PUP not handled


On OS X clients, lately I've been seeing a lot of unhandled PUPs with little information to go on. This is the result of a Full scan with cleaning:

[Image: scan result screenshot]

Policies are set for 'Strict Cleaning' on both real-time and on-demand scans. I'd like to understand what's (not) happening here.

I'm seeing similar on Windows clients, though it typically says, "action selection postponed until scan completion" but never takes any action even after the scan completes.

Edited by j-gray

  • Administrators

The "action selection postponed until scan completion" doesn't occur with PUAs if detected in a managed environment with the ESMC Agent installed. We've also made sure that the same applies to Mac products too.

Please provide logs collected with ESET Log Collector for a start.


On 6/4/2019 at 12:38 AM, Marcos said:

The "action selection postponed until scan completion" doesn't occur with PUAs if detected in a managed environment with the ESMC Agent installed. We've also made sure that the same applies to Mac products too.

Please provide logs collected with ESET Log Collector for a start.

Yes, I should have clarified. On the Windows clients I see this for items typically flagged as Trojans.

It's odd to me that a Trojan gets flagged with severity 'Warning', where a PUP gets flagged with severity 'Critical'. This seems backwards.

I also don't understand why those that get flagged with 'Critical' and 'Active Threats' show up in the console with a green check mark indicating healthy status. See below:

[Image: console screenshot]


  • Administrators

It's active threats which are reported with critical severity, hence we'd like to get ELC logs to get more information about the location of the detected object / file, action and possible error that was logged on such client.

We'll check how cleaning of PUAs works on Mac in a managed environment. On Windows, they are cleaned automatically but there's a chance that on Mac strict cleaning mode may be still required to prevent users from selecting an action manually.


  • ESET Staff

I would like to add to Marcos - Computers table includes the "computer status". As of now, the security status is in the page "Threats" and it does not currently affect the Computer status. We are tracking a change request to change this behavior. 

With regards to the "PUP" flagged as "critical", this is incorrect behavior, and it should not happen. You can eventually solve this by setting cleaning settings to "strict cleaning", however it would be interesting for us to know the product, the version, OS, and also the particular PUP, as this behavior was meant to be changed, so you might have identified some issue in the current implementation. 


8 hours ago, MichalJ said:

I would like to add to Marcos - Computers table includes the "computer status". As of now, the security status is in the page "Threats" and it does not currently affect the Computer status. We are tracking a change request to change this behavior. 

With regards to the "PUP" flagged as "critical", this is incorrect behavior, and it should not happen. You can eventually solve this by setting cleaning settings to "strict cleaning", however it would be interesting for us to know the product, the version, OS, and also the particular PUP, as this behavior was meant to be changed, so you might have identified some issue in the current implementation. 

@MichalJ The PUPs flagged as critical are JS/Mindspark.G, JS/Spigot.B, JS/Visicom.A, OSX/Mackeeper.DL, and on Windows, Win32/AirAdInstaller.A, JS/Visicom.A, JS/Spigot.B.  Both Real-time and On-demand set for strict cleaning have been unable to clean.

This is a recent occurrence where nothing from PUPs to trojans and other malware is getting successfully cleaned with 'strict cleaning' enabled, causing a high count of active threats.

OS X is a mix of 10.12.6 and 10.13.6 running ESET version 6.7.654.0

Windows is a mix of 7 and 10 running ESET version 7.0.2100.4 and 7.1.2045.5


  • Administrators

Could you please provide ELC logs from the client so that we know what application was creating the PUA files that were detected but could not be cleaned?


My "two cents" observation in regards to PUA Chrome extensions and the like is Eset is excellent at detecting and eliminating them at attempted installation time.

If however they get installed through either lack of detection, user allowing the install, etc, then it's an entirely different matter removing them when subsequently later detected via Realtime scanning. Even Eset's own KB articles on the same indicate that manual removal of the extension/s is required.

Edited by itman

2 hours ago, Marcos said:

Could you please provide ESET Log Collector logs from the client so that we know what application was creating the PUA files that were detected but could not be cleaned?

@Marcos @MichalJ Where may I upload log files? I'd prefer not to post in the forum.

Thank you.


1 hour ago, j-gray said:

@Marcos @MichalJ Where may I upload log files? I'd prefer not to post in the forum.

Thank you.

Forum attachments can only be read by Eset moderators. If that doesn't suffice, upload logs to a file share of your choice and PM both the link to the logs on the file share service.


  • Administrators

Today we've released a fixed version of the Antivirus and antispyware module 1552.3 which addresses cleaning issues on Mac. Could you please check if PUAs are now cleaned properly?


2 hours ago, Marcos said:

Today we've released a fixed version of the Antivirus and antispyware module 1552.3 which addresses cleaning issues on Mac. Could you please check if PUAs are now cleaned properly?

@Marcos Yes, PUAs have been cleaned properly on the problematic systems. Thank you!!
