j-gray, posted June 3, 2019: On OS X clients, lately I've been seeing a lot of unhandled PUPs with little information to go on. This is the result of a full scan with cleaning: Policies are set for 'Strict Cleaning' on both real-time and on-demand scans. I'd like to understand what's (not) happening here. I'm seeing similar on Windows clients, though it typically says, "action selection postponed until scan completion" but never takes any action even after the scan completes.
itman, posted June 3, 2019: See this thread: https://forum.eset.com/topic/19081-jsspigotb/ . Also refer to the Eset knowledgebase article link I posted in the thread.
Marcos (Administrators), posted June 4, 2019: The "action selection postponed until scan completion" doesn't occur with PUAs if detected in a managed environment with the ESMC Agent installed. We've also made sure that the same applies to Mac products too. Please provide logs collected with ESET Log Collector for a start.
j-gray (Author), posted June 5, 2019: On 6/4/2019 at 12:38 AM, Marcos said: "The 'action selection postponed until scan completion' doesn't occur with PUAs if detected in a managed environment with the ESMC Agent installed. We've also made sure that the same applies to Mac products too. Please provide logs collected with ESET Log Collector for a start." Yes, I should have clarified. On the Windows clients I see this for items typically flagged as Trojans. It's odd to me that a Trojan gets flagged with severity 'Warning', whereas a PUP gets flagged with severity 'Critical'. This seems backwards. I also don't understand why those that get flagged with 'Critical' and 'Active Threats' show up in the console with a green check mark indicating healthy status. See below:
Marcos (Administrators), posted June 5, 2019: It's active threats which are reported with critical severity, hence we'd like to get ELC logs to get more information about the location of the detected object / file, the action, and any possible error that was logged on such a client. We'll check how cleaning of PUAs works on Mac in a managed environment. On Windows, they are cleaned automatically, but there's a chance that on Mac strict cleaning mode may still be required to prevent users from selecting an action manually.
MichalJ (ESET Staff), posted June 6, 2019: I would like to add to Marcos - the Computers table includes the "computer status". As of now, the security status is in the page "Threats" and it does not currently affect the Computer status. We are tracking a change request to change this behavior. With regards to the "PUP" flagged as "critical", this is incorrect behavior, and it should not happen. You can eventually solve this by setting cleaning settings to "strict cleaning"; however, it would be interesting for us to know the product, the version, OS, and also the particular PUP, as this behavior was meant to be changed, so you might have identified some issue in the current implementation.
j-gray (Author), posted June 6, 2019: 8 hours ago, MichalJ said: "I would like to add to Marcos - the Computers table includes the 'computer status'. As of now, the security status is in the page 'Threats' and it does not currently affect the Computer status. We are tracking a change request to change this behavior. With regards to the 'PUP' flagged as 'critical', this is incorrect behavior, and it should not happen. You can eventually solve this by setting cleaning settings to 'strict cleaning'; however, it would be interesting for us to know the product, the version, OS, and also the particular PUP, as this behavior was meant to be changed, so you might have identified some issue in the current implementation." @MichalJ The PUPs flagged as critical are JS/Mindspark.G, JS/Spigot.B, JS/Visicom.A, OSX/Mackeeper.DL, and on Windows, Win32/AirAdInstaller.A, JS/Visicom.A, JS/Spigot.B. Both Real-time and On-demand scans set for strict cleaning have been unable to clean. This is a recent occurrence where nothing, from PUPs to trojans and other malware, is getting successfully cleaned with 'strict cleaning' enabled, causing a high count of active threats. OS X is a mix of 10.12.6 and 10.13.6 running ESET version 6.7.654.0. Windows is a mix of 7 and 10 running ESET versions 7.0.2100.4 and 7.1.2045.5.
Marcos (Administrators), posted June 6, 2019: Could you please provide ELC logs from the client so that we know what application was creating the PUA files that were detected but could not be cleaned?
itman, posted June 6, 2019: My "two cents" observation in regards to PUA Chrome extensions and the like is that Eset is excellent at detecting and eliminating them at attempted installation time. If, however, they get installed through either lack of detection, the user allowing the install, etc., then it's an entirely different matter removing them when subsequently detected via Real-time scanning. Even Eset's own KB articles on the same indicate that manual removal of the extension(s) is required.
j-gray (Author), posted June 6, 2019: 2 hours ago, Marcos said: "Could you please provide ESET Log Collector logs from the client so that we know what application was creating the PUA files that were detected but could not be cleaned?" @Marcos @MichalJ Where may I upload log files? I'd prefer not to post in the forum. Thank you.
itman, posted June 6, 2019: 1 hour ago, j-gray said: "@Marcos @MichalJ Where may I upload log files? I'd prefer not to post in the forum. Thank you." Forum attachments can only be read by Eset moderators. If that doesn't suffice, upload the logs to a file share of your choice and PM both of them the link to the logs on the file share service.
Marcos (Administrators), posted June 7, 2019: Today we've released a fixed version of the Antivirus and antispyware module, 1552.3, which addresses cleaning issues on Mac. Could you please check if PUAs are now cleaned properly?
j-gray (Author), posted June 7, 2019: 2 hours ago, Marcos said: "Today we've released a fixed version of the Antivirus and antispyware module, 1552.3, which addresses cleaning issues on Mac. Could you please check if PUAs are now cleaned properly?" @Marcos Yes, PUAs have been cleaned properly on the problematic systems. Thank you!!