j-gray

PUP not handled


Posted (edited)

On OS X clients, lately I've been seeing a lot of unhandled PUPs with little information to go on. This is the result of a Full scan with cleaning:


Policies are set for 'Strict Cleaning' on both real-time and on-demand scans. I'd like to understand what's (not) happening here.

I'm seeing similar on Windows clients, though it typically says, "action selection postponed until scan completion" but never takes any action even after the scan completes.

Edited by j-gray


The "action selection postponed until scan completion" doesn't occur with PUAs if detected in a managed environment with the ESMC Agent installed. We've also made sure that the same applies to Mac products too.

Please provide logs collected with ESET Log Collector for a start.

On 6/4/2019 at 12:38 AM, Marcos said:

The "action selection postponed until scan completion" doesn't occur with PUAs if detected in a managed environment with the ESMC Agent installed. We've also made sure that the same applies to Mac products too.

Please provide logs collected with ESET Log Collector for a start.

Yes, I should have clarified. On the Windows clients I see this for items typically flagged as Trojans.

It's odd to me that a Trojan gets flagged with severity 'Warning', where a PUP gets flagged with severity 'Critical'. This seems backwards.

I also don't understand why those that get flagged with 'Critical' and 'Active Threats' show up in the console with a green check mark indicating healthy status. See below:



It's active threats which are reported with critical severity, hence we'd like to get ELC logs to get more information about the location of the detected object/file, the action taken, and any possible error that was logged on such a client.

We'll check how cleaning of PUAs works on Mac in a managed environment. On Windows, they are cleaned automatically but there's a chance that on Mac strict cleaning mode may be still required to prevent users from selecting an action manually.


I would like to add to Marcos: the Computers table includes the "computer status". As of now, the security status is in the "Threats" page and it does not currently affect the Computer status. We are tracking a change request to change this behavior.

With regards to the "PUP" flagged as "critical", this is incorrect behavior, and it should not happen. You can eventually solve this by setting cleaning settings to "strict cleaning"; however, it would be interesting for us to know the product, the version, the OS, and also the particular PUP, as this behavior was meant to be changed, so you might have identified some issue in the current implementation.

8 hours ago, MichalJ said:

I would like to add to Marcos: the Computers table includes the "computer status". As of now, the security status is in the "Threats" page and it does not currently affect the Computer status. We are tracking a change request to change this behavior.

With regards to the "PUP" flagged as "critical", this is incorrect behavior, and it should not happen. You can eventually solve this by setting cleaning settings to "strict cleaning"; however, it would be interesting for us to know the product, the version, the OS, and also the particular PUP, as this behavior was meant to be changed, so you might have identified some issue in the current implementation.

@MichalJ The PUPs flagged as critical are JS/Mindspark.G, JS/Spigot.B, JS/Visicom.A, OSX/Mackeeper.DL, and on Windows, Win32/AirAdInstaller.A, JS/Visicom.A, JS/Spigot.B. Both Real-time and On-demand scans set for strict cleaning have been unable to clean them.

This is a recent occurrence where nothing from PUPs to trojans and other malware is getting successfully cleaned with 'strict cleaning' enabled, causing a high count of active threats.

OS X is a mix of 10.12.6 and 10.13.6 running ESET version 6.7.654.0.

Windows is a mix of 7 and 10 running ESET versions 7.0.2100.4 and 7.1.2045.5.


Could you please provide ELC logs from the client so that we know what application was creating the PUA files that were detected but could not be cleaned?

Posted (edited)

My "two cents" observation in regards to PUA Chrome extensions and the like is that Eset is excellent at detecting and eliminating them at attempted installation time.

If however they get installed through either lack of detection, the user allowing the install, etc., then it's an entirely different matter removing them when subsequently detected via Real-time scanning. Even Eset's own KB articles on the same indicate that manual removal of the extension(s) is required.

Edited by itman

2 hours ago, Marcos said:

Could you please provide ESET Log Collector logs from the client so that we know what application was creating the PUA files that were detected but could not be cleaned?

@Marcos @MichalJ Where may I upload log files? I'd prefer not to post in the forum.

Thank you.

1 hour ago, j-gray said:

@Marcos @MichalJ Where may I upload log files? I'd prefer not to post in the forum.

Thank you.

Forum attachments can only be read by Eset moderators. If that doesn't suffice, upload the logs to a file share of your choice and PM the link to the logs on the file share service to both of them.


Today we've released a fixed version of the Antivirus and antispyware module 1552.3 which addresses cleaning issues on Mac. Could you please check if PUAs are now cleaned properly?

2 hours ago, Marcos said:

Today we've released a fixed version of the Antivirus and antispyware module 1552.3 which addresses cleaning issues on Mac. Could you please check if PUAs are now cleaned properly?

@Marcos Yes, PUAs have been cleaned properly on the problematic systems. Thank you!!
