This topic is now archived and is closed to further replies.

AMbit

Cleaning behavior is odd

I'm running v13.0.22.0, and I'm getting some odd behavior.


So, here's the preliminary information:

  • I have all scans set to "No cleaning".
  • A scheduled scan ran and a post-scan alert came up showing me the detections it found (all in archives).  I chose "No Action" for all of them.


So far, so good.  However, then I noticed this:

  • Under the "Computer Scan" tab, the log entry shows "Scan completed:  All detections cleaned".
  • The Quarantine shows all of the files where detections occurred.


The above items would indicate that ESET cleaned files that I explicitly told it not to touch.  For ESET to modify/delete files I told it to leave alone, that would be bad.

And yet, as far as I can tell, all of the files still exist in the file system and haven't been deleted.


This is very confusing to me.

If ESET correctly did as I instructed and ignored the detections, then I would expect that the log entry would show that detections were ignored, not cleaned.  In addition, I would not expect anything to be added to the Quarantine.

And yet, if ESET *did* clean all the files, then why are they still in the file system?

 

Can anyone explain this odd behavior?


We'll look into it, however, if you want to run a scheduled scan without cleaning, we recommend checking the "Scan without cleaning" box:

image.png


I appreciate that you're going to look into it.

However, how is the "Scan without cleaning" checkbox different than choosing "No cleaning" under the scan's ThreatSense parameters?  Wouldn't they both accomplish the same thing?

The desired behavior is that I do want an alert to come up after the scan finishes that lets me choose what to do. What I don't want is for ESET to clean/delete anything automatically, nor do I want a silent scan where there is no post-scan alert and I wouldn't even know about any detections unless I manually checked the log afterwards.

1 hour ago, AMbit said:

However, how is the "Scan without cleaning" checkbox different than choosing "No cleaning" under the scan's ThreatSense parameters?  Wouldn't they both accomplish the same thing?

No. The ThreatSense settings apply to real-time scan behavior. Do as @Marcos posted previously and you will have no cleaning issues with your manually created scheduled scan.

1 hour ago, itman said:

No. The ThreatSense settings apply to real-time scan behavior. Do as @Marcos posted previously and you will have no cleaning issues with your manually created scheduled scan.

 

How is that the case, given that that setting exists under the configuration options for On-Demand scans?

 

 


@AMbit There should have been 4 'Advanced Options' in the lower left of the detection popup, they might have been 'collapsed' and you had to 'expand' them to see them. 'Copy to Quarantine' is one of them, so what's in your Quarantine is probably just copies, as it's checked by default, along with 'Submit for Analysis'.

Restore everything and re-run the scan, and check for that.

See page 44 for the pop up shown in a Real-time detection with the Advanced Options expanded, yours was probably similar.

1 hour ago, AMbit said:

How is that the case, given that that setting exists under the configuration options for On-Demand scans?

To begin, you originally posted:

7 hours ago, AMbit said:

So, here's the preliminary information:

  • I have all scans set to "No cleaning".
  • A scheduled scan ran and a post-scan alert came up showing me the detections it found (all in archives).  I chose "No Action" for all of them.

We assume you are referring to a manually created scheduled scan. There is no option there to control cleaning other than the option to not clean, per the above posted screen shot.

A manual scan initiated via the Eset GUI "Computer Scan" option likewise has no options.

What I believe you are referring to is the "Malware scans" settings accessed via the Advanced Settings option. Those configuration options only apply to the scans specifically referenced in that section as far as the cleaning option is concerned. Again, as posted in the above screen shot, you must specifically state the No cleaning option for scheduled or on demand scanning.

 

27 minutes ago, itman said:

What I believe you are referring to is the "Malware scans" settings accessed via the Advanced Settings option. Those configuration options only apply to the scans specifically referenced in that section as far as the cleaning option is concerned. Again, as posted in the above screen shot, you must specifically state the No cleaning option for scheduled or on demand scanning.

 

Right.  However, those are On-Demand profiles.  And since the scheduled scans I'm referring to all have a specific Profile specified as part of their configuration, I would expect that the profile settings (which include the ThreatSense Parameters configured for that profile) would apply.

 

This understanding seems to be confirmed through the ESET documentation here, under the blue Note, where it says:

Suppose that you want to create your own scan profile and the Scan your computer configuration is partially suitable, but you do not want to scan runtime packers or potentially unsafe applications and you also want to apply Strict cleaning. Enter the name of your new profile in the Profile manager window and click Add. Select your new profile from the Selected profile drop-down menu and adjust the remaining parameters to meet your requirements, and then click OK to save your new profile.

 

To me, that part of the documentation indicates that the Cleaning section of the ThreatSense Parameters configured for a given On-Demand profile will be honored when a scan is run using that profile.

If that assumption is correct, then when I configure those profiles for "No cleaning", should it not behave the same as if I use the "Scan without cleaning" checkbox?

 

2 hours ago, Swamp Yankee said:

@AMbit There should have been 4 'Advanced Options' in the lower left of the detection popup, they might have been 'collapsed' and you had to 'expand' them to see them. 'Copy to Quarantine' is one of them, so what's in your Quarantine is probably just copies, as it's checked by default, along with 'Submit for Analysis'.

Restore everything and re-run the scan, and check for that.

See page 44 for the pop up shown in a Real-time detection with the Advanced Options expanded, yours was probably similar.

 

Thank you.  You're right that I probably did not have that section expanded.  Although I would not expect anything to be copied to quarantine if they weren't actually modified or deleted. 

If you're right, then this setting is being applied even when the action is to Ignore a threat - which is unusual, and I would argue should not be how ESET behaves under these circumstances.


If you want to select an action for each detected threat after the scan, use "No cleaning" in the ThreatSense setup for the on-demand scan profile used in the scheduled scan. Selecting "Scan without cleaning" while scheduling a scan task will run the scan in scan-only mode, i.e., it will not ask you for an action at the end of the scan and will only report detected threats in a log.

21 minutes ago, Marcos said:

If you want to select an action for each detected threat after the scan, use "No cleaning" in the ThreatSense setup for the on-demand scan profile used in the scheduled scan. Selecting "Scan without cleaning" while scheduling a scan task will run the scan in scan-only mode, i.e., it will not ask you for an action at the end of the scan and will only report detected threats in a log.

Thank you, Marcos.  That's exactly the information I needed!
