecting to submit malicious samples. I assume those could be files that had been pending for submission before you disabled it. If you are able to reproduce it, we can investigate it further.

Anyways, disabling submission of files is not recommended. Otherwise the more users disable it, the higher probability that we may not be able to clean possible malware that you may run into.


Is there a way to see pending submissions?

I am a professional developer / reverse engineer; I regularly send you new samples that ESET doesn't catch yet. I know what I am doing, I just want to select what to send and what not.

Or another approach: add a setting "Confirm each submission" (Default OFF - for normal people, extended users can switch this option ON)


You can see files pending for submission in C:\ProgramData\ESET\ESET Security\Charon but they are in an encrypted form. However, it doesn't mean they will actually be submitted; the program will first query LiveGrid servers if they are really needed.

If you want to submit only files that you want to, disable the LiveGrid feedback system and submit files manually. However, we don't recommend using the in-built form since many users submit tons of non-malicious stuff and your submission could get lost among them. Please follow the instructions at https://support.eset.com/kb141/ to submit suspicious files.


The Charon directory contains only CACHE.NDB (25kb) and FND0.NFI (170b), but I can't see what is inside (as you say, it's encrypted, and it's small so it's probably empty).

The problem is that I have disabled Submit suspicious samples (see screen) so it should work, and I want to have LiveGrid enabled. LG is a very powerful thing. I also tried exporting the settings to XML and looked deeper to see if I could find something suspicious, but all looks OK. We will see if it continues.


LiveGrid consists of 2 systems: LiveGrid reputation system and LiveGrid feedback system for submitting files and statistics. You don't necessarily have to have both enabled if you don't want the system to submit suspicious files and you can still be protected by LiveGrid. Of course, without malicious files from systems we wouldn't be able to add proper detection / cleaning so if you happen to get infected with malware that nobody else has come across, we may not be able to clean it properly until we receive the appropriate suspicious files.


LiveGrid reputation - I have it ON, this is OK

LiveGrid feedback - if I have disabled Submit infected samples + Submit suspicious samples then this part of LiveGrid should be disabled, or am I missing something?

And what about my previous idea: "Confirm each submission" (Default OFF - for normal people, extended users can switch this option ON and control what to do)? You didn't comment on it. With this we can control privacy and sensitive data leaking, and the feedback functionality will continue to work like now... I know I can exclude some folders, but you can't exclude all future folders...

Quote

LiveGrid feedback - if I have disabled Submit infected samples + Submit suspicious samples then this part of LiveGrid should be disabled, or am I missing something?

That's correct.

Quote

And what about my previous idea: "Confirm each submission" (Default OFF - for normal people, extended users can switch this option ON and control what to do)

This doesn't make sense in the era of cloud and rapidly emerging threats when files must be submitted and analyzed within seconds or minutes in order to provide quick response to new threats. This option was removed when ThreatSense.Net evolved to LiveGrid a couple of years ago. In v11.1, we've added more granular settings for file submission. By enabling submission, the user gives consent to submitting suspicious files which is also covered by EULA and privacy policy.


I agree with everything you say; the question is why it was not working in my case? :-) I will watch the AV behavior to see if there is another not-allowed submission...

7 minutes ago, TESTESET said:

I agree with everything you say; the question is why it was not working in my case? :-) I will watch the AV behavior to see if there is another not-allowed submission...

That is the best we can recommend at this point. We don't know how much time elapsed between changing the settings and the time the files were submitted.

1 hour ago, Marcos said:

We don't know how much time elapsed between changing the settings and the time the files were submitted.

Settings were always OFF, so there was no change... I suspect the application update process. I think I saw it in the past: after an update the AV doesn't remember this setting or something like that... (or the setting names were changed...)


If you upgraded from an older version, you must have been presented with a question whether you want to enable ESET LiveGrid feedback system. Enabling it would have re-enabled submission of samples (except documents like in previous versions) and statistics.

2 hours ago, Marcos said:

If you upgraded from an older version, you must have been presented with a question whether you want to enable ESET LiveGrid feedback system. Enabling it would have re-enabled submission of samples (except documents like in previous versions) and statistics.

I always use the latest version, so I don't suppose there was some "version incompatibility settings" break. Also there is the product update that keeps my ESET fresh :) Maybe ESET collects suspicious files into a vault (not sending them) and during the core application update there is some moment when the settings fail and it sends the files.

Quote

I always use the latest version, so I don't suppose there was some "version incompatibility settings" break.

After upgrade to v11.1.42 you were asked in the main GUI to enable or disable the LiveGrid feedback system. Consent had to be given or rejected due to compliance with GDPR even if the LiveGrid feedback system was enabled or disabled before upgrade.

18 minutes ago, Marcos said:

After upgrade to v11.1.42 you were asked in the main GUI to enable or disable the LiveGrid feedback system. Consent had to be given or rejected due to compliance with GDPR even if the LiveGrid feedback system was enabled or disabled before upgrade.

Yes, this is what I think causes the problem. Before it was OFF, then Update + Question (I must press YES), but the settings stay OFF, and it starts sending files. I think this question should set my settings visibly ON and then all is clear. I can see the changes and set it back. But my settings stay OFF and in the background it runs as if my settings are ON.
