Continuous submission of suspicious files


  • ESET Insiders

Since the upgrade to the new Internet Security Build 14.2.19.0, suspicious files are constantly being sent to Eset's virus lab, but these temp files do not exist.

 

Time; component; event; user
07/07/2021 2:23:28 PM; ESET kernel; file "bc997e7d-1252-420f-bf2f-2ff2f73d629c.tmp" has been sent to the ESET virus laboratory for analysis.; SYSTEM
07/04/2021 6:31:42 PM; ESET kernel; file "egui_19eb128d_4028.mdmp" has been sent to the ESET virus laboratory for analysis.; SYSTEM
07/04/2021 6:31:28 pm; ESET kernel; file "egui_19ea763d_2560.mdmp" has been sent to the ESET virus laboratory for analysis.; SYSTEM


  • ESET Insiders

Yes, where the Gui was sent to the Eset virus laboratory, the Eset Gui crashed twice, but not afterwards.


  • Administrators

Please provide logs collected with ELC if you want us to check what is being submitted from your machine.


  • ESET Insiders

When can I expect the log files to be evaluated?


  • Administrators

There's nothing unusual. 77% of files submitted this month were obfuscated JS from filecrypt.co.


  • ESET Insiders

Marcos, I will tell you the Eset problem and the cause of the whole thing: Eset has a problem with OpenVPN, because NetBIOS is required for OpenVPN, which is blocked by Eset, and if you release it via Eset, or try to, then the GUI crashes and Eset also does not even recognize the VPN connection. That is the whole problem, and therefore I ask you to fix the problem, thanks!


  • Administrators

This topic was about submission of suspicious files. If you are having a problem with Open VPN, please narrow it down by disabling particular settings and features, such as the firewall, protocol filtering, HIPS, etc. Does the issue go away at all after temporarily uninstalling ESET? If so, please open a support ticket with your local ESET distributor for further troubleshooting.


  • ESET Insiders

Yes, but this triggers the event from Eset, because as you can see there is also a report of a temp file, which has nothing to do with OpenVPN and no crash of the Eset GUI. And if Eset's firewall has a problem with OpenVPN, and only Eset, then the problem is probably on Eset's side, especially since the error only occurs in the said Eset build, because previous Eset builds had zero problems with Eset and VPN. The matter is not clear where the problem is, yes that is it, namely on Eset's side, or how else do you explain the fact that this event has only existed since the latest Eset build? And as you can see, temp files are also sent to Eset's virus lab.


  • Administrators

If there's an issue with Open VPN there is no connection with submission of samples. Therefore I would strongly recommend trying what I suggested and if temporarily uninstalling ESET makes a difference, open a support ticket with your local ESET distributor for further troubleshooting.


  • ESET Insiders

This problem only happens when I want to enable NetBIOS for the VPN connection in the Eset firewall. That has nothing to do with OpenVPN, or what does OpenVPN have to do with it, when I want to enable NetBIOS for the VPN connection in Eset's firewall?


  • ESET Insiders

What's going on with this build? Now the good old eMule is already being sent to the virus lab. Please finally fix this bug!!!

 

Time; component; event; user
07/13/2021 5:34:59 PM; ESET kernel; eMule.exe file has been sent to the ESET virus laboratory for analysis.; SYSTEM


  • Administrators

Maybe you were among the first to receive an update of eMule. Had such a file already been submitted by someone else, it wouldn't have been submitted from your machine.


  • ESET Insiders

No, this eMule was written for me personally in 2016, so that can't be!


  • Administrators

That explains it - nobody else has it, so it was submitted because it fulfilled certain criteria for submission.


  • ESET Insiders

But not when Eset, which I have been running since v2, knows this eMule; that's still absurd! Because Eset already knows this eMule.


  • ESET Insiders

Why did I know it would be the same game again? If you didn't have Itman here, the forum would look very old, because the boy at least knows his stuff! Because you don't really get help otherwise.


  • Administrators

Your question was already answered. The file was submitted because it met certain conditions for submission and the file had not been submitted by another user yet. 


On 7/13/2021 at 1:28 PM, SlashRose said:

What's going on with this build? Now the good old eMule is already being sent to the virus lab. Please finally fix this bug!!!

Time; component; event; user
07/13/2021 5:34:59 PM; ESET kernel; eMule.exe file has been sent to the ESET virus laboratory for analysis.; SYSTEM

I have seen this same activity with test malware I use. Eset will appear to be submitting the same file detection over and over again. However, when I open Eset Quarantine, I see the count field being incremented for a previous detection of the same file.

My take is that the file is not actually being physically resubmitted to Eset, despite what the Eset Event log shows.

Also, from prior Eset versions' actual bork activity in regard to LiveGrid, I have learned to monitor what is in this directory, C:\ProgramData\ESET\ESET Security\Charon, which is where Eset stores submitted files pending LiveGrid analysis feedback.

Edited by itman

  • Administrators
10 minutes ago, itman said:

Eset will appear to be submitting the same file detection over and over again.

If you enable logging of submitted files, you should not see in the log that a particular file has been repeatedly submitted unless it has changed in the meantime. Is it like that, or do you have submission of the very same file logged repeatedly?


34 minutes ago, Marcos said:

If you enable logging of submitted files, you should not see in the log that a particular file has been repeatedly submitted unless it has changed in the meantime. Is it like that, or do you have submission of the very same file logged repeatedly?

Unfortunately, my Event log was wiped due to a recent reinstall.

I did find this but again no Event log entries to support it:

[image: screenshot of Eset Quarantine]

The file I was specifically thinking of when I posted was my infamous .Net based PowerShell global keylogger that Eset only started detecting after it had resided on my device for over a year. It appears I have removed it from Eset Quarantine. BTW - I used this to test if Eset B&PP was scrambling keystrokes as claimed.

Edited by itman

  • Administrators

ELC logs would be required for troubleshooting in case you'd see the same file with the same hash continually being submitted. However, that should not normally happen.

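The check Marcos describes (a file should reappear in the submission log only if its content changed) and the Charon-directory monitoring itman mentions can both be done by hand. The script below is an added example written for this thread, not ESET's code; it assumes the event log was exported as semicolon-separated rows with the columns Time; Component; Event; User, as quoted in the posts above, and it uses the Charon path from itman's post only as a default. The sample rows are constructed: the first two are copied from the thread, the last two are made up to exercise the checks.

```python
"""Added example (not ESET's code): find filenames that the exported ESET event
log reports as submitted more than once, and snapshot a directory by SHA-256
so a changed file can be told apart from a genuine resubmission of the same bytes.

Assumptions: rows look like "Time; Component; Event; User" as quoted in this
thread; the default directory is the Charon path itman mentioned.
"""
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Default for snapshot_hashes(); path taken from itman's post above.
CHARON_DIR = Path(r"C:\ProgramData\ESET\ESET Security\Charon")

# Two phrasings appear in the thread:
#   file "x.tmp" has been sent to the ESET virus laboratory ...
#   eMule.exe file has been sent to the ESET virus laboratory ...
_SENT_RE = re.compile(
    r'(?:file "(?P<quoted>[^"]+)"|(?P<bare>\S+) file) '
    r"has been sent to the ESET virus laboratory"
)

# Constructed sample: rows 1-2 copied from the thread, rows 3-4 made up
# (a repeat of eMule.exe and a non-submission row) to exercise the checks.
SAMPLE_LOG = [
    '07/07/2021 2:23:28 PM; ESET kernel; file "bc997e7d-1252-420f-bf2f-2ff2f73d629c.tmp" '
    "has been sent to the ESET virus laboratory for analysis.; SYSTEM",
    "07/13/2021 5:34:59 PM; ESET kernel; eMule.exe file has been sent to the ESET virus "
    "laboratory for analysis.; SYSTEM",
    "07/14/2021 9:02:11 AM; ESET kernel; eMule.exe file has been sent to the ESET virus "
    "laboratory for analysis.; SYSTEM",
    "07/14/2021 9:05:00 AM; Firewall; Communication allowed by rule; SYSTEM",
]


def parse_submission(row):
    """Return (timestamp, filename) for a submission row, None for any other row."""
    parts = [p.strip() for p in row.split(";")]
    if len(parts) < 4 or parts[1] != "ESET kernel":
        return None
    m = _SENT_RE.search(parts[2])
    if not m:
        return None
    return parts[0], m.group("quoted") or m.group("bare")


def submissions_by_file(rows):
    """Map filename -> list of timestamps at which its submission was logged."""
    seen = defaultdict(list)
    for row in rows:
        rec = parse_submission(row)
        if rec:
            seen[rec[1]].append(rec[0])
    return dict(seen)


def repeated_submissions(rows, threshold=2):
    """Filenames whose submission was logged at least `threshold` times.

    A repeat is only worth a support ticket if the bytes did not change;
    pair this with snapshot_hashes()/diff_snapshots() to tell the two apart.
    """
    return {n: ts for n, ts in submissions_by_file(rows).items() if len(ts) >= threshold}


def sha256_bytes(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def snapshot_hashes(directory=CHARON_DIR):
    """{filename: sha256} for every regular file currently in `directory`."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    return {p.name: sha256_bytes(p.read_bytes()) for p in directory.iterdir() if p.is_file()}


def diff_snapshots(before, after):
    """Compare two snapshots; returns (added, changed, removed) filename lists."""
    added = sorted(n for n in after if n not in before)
    removed = sorted(n for n in before if n not in after)
    changed = sorted(n for n in after if n in before and after[n] != before[n])
    return added, changed, removed


if __name__ == "__main__":
    for name, times in repeated_submissions(SAMPLE_LOG).items():
        print(f"{name}: logged {len(times)} times ({', '.join(times)})")
```

Run two snapshots of the Charon directory some minutes apart and feed them to diff_snapshots(); a filename in the "changed" list explains a second log entry, while a repeated entry with no hash change is the case Marcos says should not happen and is worth attaching ELC logs to.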

  • ESET Insiders

Itman, can it really be that Eset only finds a file that has been on the PC for 6 years? I would find that very strange, but can this really be, Itman?


3 hours ago, SlashRose said:

Itman, can it really be that Eset only find a file that has been on pc for 6 years? I

I posted a year; not 6 years.

Also, the source code for this keylogger has been posted in clear text on a pen-tester website since 2016.

Finally, Eset only started detecting it after it finally flagged something suspicious in the code and uploaded it to LiveGrid servers for a full sandbox scan and full sig. creation.

This topic is now closed to further replies.