Jump to content

LiveGuard not working for me !


Recommended Posts

There is a problem with LiveGuard feature, which is when I download a new "malicious" file from the Internet and run it, it is not sent to LiveGuard as shown in the attached images.

1.png

2.png

3.png

4.png

5.png

Link to comment
Share on other sites

1 hour ago, Marcos said:

as well as logs collected with ESET Log Collector.

Sorry Marcos, it was a virtual machine, and I reset it "by mistake" before you asked me to.
But when I installed ESSP again, I found that the problem was no longer there As shown in the attached screenshots, perhaps it was a problem with the virtual machine I was testing on.
But I will test LiveGuard again, and if I encounter any problem with it, I will inform you about it with the attached logs collected data, again I apologize for that.


 

But is it normal for the LiveGuard report to tell me that the file is safe to use?
I know that this may be because the sample detects that it is in the sandbox environment and does not perform any suspicious activity during the analysis, but aren't most of the new and sophisticated attacks able to avoid detection through the sandbox?... So there must be a solution to this, For example, an advanced behavior detection system, similar to those that can detect ransomware infection and rollback changes.

I know that LiveGuard will be very useful, but this must be kept in mind.

new_01.png

new_02.png

new_03.png

Edited by AZ Tech
Link to comment
Share on other sites

15 minutes ago, AZ Tech said:

I know that this may be because the sample detects that it is in the sandbox environment and does not perform any suspicious activity during the analysis, but aren't most of the new and sophisticated attacks able to avoid detection through the sandbox?...

One way to confirm sandbox aware malware is to submit it to one of the cloud sandbox services such as Hybrid-Analysis, anyrun.com, or Joe's Cloud Sandbox. Based on my experience with these, most in their detailed analysis will show if a malware is employing detection evasion tactics such as being VM or sandbox aware.

It could very well be that LiveGuard cloud analysis does not consider a sandbox aware status sufficient to label the sample as malicious. On the other hand, it should be returning a suspicious verdict noting this finding.

Edited by itman
Link to comment
Share on other sites

Let's talk about LiveGuard cloud suspicious detection in the context of ESSP.

First, EDTD most definitely will return a suspicious detection. But the assumption is its results are being reviewed by corp. IT security trained personnel. Then, there is Eset's recommendations of further review actions for example, submit the file to VirusTotal for further analysis. Give me a break ........

However, the last thing you want in a home based security product is for the user to be making a decision in regards to a suspicious detection. Long established research has shown that at best, he will make the wrong decision at least 50% of the time. 

Bottom line in regards to LiveGrid use in ESSP is it may very well not be returning a suspicious verdict; at least one that is not a highly suspicious one. 

Anyway, do keep up your "stress testing" of LiveGuard in ESSP. It is the only way the rest of us will know its full capability.

Edited by itman
Link to comment
Share on other sites

2 hours ago, itman said:

On the other hand, it should be returning a suspicious verdict noting this finding.

I agree with that

 

56 minutes ago, itman said:

Let's talk about LiveGuard cloud suspicious detection in the context of ESSP.

I totally agree with you and I think the LiveGuard reports need to be more detailed.
Also, an option should be added that allows the user to send the file directly to LiveGuard, and to avoid sending many files that are already known, the software can do a quick verification of the files before sending them at the request of the user, and notify him of this if the file was sent or not sent with an explanation Reason .

Link to comment
Share on other sites

On 10/19/2021 at 2:04 PM, Marcos said:

Please provide me with step-by-step instructions as well as logs collected with ESET Log Collector.


Hi Marcos, Now LiveGuard is working fine, the problem was importing settings from a previous version.

Now the problem is that LiveGuard uploads everything I download even before the download is complete it even sends browser cache files related to the download !!

How can I solve this problem I want to use LiveGuard but only when I try to run a new file because the current situation is very annoying.

eset_01.png

eset_02.png

Screenshot 2021-10-23 164831.png

Link to comment
Share on other sites

  • Administrators

Maybe excluding the cache folder from submission could help but I'm not entirely sure if it's 100% safe and if the final file would be eventually uploaded for analysis.

