Continuous submission of suspicious files

[SlashRose 25]

Since the upgrade to the new Internet Security Build 14.2.19.0, suspicious files are constantly being sent to Eset's virus lab, but these temp files do not exist.

 

Time; component; event; user 07/07/2021 2:23:28 PM; ESET kernel; file "bc997e7d-1252-420f-bf2f-2ff2f73d629c.tmp" has been sent to the ESET virus laboratory for analysis.; SYSTEM

Time; component; event; user 07/04/2021 6:31:42 PM; ESET kernel; file "egui_19eb128d_4028.mdmp" has been sent to the ESET virus laboratory for analysis.; SYSTEM

Time; component; event; user 07/04/2021 6:31:28 pm; ESET kernel; file "egui_19ea763d_2560.mdmp" has been sent to the ESET virus laboratory for analysis.; SYSTEM

[Marcos 5,070]

Please provide logs collected with ESET Log Collector. Looks like your ESET gui is crashing at times.

[SlashRose 25]

Yes, where the Gui was sent to the Eset virus laboratory, the Eset Gui crashed twice, but not afterwards.

[Marcos 5,070]

Please provide logs collected with ELC if you want us to check what is being submitted from your machine.

[SlashRose 25]

Here please the complete log file.

eis_logs.zip

[SlashRose 25]

When can I expect the log files to be evaluated?

[Marcos 5,070]

There's nothing unusual. 77% of files submitted this month were obfuscated JS from filecrypt.co.

[SlashRose 25]

Marcos I will tell you the Eset problem and because the cause of the whole thing, Eset a Eset problem with OpenVPN, because the NetBios is required for Open VPN, which is blocked by Eset and you release it via Eset, or try to then greases the gui and also does not recognize Eset even the VPN connection and that is the problem of the whole and therefore I ask to fix the problem, thanks!

[Marcos 5,070]

This topic was about submission of suspicious files. If you are having a problem with Open VPN, please narrow it down by disabling particular settings and features, such as the firewall, protocol filtering, HIPS, etc. Does the issue go away at all after temporarily uninstalling ESET? If so, please open a support ticket with your local ESET distributor for further troubleshooting.

[SlashRose 25]

Yes, but this triggers the event from Eset, because as you can see there is also a report of a temp file, which has nothing to do with Open VPN and no crash of the Eset Gui and if Eset's firewall has a problem with OpenVPN and only Eset, then the problem is probably on Eset's side, especially since the error only occurs in the said Eset build, because previous Eset builds had zero problems with Eset and VPN, the matter is not clear where the problem is, yes that is it, namely on Eset side, or how else do you explain the fact that this event has only existed since the latest Eset build? And as you can see, temp files are also sent to Eset's virus lab.

[Marcos 5,070]

If there's an issue with Open VPN there is no connection with submission of samples. Therefore I would strongly recommend trying what I suggested and if temporarily uninstalling ESET makes a difference, open a support ticket with your local ESET distributor for further troubleshooting.

[SlashRose 25]

This problem only happens when I want to enable the NetBios for the VPN connection in the Eset firewall, that has nothing to do with Open VPN, or what does Open VPN have to do with it, when I want to enable the NEtBios for the VPN connection in Eset in Eset's firewall ?

[SlashRose 25]

What's going on with this build, now the good old eMule is already being sent to the virus lab, please finally fix this bug !!!

 

Time; component; event; user 07/13/2021 5:34:59 PM; ESET kernel; eMule.exe file has been sent to the ESET virus laboratory for analysis.; SYSTEM

[Marcos 5,070]

Maybe you were among the first to receive an update of emule. Had such file already been submitted by someone else, it wouldn't have been submitted from your machine.

[SlashRose 25]

No, this eMule was written for me personally in 2016, so that can't be!

[Marcos 5,070]

That explains it - nobody else has it so it was it was submitted because it fulfilled certain criteria for submission.

[SlashRose 25]

But not if the eMuli just like Eset that I have been running since the v2, knows this mule, that's still absurt! Because Eset already knows this eMule

[SlashRose 25]

Why did I know that it was the same game again, if you didn't have Itman here, then the forum would look very old, because the boy at least has something on the box! Because you don't really get help.

[Marcos 5,070]

Your question was already answered. The file was submitted because it met certain conditions for submission and the file had not been submitted by another user yet. 

[itman 1,659]

On 7/13/2021 at 1:28 PM, SlashRose said:

What's going on with this build, now the good old eMule is already being sent to the virus lab, please finally fix this bug !!!

Time; component; event; user 07/13/2021 5:34:59 PM; ESET kernel; eMule.exe file has been sent to the ESET virus laboratory for analysis.; SYSTEM

i have seen this same activity with test malware I use. Eset will appear to be submitting the same file detection over and over again. However when I open Eset Quarantine, I see the count field being incremented for a previous same file detection.

My take is the file is not actually being physically being resubmitted to Eset despite what the Eset Event log shows.

Also from prior Eset versions actual bork activity in regards to LiveGrid activity, I have learned to monitor what is in this directory, C:\ProgramData\ESET\ESET Security\Charon, which is where Eset stores submitted files pending LiveGrid analysis feedback.

Edited July 14, 2021 by itman

[Marcos 5,070]

10 minutes ago, itman said:

Eset will appear to be submitting the same file detection over and over again.

If you enable logging of submitted files, you should not see in the log that a particular file has been repeatedly submitted unless it has changed in the mean time. Is it like that or you have submission of the very same file logged repeatedly?

[itman 1,659]

34 minutes ago, Marcos said:

If you enable logging of submitted files, you should not see in the log that a particular file has been repeatedly submitted unless it has changed in the mean time. Is it like that or you have submission of the very same file logged repeatedly?

Unfortunately, my Event og was wiped due to a recent reinstall.

I did find this but again no Event log entries to support it:

The file I was specifically thinking of when I posted was my infamous .Net based PowerShell global keylogger that Eset only stated detecting after residing on my device for over a year. Appears I have removed it from Eset Quarrantine. BTW - I used this to test if Eset B&PP was scrambling keystrokes as claimed.

Edited July 14, 2021 by itman

[Marcos 5,070]

ELC logs would be required for troubleshooting in case you'd see the same file with the same hash continually being submitted. However, that should not normally happen.

[SlashRose 25]

Itman, can it really be that Eset only find a file that has been on pc for 6 years? I would find that very strange, but can this really be Itman?

[itman 1,659]

3 hours ago, SlashRose said:

Itman, can it really be that Eset only find a file that has been on pc for 6 years? I

I posted a year; not 6 years.

Also the source code for this keylogger was posted in clear text on a pen-tester web site since 2016.

Finally, Eset only starting detecting it after it finally flagged something suspicious in the code and uploaded it to LiveGrid servers for a full sandbox scan and full sig. creation.