itman, Posted May 18, 2018

A couple of days ago, I did a full Win 10 1803 installed drive scan with Admin privileges. When the scan ended, I observed a FND6 file present in the C:\ProgramData\ESET\ESET Security\Charon directory. This indicates at least 5 other FND files were created and submitted to LiveGrid for analysis, since they are numbered in sequence. ESET's Event log had no entries present for file submissions. And yes, LiveGrid's event logging option is enabled.

Marcos (Administrators), Posted May 19, 2018

How do you know they were actually submitted? If someone else has submitted them, then the submission was rejected and the files in the cache were deleted.

itman (Author), Posted May 19, 2018

7 hours ago, Marcos said:
> How do you know they were actually submitted? If someone else has submitted them, then the submission was rejected and the files in the cache were deleted.

Yes, that is entirely possible. It all depends on how you define "submission." For me, it means when the files are transmitted regardless of acceptance status. Implied from what you stated is that a status from the LiveGrid server would be sent back to the submitter device that the file was accepted. Then the submission would be logged. A "bit of a stretch" on that one, I believe, as follows.

At least one file, FND6, did remain in the cache directory for an extended period of time, which would be indicative of acceptance. There was no log entry for this file, which was approx. 24K in size.

An enhancement to this feature would be a status indicator in the log entry along the lines of a numerical value, for example:

1. Submitted but previously analyzed.
2. Submitted and accepted for further analysis.
3. Submitted and analysis completed.

Marcos (Administrators), Posted May 20, 2018

I don't know what the response from LiveGrid servers was; however, regardless of the response, the cached file would have been either deleted or submitted. If it was deleted and nothing was logged, it had to be rejected by LiveGrid servers. Next time you can make a backup copy of such a file so that we can investigate it further.