Link to comment
Share on other sites

14 minutes ago, Marcos said:

Maybe excluding the cache folder from submission could help but I'm not entirely sure if it's 100% safe and if the final file would be eventually uploaded for analysis.

But what is the point of sending cache files , as they are non-executable files and also downloads that have not yet completed, for example, if the file is malicious in the end, will eset determine this through the cache files or does it need to send the files after completing the download in order to Can it run in a sandbox and thus analyze the behavior of the program?

Link to comment
Share on other sites

2 hours ago, AZ Tech said:

Now the problem is that LiveGuard uploads everything I download even before the download is complete it even sends browser cache files related to the download !!

Based on the LiveGuard popup, it appears an executable download has been created in Chrome cache. In other words, it hasn't started downloading to your Windows download folder. If this is the case, it can't see a problem with what LiveGuard is doing.

On the other hand if LiveGuard is submitting the the Chrome cache executable and this same file resident in your Windows download folder, that is a problem since its a duplicate submission of the same file.

Link to comment
Share on other sites

  • Administrators

Same files are not submitted multiple times. What is the url from which you download the file?

Link to comment
Share on other sites

1 hour ago, Marcos said:

Same files are not submitted multiple times. What is the url from which you download the file?

I was downloading the VirtualBox update through the link that appears in the VirtualBox UI, when the software notified me that an update was available.

Link : https://download.virtualbox.org/virtualbox/6.1.28/VirtualBox-6.1.28-147628-Win.exe

Link to comment
Share on other sites

24 minutes ago, AZ Tech said:

That download is 103MB. Although ESSP on-line documentation doesn't state a maximum file size for uploading to LiveGuard, the maximum size for LiveGrid is 64MB. So at this point, I am assuming this also applies to LiveGuard.

What might be going on here is LiveGuard detects executable code in the in-process download and is submitting that as encountered. In other words, "chucks" of the download are being uploaded.

Link to comment
Share on other sites

6 minutes ago, itman said:

What might be going on here

I don't know exactly what is happening, but when I clicked on the download link after I posted it here this is what happened !!

Note: Downloaded via IDM
Download location is Desktop

eset_03.png

Link to comment
Share on other sites

50 minutes ago, AZ Tech said:

I was downloading the VirtualBox update through the link that appears in the VirtualBox UI, when the software notified me that an update was available.

 

9 minutes ago, AZ Tech said:

Note: Downloaded via IDM
Download location is Desktop

 

eset_04.png

Link to comment
Share on other sites

On 10/19/2021 at 2:04 PM, Marcos said:

Please provide me with step-by-step instructions as well as logs collected with ESET Log Collector.

Hi Marcos, I have a delay issue with LiveGuard , up to 15 minutes and maybe more from the moment any file is run / extract .

I only noticed this problem since yesterday, I have collected logs and I will send them to you .

Also, I checked the Internet connection and speed, because at first I thought it was a problem with the uploading speed .

eset_01.png

eset_02.png

eset_03.png

eset_04.png

Link to comment
Share on other sites

1 hour ago, AZ Tech said:

Hi Marcos, I have a delay issue with LiveGuard , up to 15 minutes and maybe more from the moment any file is run / extract .

What is notable about the screen shots you posted is they show that Eset detected a suspicious file and it was sent to Eset Virus Lab for further detailed analysis. I assume this is the reason for the extended analysis period.

 

Link to comment
Share on other sites

18 minutes ago, itman said:

What is notable about the screen shots

I'm not talking about the period from 5:17 "screenshot #3" to 5:21 "screenshot #4" which is a normal period for file analysis.

What I'm talking about is the time taken by LiveGuard from the moment  the file is run/extracted "Screenshot 1" until it is sent "Screenshot 3", which is a very long time compared to the time required to upload a  98.6 kb

20 minutes ago, itman said:

Eset detected a suspicious file and it was sent to Eset Virus Lab for further detailed analysis.

