Web access protection Issue



12 minutes ago, itman said:

Some malware are sandbox aware. If they detect a sandbox environment, the malware won't execute.

Yes, I am aware of this. What I mean is that, to the best of my knowledge, for any new file you download from the Internet (in the form of a zip file in my case), before it runs on the device, ESET will send it to the sandbox, then notify the user of that and wait until it receives the result of the analysis.
But what happened is that ESET did not send the file to the sandbox in the first place, and this is what I am asking about.
The sample was not sent to the sandbox, and it failed to detect it. On the contrary, it was not sent in the first place!


  • Administrators
43 minutes ago, AZ Tech said:

But what happened is that ESET did not send the file to the sandbox in the first place, and this is what I am asking about.

Maybe it was already detected with a higher detection sensitivity level than what you have configured for malware. I didn't scan the file with ESSP and aggressive settings, so I can't tell if that was the case. If the file was downloaded from the Internet and then executed, it should have been sent out for analysis.


5 minutes ago, Marcos said:

If the file was downloaded from the Internet and then executed, it should have been sent out for analysis.

Yes, this should happen!!

 

6 minutes ago, Marcos said:

Maybe it was already detected with higher detection sensitivity level than what you have configured for malware.

I already set all settings to aggressive, as shown in the picture (if these settings are what you mean).

Screenshot 2021-10-18 223044.png


12 minutes ago, AZ Tech said:

I already set all settings to aggressive, as shown in the picture (if these settings are what you mean).

The question is how those settings (I assume here we are only referring to the suspicious category) equate to confidence levels, which are expressed as percentages. Note that EDTD uses confidence levels that can be manually set as required.


49 minutes ago, Marcos said:

Maybe it was already detected with higher detection sensitivity level than what you have configured for malware.

 

49 minutes ago, Marcos said:

If the file was downloaded from the Internet and then executed, it should have been sent out for analysis.

I think if you add the ability to send the file directly to LiveGuard by right-clicking, then advanced settings, "Send to LiveGuard" (or whatever the name of the option is), that will be more effective.
In order to avoid sending a lot of files that are already known by ESET, the software can do a quick check of the file: if it is known or already detected with a higher detection sensitivity level, just block it or leave it according to whether it is dangerous or not, with a notification to the user in both cases. And if it is a new file and meets the requirements for sending to LiveGuard, the software will send it.
I think this will be more effective.


9 minutes ago, AZ Tech said:

I think if you add the ability to send the file directly to LiveGuard by right-clicking, then advanced settings, "Send to LiveGuard" (or whatever the name of the option is), that will be more effective.

Of course I don't mean by this that you abandon LiveGuard's current working mechanism, but I do mean that it could be more effective.


  • Administrators
3 hours ago, AZ Tech said:

Blocked now. Also blocking of redirectors has been improved too. After unpacking the sfx exe and upon running it, it was sent to LiveGuard with a positive result:

image.png

The sfx archive contains a bunch of various malware which would be detected anyways upon extraction or running the file without LG analysis.

image.png

3 hours ago, AZ Tech said:

Finally, I have a question related to LiveGuard. When I ran the aforementioned sample, even though it was new and undetected by the ESET database, the LiveGuard feature didn't work as I expected, even though ESET did detect the malicious file after running it with the Advanced Memory Scanner. This means that the malicious file was not sent via LiveGuard, so what's wrong here?

Screenshot 2021-10-18 203819.png

I assume that the sample didn't do anything suspicious during replication in sandbox. E.g. it could expect certain user's input in order to drop a malicious payload which may be tricky to simulate.


14 minutes ago, Marcos said:

I assume that the sample didn't do anything suspicious during replication in sandbox

But the sample was not sent to the sandbox in the first place!!
Note: I am not using the beta version, as shown in the pictures.
Does this have an effect, or is there a problem with the version I used?

 

21 minutes ago, Marcos said:

Blocked now. Also blocking of redirectors has been improved too.

Thanks, that's good. I just hope to improve the response speed of the reports through the user interface. Excuse me, I do a lot of reports about similar sites and malicious files, and this is very difficult if I have to send a separate email for each report!!

Screenshot 2021-10-19 003429.png

Screenshot 2021-10-19 003525.png


27 minutes ago, AZ Tech said:

But the sample was not sent to the sandbox in the first place!!

Check the original download file name as to hidden status; e.g. crackware.sfx.docx, etc.


2 hours ago, Marcos said:

After unpacking the sfx exe and upon running it, it was sent to LiveGuard with a positive result:

image.png

After unpacking the sfx exe what file did you run that was sent to LiveGuard?!

Because when I unpacked the sfx, all the dumped files were detected by ESET in real time!!

 

2 hours ago, Marcos said:

The sfx archive contains a bunch of various malware which would be detected anyways upon extraction or running the file without LG analysis.

So again, what file did you run ?!
 

 

1 hour ago, itman said:

Check the original download file name as to hidden status; e.g. crackware.sfx.docx, etc.

I'm talking about the sample that I sent to eset, which was not detected by the database and which was supposed to be sent directly to LiveGuard when trying to run it.
Instead, it was not sent but was detected by the Advanced Memory Scanner after it was run.


 

On 10/19/2021 at 12:15 AM, Marcos said:

Also blocking of redirectors has been improved too.

 

On 10/19/2021 at 12:15 AM, Marcos said:

After unpacking the sfx exe and upon running it, it was sent to LiveGuard



Hi Marcos. First of all, thank you very much for responding to reports of suspicious sites and improving the blocking of redirectors, a really great job.

I have a question related to LiveGuard: are "sfx exe" files a target for LiveGuard?
For example, if I download a new sfx exe file from the Internet, when I run it, will it be sent directly to LiveGuard, or do I have to unpack / extract the files inside?
And please, can you clarify the file formats that are excluded from sending to LiveGuard? For example, when I download Word or Excel files, will they be sent, or is LiveGuard limited to executable files only?


  • Administrators
40 minutes ago, AZ Tech said:

For example, if I download a new sfx exe file from the Internet, when I run it, will it be sent directly to LiveGuard, or do I have to unpack / extract the files inside?

It should be sent for analysis. At least I'm not aware of a reason why it wouldn't be with default settings.

As to what is submitted, you configure it in the advanced setup. By default documents are not submitted:

image.png


1 hour ago, AZ Tech said:

And please, can you clarify the file formats that are excluded from sending to LiveGuard? For example, when I download Word or Excel files, will they be sent, or is LiveGuard limited to executable files only?

You should check ESSP on-line help first for questions like this.

My understanding is that everything is sent to the cloud by LiveGuard that hasn't been previously cloud scanned or is whitelisted by other means; e.g. Microsoft code-signed files. Only detected files would be retained by ESET for further processing; e.g. full signature creation, blacklist dissemination, etc.


Automatic submission of detected samples

Select what kind of samples will be submitted to ESET for analysis and to improve future detection (the default maximum sample size is 64MB). The following options are available:

All detected samples – All objects detected by the Detection engine (including potentially unwanted applications when enabled in the scanner settings).

All samples except documents – All detected objects except Documents (see below).

Do not submit – Detected objects will not be sent to ESET.

Automatic submission of suspicious samples

These samples will also be sent to ESET if the detection engine does not detect them. For example, samples that nearly missed the detection or one of the ESET Smart Security Premium protection modules consider these samples suspicious or behaving unclear (the default maximum sample size is 64MB).

Executables – Includes executable files like .exe, .dll, .sys.

Archives – Includes archive filetypes like .zip, .rar, .7z, .arch, .arj, .bzip, .gzip, .ace, .arc, .cab.

Scripts – Includes script filetypes like .bat, .cmd, .hta, .js, .vbs, .ps1.

Other – Includes filetypes like .jar, .reg, .msi, .sfw, .lnk.

Possible Spam emails – Allows sending possible spam parts or whole possible spam emails with attachments to ESET for further analysis. Enabling this option improves global spam detection, including improvements to future spam detection.

Delete executables, archives, scripts, other samples and possible spam emails from ESET's servers – Defines when to delete samples submitted for analysis by LiveGuard.

Documents – Includes Microsoft Office or PDF documents with or without active content.

Delete documents from ESET's servers – Defines when to delete documents submitted for analysis by LiveGuard.
List of all included document file types:

ACCDB, ACCDT, DOC, DOC_OLD, DOC_XML, DOCM, DOCX, DWFX, EPS, IWORK_NUMBERS, IWORK_PAGES, MDB, MPP, ODB, ODF, ODG, ODP, ODS, ODT, OLE2, OLE2_ENCRYPTED, OLE2_MACRO, OLE2_PROTECTED, ONE, ONEPKG, PDF, PPT, PPT_XML, PPTM, PPTX, PS, PSD, RTF, SYLK, THMX, VSD, VSD_XML, WPC, WPS, XLS, XLS_XML, XLSB, XLSM, XLSX, XPS

 

https://help.eset.com/essp/15/en-US/idh_config_charon.html

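The two practical questions in this thread are whether a file counted as "downloaded from the Internet" when it was run, and which submission category its name falls into. The following is an added example, not ESET's code and not something the thread describes: it parses the Windows Zone.Identifier alternate data stream (the Mark-of-the-Web that browsers and archivers write on downloads), maps a file name onto the category lists quoted from the ESSP help above, and flags the kind of double extension itman suggests checking (crackware.sfx.docx). Using Zone.Identifier as a proxy for "downloaded from the Internet" is this example's assumption; the thread does not say how ESET makes that decision. The document list is abbreviated, and ".sfx" is added to the archive set so itman's example is recognised (it is not in the help list).

```python
"""Triage helper: was this file eligible for LiveGuard submission?

Added example, not ESET's code. Assumes the Zone.Identifier stream is a
reasonable proxy for "downloaded from the Internet".
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Extension lists copied from the ESSP help text quoted above. The document
# list is abbreviated; ".sfx" is an addition for itman's example.
SUBMISSION_CATEGORIES: dict[str, set[str]] = {
    "executables": {".exe", ".dll", ".sys"},
    "archives": {".zip", ".rar", ".7z", ".arch", ".arj", ".bzip", ".gzip",
                 ".ace", ".arc", ".cab", ".sfx"},
    "scripts": {".bat", ".cmd", ".hta", ".js", ".vbs", ".ps1"},
    "other": {".jar", ".reg", ".msi", ".sfw", ".lnk"},
    "documents": {".accdb", ".accdt", ".doc", ".docm", ".docx", ".mdb", ".odp",
                  ".ods", ".odt", ".pdf", ".ppt", ".pptm", ".pptx", ".rtf",
                  ".xls", ".xlsb", ".xlsm", ".xlsx", ".xps"},
}
# Per Marcos above: documents are not submitted with default settings.
DEFAULT_ENABLED = frozenset({"executables", "archives", "scripts", "other"})

ZONE_INTERNET = 3  # URLZONE_INTERNET; 4 is URLZONE_UNTRUSTED


@dataclass
class MotwInfo:
    zone_id: int | None
    referrer_url: str | None
    host_url: str | None

    @property
    def from_internet(self) -> bool:
        return self.zone_id is not None and self.zone_id >= ZONE_INTERNET


def parse_zone_identifier(stream: str) -> MotwInfo:
    """Parse the INI-style [ZoneTransfer] section; an empty stream means no zone."""
    zone_id = referrer = host = None
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        if key == "zoneid":
            zone_id = int(value) if value.isdigit() else None
        elif key == "referrerurl":
            referrer = value
        elif key == "hosturl":
            host = value
    return MotwInfo(zone_id, referrer, host)


def read_zone_identifier(path: str) -> str:
    """Read the ADS from an NTFS file (Windows only); empty string when absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return ""


def submission_category(filename: str) -> str | None:
    ext = os.path.splitext(filename)[1].lower()
    return next((c for c, exts in SUBMISSION_CATEGORIES.items() if ext in exts), None)


def has_double_extension_of_interest(filename: str) -> bool:
    """True when the extension hidden behind the last one is itself a known type."""
    base, _outer = os.path.splitext(filename)
    return submission_category(base) is not None


def triage(filename: str, zone_stream: str, enabled=DEFAULT_ENABLED) -> dict:
    motw = parse_zone_identifier(zone_stream)
    category = submission_category(filename)
    return {
        "from_internet": motw.from_internet,
        "category": category,
        "double_extension": has_double_extension_of_interest(filename),
        # Eligible only if marked as downloaded AND its category is enabled
        # in the advanced setup (documents are off by default).
        "expect_submission": motw.from_internet and category in enabled,
    }


# Constructed sample stream in the format Windows writes for downloads.
SAMPLE_MOTW = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/sample.zip\r\n"
)

if __name__ == "__main__":
    for name in ("sample.zip", "report.docx", "crackware.sfx.docx"):
        print(name, triage(name, SAMPLE_MOTW))
```

On a real machine, replace SAMPLE_MOTW with `read_zone_identifier(path)`; a file that was extracted by a tool that does not propagate the stream will show `from_internet` False, which is one plausible reason a run never qualifies as "downloaded and executed".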

1 hour ago, Marcos said:

It should be sent for analysis. At least I'm not aware of a reason why it wouldn't be with default settings.

As to what is submitted, you configure it in the advanced setup. By default documents are not submitted:

 

47 minutes ago, itman said:

My understanding is that everything is sent to the cloud by LiveGuard that hasn't been previously cloud scanned or is whitelisted by other means; e.g. Microsoft code-signed files. Only detected files would be retained by ESET for further processing; e.g. full signature creation, blacklist dissemination, etc.

Thanks for the clarification guys .

 

48 minutes ago, itman said:

You should check ESSP on-line help first for questions like this.

Yeah, I think 😅


  • 2 weeks later...
On 10/19/2021 at 12:15 AM, Marcos said:

Blocked now.

Hi Marcos, I reported a new set of malicious sites via email (samples[at]eset.com) and the ESSP UI. I even sent a message to you, but no response yet!!
So, what is the problem?


2 minutes ago, Marcos said:

I should have access to my machine tomorrow, will check it out then.

Well, no problem, but isn't someone else supposed to check email reports?
I don't have a problem waiting for you, it's just a question.

