LiveGuard not working for me !


  • Administrators
4 hours ago, czesetfan said:

Then even "Highly suspicious" are allowed? (With the understanding that the sample is further investigated in VirusLab.)

Those are detected / blocked.


9 hours ago, czesetfan said:

"Highly suspicious" and "Malicious" are already blocked

Proof of @Marcos' statement of highly suspicious being detected as malicious is shown in this posting: https://malwaretips.com/threads/nod32-antivirus-eset-internet-security-eset-smart-security-premium-15-0-16-0.110527/#post-961628 . Open the last screenshot, which is the analysis from Virus Total. A number of behavior-based solutions detected this 0-day malware.

The question is if LiveGuard is factoring VT results in its rendering of a highly suspicious detection? Appears this is the case.

Edited by itman

  • Administrators
8 minutes ago, itman said:

The question is if LiveGuard is factoring VT results in its rendering of a highly suspicious detection? Appears this is the case.

Not at all. Even if we wanted to, flooding VT with hundreds of thousands of queries on a daily basis would be impossible.


1 hour ago, itman said:

Proof of @Marcos' statement of highly suspicious being detected as malicious is shown in this posting: https://malwaretips.com/threads/nod32-antivirus-eset-internet-security-eset-smart-security-premium-15-0-16-0.110527/#post-961628 . Open the last screenshot, which is the Virus Total analysis. A number of behavior-based solutions detected this 0-day malware.

The question is whether LiveGuard is factoring VT results into its rendering of a highly suspicious detection? It seems that is the case.

From what I understand, there are several products that detected zero-day malware, even free products, with this ESET LiveGuard being just one way for ESET to make money with a feature that other products already have, even though they are free products?


On 10/26/2021 at 10:21 PM, itman said:

There really is no change in ESET's processing of suspicious files in LiveGuard from what currently exists in the other ESET home versions. That is, suspicious files are being marked as Safe by LiveGuard and allowed to run.

For me, after Marcos completely ignored my questions about the delayed analysis of LiveGuard results, here is another 28 minutes waiting for the results of the analysis, during which time I was able to analyze the file on all the free options that give more detailed results.

By the way, it doesn't matter if I misunderstand the reason for all the time it takes to get the results of the analysis. I don't think that there is a home user who will wait between 15 and 30 minutes; of course he will run the file even if it is harmful in the end. Even if I am wrong in understanding things, the process must be faster than that.

So I wouldn't pay for a feature that's so slow, for the same price as ESSP I can get an alternative like Kaspersky which provides Advanced Behavioral Detection System with Ransomware Remediation and rolls back the changes made by malicious applications.
By the way, Kaspersky provides a free cloud sandbox service for an unlimited number of files with the ability to obtain detailed analysis results for one file every 24 hours, and this for the home user is more than enough, not to mention the good and cheaper alternatives.
If I continue with eset it will be EIS and not ESSP, and basically I think EIS should have LiveGuard feature.

Unfortunately, I think that ESET is more concerned with profits and how to collect the largest amount of money than with the requirements and complaints of customers.
This is really sad.

Screenshot 2021-10-28 200029.png

Screenshot 2021-10-28 200610.png

Screenshot 2021-10-28 202826.png


  • Administrators
10 minutes ago, AZ Tech said:

For me, after Marcos completely ignored my questions about the delayed analysis of LiveGuard results, here is another 28 minutes waiting for the results of the analysis, during which time I was able to analyze the file on all the free options that give more detailed results.

On Tuesday there was a 1.5 window when the sandbox queue grew a bit and the analysis could take a bit longer. Other than that we are not aware of any delays. For investigation we would need to know the SHA1 of the files which took longer to analyze. Results are typically available in 2-3 minutes, hence 5 minutes is set as the default time for blocking files.


10 minutes ago, Marcos said:

For investigation we would need to know the SHA1 of the files which took longer to analyze.

MD5: 8B1A607FFB0FC28A2CFC74782C86639E
SHA-1: A806A148512D7DCF8A3D5578BC8F76D8408DDC50
SHA-256: 07C670B4AE43186E7E56124048946BA2F7324226359C10E344241E633773E6F0

https://www.virustotal.com/gui/file/07c670b4ae43186e7e56124048946ba2f7324226359c10e344241e633773e6f0

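Marcos asked for a SHA1 so that the vendor and the reporter are certain they are discussing the same file, and the reply above lists all three digests that VirusTotal shows. The snippet below is an added example, not ESET's or the poster's code: it computes the same three digests for a sample, compares them case-insensitively against hashes copied from a forum post (which tend to use the "SHA-1"/"SHA-256" spellings and upper-case hex), and builds the VirusTotal lookup URL from the SHA-256. The sample bytes are constructed for the example and are not the file discussed in the thread.

```python
"""Added example: reproduce the MD5/SHA-1/SHA-256 triplet a vendor or VirusTotal
lists for a sample and verify it against published values (not ESET's code)."""
import hashlib

DIGESTS = ("md5", "sha1", "sha256")


def digest_bytes(data: bytes) -> dict:
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as digest_bytes, but streams the file so large samples fit in memory."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_published(computed: dict, published: dict) -> dict:
    """Compare computed digests with hashes copied from a post.

    Tolerates upper-case hex, stray whitespace and the 'SHA-1' / 'SHA-256'
    spellings; returns {digest_name: True/False} for each published digest.
    """
    normalized = {}
    for key, value in published.items():
        normalized[key.lower().replace("-", "")] = value.strip().lower()
    return {name: normalized.get(name) == computed[name]
            for name in DIGESTS if name in normalized}


def vt_url(sha256: str) -> str:
    """VirusTotal GUI URL for a SHA-256 (the form used in the thread)."""
    return f"https://www.virustotal.com/gui/file/{sha256.strip().lower()}"


# Constructed sample for the example: these bytes are invented and are NOT
# the file from the thread.
SAMPLE = b"abc"

# Constructed "published" values in the mixed style seen in forum posts.
PUBLISHED = {
    "MD5": "900150983CD24FB0D6963F7D28E17F72",
    "SHA-1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "SHA-256": "0000000000000000000000000000000000000000000000000000000000000000",
}

if __name__ == "__main__":
    computed = digest_bytes(SAMPLE)
    print(computed)
    print(matches_published(computed, PUBLISHED))
    print(vt_url(computed["sha256"]))
```

Use `digest_file` on the extracted sample (not the archive it came in) so the digests match what the endpoint product actually submitted; a mismatch on one digest with the others matching usually means a copy/paste error in the post rather than a different file.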

2 hours ago, AZ Tech said:

MD5: 8B1A607FFB0FC28A2CFC74782C86639E
SHA-1: A806A148512D7DCF8A3D5578BC8F76D8408DDC50
SHA-256: 07C670B4AE43186E7E56124048946BA2F7324226359C10E344241E633773E6F0

https://www.virustotal.com/gui/file/07c670b4ae43186e7e56124048946ba2f7324226359c10e344241e633773e6f0

The thing most disconcerting is 23/67 at VT detected this as malicious when I just checked via re-scan including Avast/AVG, BitDefender, Emsisoft, GData, Kaspersky, McAfee, and even TrendMicro-HouseCall. But, LiveGuard returned a safe verdict.

Edited by itman

  • Administrators
10 hours ago, AZ Tech said:

MD5: 8B1A607FFB0FC28A2CFC74782C86639E
SHA-1: A806A148512D7DCF8A3D5578BC8F76D8408DDC50
SHA-256: 07C670B4AE43186E7E56124048946BA2F7324226359C10E344241E633773E6F0

https://www.virustotal.com/gui/file/07c670b4ae43186e7e56124048946ba2f7324226359c10e344241e633773e6f0

The file is benign and not subject to detection. Those who flagged it have an FP on the file. It's just a sort of packer, which was also confirmed by our malware analysts:

image.png

As for the delay, how did you find out there was a delay with this particular file? It appears that this file was analyzed in 2-3 minutes.

image.png


8 hours ago, itman said:

The thing most disconcerting is 23/67 at VT detected this as malicious when I just checked via re-scan including Avast/AVG, BitDefender, Emsisoft, GData, Kaspersky, McAfee, and even TrendMicro-HouseCall. But, LiveGuard returned a safe verdict.

I'm getting pretty worried about the results. ESET is not doing well; several antivirus products, even gratis ones, detected it.


  • Administrators
17 minutes ago, New_Style_xd said:

I'm getting pretty worried about the results. ESET is not doing well; several antivirus products, even gratis ones, detected it.

The results above are good for ESET. Since the file is benign, all AVs that detected the file failed and reported a false positive.


5 hours ago, Marcos said:

As for the delay, how did you find out there was a delay with this particular file? It appears that this file was analyzed in 2-3 minutes.

Does this mean I'm lying??
Well, I'm doing the test while I'm taking screenshots of everything that's going on, and if that's not enough, well, I'm going to send you the logs now, and I think you can look at them and decide if I'm lying or if I'm actually narrating what's happening in front of my eyes.

15 hours ago, Marcos said:

For investigation we would need to know the SHA1 of the files which took longer to analyze.

Please note that when you asked me for this, I extracted the zip file on my device (not the VM I tested the file on, of which I attached screenshots). When I extracted the file to my device, LiveGuard analyzed the file again and it only took 2 to 3 minutes, and this was also strange for me; it is assumed that the files are not sent more than once!!

Finally, I am not lying. Of course, when many tests are done they are done quickly, even those that come back with a positive result, and I do not deny it. Also, I am not lying about the delay; I capture everything in real time while collecting logs.

Screenshot 2021-10-29 141238.png


6 hours ago, Marcos said:

How did you find out there was a delay with this particular file? It appears that this file was analyzed in 2-3 minutes.

I am now sending the logs to you with all transparency; I even deliberately did not hide the username of the virtual machine. I work very transparently and I have no interest in lying.

Screenshot 2021-10-29 144428.png


  • Administrators

We did not accuse you of lying whatsoever. Quite the contrary, we are interested in working with you on finding out why the delay occurred. We are preparing more detailed logging in a module which should help better analyze the delays.

In the meantime, please check the Sent files log to find out when files were actually sent out. It could be that it takes some time until they are sent, which may cause the delays you observed, and this is what we would like to investigate. If you are still experiencing the issue, please:
- measure the time from when you unpack a file from an archive to the desktop until it is logged in the Sent files log
- measure the time from when the file is logged in the Sent files log until it becomes unlocked

We look forward to hearing from you about your findings.

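The two measurements Marcos asks for split the observed wait into an upload delay (unpack to "logged as sent") and an analysis delay ("logged as sent" to unlocked), and comparing each against the 5-minute default block window tells you which side is slow. The script below is an added example, not ESET's code: it works over a constructed event log whose format is invented for the example (ESET's real Sent files log layout is not reproduced), with one file that roughly mirrors the 28-minute wait reported in the thread, one that finishes in the expected 2-3 minutes, and one that has been sent but not yet unlocked.

```python
"""Added example: split a LiveGuard-style wait into upload and analysis delays
and flag files that exceed the default 5-minute block window (not ESET's code)."""
from datetime import datetime, timedelta

# Constructed event log (format invented for this example). Events per file:
#   extracted - user unpacked the file from an archive to the desktop
#   sent      - the Sent files log recorded the upload
#   unlocked  - the file could be executed again
CONSTRUCTED_EVENTS = """\
2021-10-28 20:00:29 extracted sample_a.exe
2021-10-28 20:06:10 sent sample_a.exe
2021-10-28 20:28:26 unlocked sample_a.exe
2021-10-29 14:12:38 extracted sample_b.exe
2021-10-29 14:12:50 sent sample_b.exe
2021-10-29 14:15:20 unlocked sample_b.exe
2021-10-29 14:44:28 extracted sample_c.exe
2021-10-29 14:46:00 sent sample_c.exe
"""

# Default time files are blocked while awaiting a verdict, as stated in the thread.
BLOCK_WINDOW = timedelta(minutes=5)


def parse_events(text: str) -> dict:
    """Return {filename: {event_name: datetime}} from the constructed log text."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, event, name = line.split(None, 3)
        stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.setdefault(name, {})[event] = stamp
    return events


def _seconds(start, end):
    """Whole seconds between two stamps, or None if either is missing."""
    if start is None or end is None:
        return None
    return int((end - start).total_seconds())


def measure_delays(events: dict) -> dict:
    """Compute, per file, the two intervals requested in the thread."""
    report = {}
    for name, stamps in events.items():
        extracted = stamps.get("extracted")
        sent = stamps.get("sent")
        unlocked = stamps.get("unlocked")
        queue = _seconds(extracted, sent)      # unpack -> logged as sent
        analysis = _seconds(sent, unlocked)    # logged as sent -> unlocked
        total = _seconds(extracted, unlocked)
        if queue is None or analysis is None:
            dominant = None                    # not enough data to attribute
        else:
            dominant = "upload" if queue > analysis else "analysis"
        report[name] = {
            "queue_delay_s": queue,
            "analysis_delay_s": analysis,
            "total_s": total,
            "exceeds_block_window": total is not None
            and total > BLOCK_WINDOW.total_seconds(),
            "still_locked": unlocked is None and sent is not None,
            "dominant": dominant,
        }
    return report


def analyze(text: str = CONSTRUCTED_EVENTS) -> dict:
    """Parse the log and produce the delay report."""
    return measure_delays(parse_events(text))


if __name__ == "__main__":
    for name, row in analyze().items():
        print(name, row)
```

When `dominant` comes out as "upload" the delay sits before submission (the case Marcos suspects); when it is "analysis" the sandbox queue is the slow part. Either way the report gives the vendor the figures they asked for rather than a total wait time.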

9 minutes ago, Marcos said:

Quite the contrary, we are interested in working with you on finding out why the delay occurred.

I have an idea as to why the extended delay occurred for this suspicious file.

LiveGuard sends the file to the ESET Virus Lab for analysis with instructions to return the verdict to LiveGuard. Normally, submissions to the ESET Virus Lab are one way; i.e., they are sent only. It seems reasonable to me to assume that submissions to the ESET Virus Lab with feedback are going to result in an extended delay for the verdict being returned to the originating device. It is also assumed that the ESET Virus Lab server capacity doesn't come close to that which exists on the Microsoft Azure server network.

Finally, I suspect that interactive submissions to the ESET Virus Lab are prioritized, with EDTD submissions receiving higher priority than LiveGrid submissions.


MD5: 8B1A607FFB0FC28A2CFC74782C86639E
SHA-1: A806A148512D7DCF8A3D5578BC8F76D8408DDC50
SHA-256: 07C670B4AE43186E7E56124048946BA2F7324226359C10E344241E633773E6F0

As far as this file being safe, here's Joe's Cloud Sandbox analysis of it: https://www.joesandbox.com/analysis/511181/0/html . Of note is that this analyzed file contains "sleeper" capability, which is specifically designed to wait out any sandbox/VM analysis of it. I have seen malware capable of waiting out sandbox analysis for more than an hour.

-EDIT- Here's Hybrid-Analysis analysis of the file: https://www.hybrid-analysis.com/sample/07c670b4ae43186e7e56124048946ba2f7324226359c10e344241e633773e6f0 . Result - 100/100 malicious.

It should be noted that when initially submitted, CrowdStrike Falcon returned a clean rating via static and M/L methods. However, later full sandbox analysis returned the 100/100 malicious verdict.

Edited by itman

  • Administrators
15 minutes ago, NewbyUser said:

So which is it? Missed detection by Eset or FP by everyone else?

The verdict was that the file is clean and should not be detected; otherwise it'd be an FP.


34 minutes ago, NewbyUser said:

So which is it? Missed detection by Eset or FP by everyone else?

Make your own decision based on the following.

Latest detection rate on VT is 31/69. Add to this CrowdStrike Falcon's noted detection; remember that VT detection only uses security vendors' base static engine detection. As such, assume more detections by AI-based security vendors such as Cylance and the like.

Finally, review the cloud sandbox analysis reports I posted links to. Joe's Cloud Sandbox recorded keylogger activity capability. Hybrid-Analysis recorded credential stealing capability.

Edited by itman

13 hours ago, itman said:

EDIT- Here's Hybrid-Analysis analysis of the file: https://www.hybrid-analysis.com/sample/07c670b4ae43186e7e56124048946ba2f7324226359c10e344241e633773e6f0 . Result - 100/100 malicious.

I'm not here to defend ESET, and this is not a judgment on the previous sample, but this is an example of how a clean file can get a Threat Score of 100/100.

By the way, this is the official installation file for AdGuard.


https://www.hybrid-analysis.com/sample/1113bb0795c1f2e5ff6cb1d71ec1392ce74bf20bd68209328b108159f979c6e2/617ca9770b50b948565a23ce


11 hours ago, AZ Tech said:

The file that Hybrid-Analysis flagged as malicious was setup.exe.617CB530.bin. If I recollect correctly, this file has been flagged previously by other security scanners.

Now what are the differences between the AdGuard installer and the above file ESET marked as safe?

1. It is validly signed.

2. It has good reputation due to its widespread use.

3. All AV scanners except one gave it a safe rating.

Personally, I never would consider installing AdGuard since it is a Russian-based product.

Edited by itman

4 minutes ago, itman said:

Now what are the differences between the AdGuard installer and the above file ESET marked as safe?

I understand all those things, and of course I'm not saying the previous sample is safe; I didn't even say it was harmful, I just reported it.
I hope you don't get me wrong.


Let's talk theoretically about this recent file ESET cloud processing determined to be safe.

Again, it has keylogger and other credential-stealing plus RDP capability. As such, it could be spyware.

A more likely possibility is that it could be "sleeper" malware. Sleeper malware is designed to lie dormant in a device, with its malicious code executed at a later date. This could be a week, a month, or even years later. There was a case a while back where such malware lay dormant for two years before activating. A common element of sleeper malware is a backdoor, which in its simplest form is a reverse shell. It is virtually impossible to detect a backdoor prior to use without a specific signature for it.

The above is why a suspicious detection verdict needs to be returned to the user along with the malware characteristics found. He can then perform further analysis as noted previously using Virus Total, the public web-based cloud sandboxes, and his own local analysis using a VM, sandbox, or stand-alone test device. As for the average home computer user who is oblivious to the previous analysis methods, a warning message can be displayed stating to proceed with caution if this file is allowed to run. Additional verbiage can be displayed that if this app is of an optional-install nature, it would be advisable to seek additional assistance on web-based security forums and the like as to the safe status of this app.

Hence, the need for two LiveGuard versions.

Edited by itman

19 minutes ago, itman said:

Let's talk theoretically about this recent file ESET cloud processing determined to be safe.

Similar to your last response to me regarding the ransomware sample, there is no problem. ESET has "Web Filtering detections", so anyone who is asking for any development of a behavior detection system, or also a review of LiveGuard analysis results, doesn't know that ESET can block access to malicious websites, "preventing any download activity."
Your logic!!


18 minutes ago, AZ Tech said:

Similar to your last response to me regarding the ransomware sample, there is no problem. ESET has "Web Filtering detections", so anyone who is asking for any development of a behavior detection system, or also a review of LiveGuard analysis results, doesn't know that ESET can block access to malicious websites, "preventing any download activity."
Your logic!!

Here's one you can check out.

Summary here: https://threatpost.com/chrome-deliver-malware-as-legit-win-10-app/175884/

Details here: https://www.rapid7.com/blog/post/2021/10/28/sneaking-through-windows-infostealer-malware-masquerades-as-windows-application/

Checking on VT, ESET doesn't detect the malware .exe, HoxLuSfo.exe, used in this attack.


This topic is now closed to further replies.