When the message appeared in Screenshot #2, the file had not yet been sent, and therefore no file analysis had actually started.

Link to comment
Share on other sites

3 minutes ago, AZ Tech said:

When the message appeared in Screenshot #2, the file had not yet been sent, and therefore no file analysis had actually started.

I don't agree.

LiveGuard performs no local device sandbox analysis; all that is done in the cloud. Therefore when the first screen shot appears, the file is in process of being uploaded to the Eset cloud.

Link to comment
Share on other sites

There is also the question of how LiveGuard is blocking the process execution while LiveGuard cloud analysis is underway.

Have you checked what the process status is while LiveGuard cloud analysis in underway? If the process is in a suspended status, have you tried to resume its execution via Win Task Manager, Process Explorer, etc.? If this can be done, it can also be done by other malware on the device which might have received a safe rating or that is running remotely.

Link to comment
Share on other sites

49 minutes ago, itman said:

I don't agree.

Until I receive official information from eset saying that the analysis began before a notification appears that the file has been sent, "Screenshot No. 3", I am of the opinion that the analysis did not start until after that, which took approximately 4 minutes.

 

22 minutes ago, itman said:

There is also the question of how LiveGuard is blocking the process execution while LiveGuard cloud analysis is underway.

Practically the blocking starts from the moment the file is extracted if it was downloaded in the form of a zip file, and therefore when you try to run it, it does not work from the ground up and therefore does not perform any process execution , At least that's what I know so far !

Link to comment
Share on other sites

53 minutes ago, itman said:

Have you checked what the process status is while LiveGuard cloud analysis in underway?

Yes, I did .

22 minutes ago, AZ Tech said:

Practically the blocking starts from the moment the file is extracted if it was downloaded in the form of a zip file,

For example this is a new sample, I did not even try to run it, and as shown in the screenshot it is actually blocked, so if the user tries to run the file , only then eset will show a notification saying " File blocked due to analysis "

e.png

Link to comment
Share on other sites

1 hour ago, itman said:

LiveGuard performs no local device sandbox analysis

I know this, I guess the notification "File still in analysis" screenshot #2 and, looking at the chronological order, it shows when the waiting period specified in the settings has elapsed which in my case was the default 5 minutes, regardless of whether the file was sent for analysis or The sending or analysis process... “ in the event that a notice appears that the file has been sent before this notice appears ” ...is in progress, what matter here that the period has elapsed and the results of the analysis have not been received, "whatever the reason is."

Link to comment
Share on other sites

3 hours ago, AZ Tech said:

Until I receive official information from eset saying that the analysis began before a notification appears that the file has been sent, "Screenshot No. 3", I am of the opinion that the analysis did not start until after that, which took approximately 4 minutes.

Again, you're misinterpreting the alert.

What the alert is stating is the file currently being analyzed by LiveGuard processing in the cloud has completed it initial analysis. That is the verdict being returned from the Azure servers is one without a high enough confidence level to rate the file malicious, but high enough to rate it suspicious. LiveGuard will then submit the file to Eset Virus Lab for scanning on its servers to determine if the suspicious behavior is indeed malicious in nature. In other words, the submission activity to Eset Virus Lab by LiveGuard is identical that performed by LiveGrid in other Eset home versions. You are just being informed that the file was submitted for further detailed analysis by Eset.

I will also state this based on your postings. There really is no change in Eset processing of suspicious files in LiveGuard that currently exists in the other Eset home versions. That is suspicious files are being marked as Safe by LiveGuard and allowed to run.

Edited by itman
Link to comment
Share on other sites

8 hours ago, itman said:

What Detection threshold is set in ESSP for "clean", execute enable?
I'm assuming a level of "Clean" and "Suspicious"? 
"Highly suspicious" and "Malicious" are already blocked. 
I think the ability to set this will come to ESSP in time, similar to setting the "Machine Learning Kernel" level.

 

 

Then even "Highly suspicious" are allowed? (With the understanding that the sample is further investigated in VirusLab.)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...