Jump to content

ESSP keeps sending many "*.exe.part" files to Live Guard/Virus Lab


Recommended Posts

  • Most Valued Members

since setting the "protection" sections in "Real-time & Machine learning protection" as aggressive, i've noticed that many files are being sent to Eset for analysis.
most of them seem to be "*.part" files from like a browser cache or something judging by their name. 
for example, 08tJ3cwD.exe.part

the weird thing is that when checking the AppData\Local\Temp folder can't find them, unless they're also removed by the antivirus before being sent. an in-depth scan comes completely clean. i've done a clean install of my OS two days before for other reasons. i'm kinda confused.

 

Time;Hash;File;Size;Category;Reason;Sent to;User
31/10/2021 11:07:39 μμ;0A05AB6FD488B3929A19D1710E7C52738837224A;C:\Users\******\AppData\Local\Temp\08tJ3cwD.exe.part;9027584;Executable;Automatic;LiveGuard;DESKTOP-\******\
1/11/2021 1:26:33 πμ;CB82D19065216BA7FA67A411B4E84BA1E4563964;C:\Users\******\AppData\Local\Temp\uNiMPuam.exe.part;11728742;Executable;Automatic;LiveGuard;DESKTOP-\******\
1/11/2021 2:32:12 πμ;96D6BB3A0B46BE749162DEB3A5CA5130A2326911;C:\Users\******\Downloads\52f5a657-b783-406f-a0e4-5e13107f9997.tmp;16384;Executable;Automatic;LiveGuard;DESKTOP-\******\
2/11/2021 12:41:07 πμ;06501D7A40FC112590804050C7AF972443C289CD;C:\Users\******\AppData\Local\Temp\VVgoccCi.exe.part;9462296;Executable;Automatic;LiveGuard;DESKTOP-\******\
2/11/2021 12:41:29 πμ;4AB52B2D24107C3FAD16BF1A50FDC26FEC8763B6;C:\Users\******\AppData\Local\Temp\P0UcL4nK.exe.part;9566040;Executable;Automatic;LiveGuard;DESKTOP-\******\
2/11/2021 1:41:38 μμ;A80E6875C9617AEB6EA0874EBC749DC745D6F5D1;C:\Users\******\AppData\Local\Temp\Bi_Khh32.exe.part;11383032;Executable;Automatic;LiveGuard;DESKTOP-\******\

_____________________________________________________________________

Time;Component;Event;User
31/10/2021 11:07:39 μμ;ESET Kernel;File '08tJ3cwD.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM
1/11/2021 1:26:33 πμ;ESET Kernel;File 'uNiMPuam.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM
2/11/2021 12:41:07 πμ;ESET Kernel;File 'VVgoccCi.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM
2/11/2021 12:41:29 πμ;ESET Kernel;File 'P0UcL4nK.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM
2/11/2021 1:41:38 μμ;ESET Kernel;File 'Bi_Khh32.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM

 

Capture.PNG

Link to comment
Share on other sites

  • Administrators

There should be no correlation between the reporting / detection level and the number of files submitted to LiveGuard. Those partial files are submitted because they were downloaded from the Internet and were closed by the browser after write. This invokes a scan as well a submission in case of LiveGuard.

Link to comment
Share on other sites

49 minutes ago, shocked said:

most of them seem to be "*.part" files from like a browser cache or something judging by their name. 
for example, 08tJ3cwD.exe.part

the weird thing is that when checking the AppData\Local\Temp folder can't find them,

FYI:

Quote

A PART file is a partially downloaded file from the Internet used for downloads that are in progress or have been stopped. Some PART files can be resumed at a later time using the same program that started the download. PART files are typically used by Mozilla Firefox and several file transfer programs, such as Go!Zilla, eMule, and the discontinued eDonkey program.

When downloading a file with Firefox, the web browser creates a PART file in the "Downloads" folder on your computer. You may see the PART file if the file is currently downloading or if the download was interrupted before completion. A download interruption could be due to a lost Internet connection, the Firefox browser or computer crashing, or to you pausing the download.

As Firefox downloads the file, the program creates a PART file to store the data being downloaded. Firefox replaces the name of the file with a string of characters and appends the .part extension to the extension of the file. For example, the file example.mov would have the name ZT5KR1EL.mov.part when it is being downloaded. Once the download is complete, Firefox removes the .part extension and the file is ready to be used.

https://fileinfo.com/extension/part

It is of interest that these files are being submitted to LiveGuard since in many instances, they are incomplete downloads.

Of note is when the AMTSO Cloudcar test is performed using Firefox, Eset will detect the .part download:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
11/1/2021 3:45:19 PM;Real-time file system protection;file;C:\Users\xxxxxx\AppData\Local\Temp\_vlYIL6j.exe.part;Suspicious Object;cleaned by deleting;XXXXXXXX;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (6923508844E6FE0C1DEDD684FE299EBC26D778F3).;F4053231135502B4E8EA2B4D2E32ABEFE3A08765;10/16/2021 6:39:03 PM

Technically, this is not the correct detection for this test since Eset real-time scanning is detecting and deleting the file on the disk versus it being detected via cloud scanning prior to being created on the disk.

Quote

Detection of the CloudCar test file should only occur when the file is queried in a cloud-based reputation system, and it should not be flagged by local detection databases or other non-cloud-based methods of detection.

https://www.amtso.org/feature-settings-check-cloud-lookups/

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members

the most peculiar thing is that whenever the notification appears that the file was sent to Eset, i wasn't downloading anything that time or before the notification. sometimes it just pops out of the blue.

could it be that another program tries to download something, eg. Adobe Acrobat checking for update or whatever, and it also uses the part extension? and that triggers the program to send them to Live Guard?

Edited by shocked
Link to comment
Share on other sites

  • ESET Insiders

It happened to me to find a few *.part files in my dl directory, those where attemps by a 3rd party software which tried to update and failed for unkown reasons

Link to comment
Share on other sites

  • Administrators

In the Sent files log you should see the full path to files that were submitted. You can provide SHA1 of some of such files and I'll try to find out what they are.

Link to comment
Share on other sites

  • ESET Insiders

Also this error we already had in the v14, that is what I already wrote in my error message post of the v15, there are always errors taken over into the new build / version!

Link to comment
Share on other sites

  • Administrators
12 minutes ago, SlashRose said:

Also this error we already had in the v14, that is what I already wrote in my error message post of the v15, there are always errors taken over into the new build / version!

What errors were mentioned above that you are referring to?

Link to comment
Share on other sites

  • ESET Insiders
6 hours ago, Marcos said:

What errors were mentioned above that you are referring to?

Who is talking about a mistake that is above? Nobody, I wrote that this already happened in the v14!

Link to comment
Share on other sites

I'll explain what's going on here in regards to these .part files by again referring to the AMTSO Cloudcar test .

When I go to their web site and immediately download the clouldcar.exe file, it does indeed end up in my download folder. However, the file contains 0 bytes. Eset later displays an alert it blocked and deleted the file. But the file it processed is a .part file resident in my %AppData%\Temp folder.

First, note that the cloudcar.exe file is 7K bytes in size. The download by Firefox on my 1 Gb Ethernet network connection would be almost instantaneous. Therefore, conclude that any .part file creation is not being done by Firefox. So what's going on here? Eset is capturing the data contained in the cloudcar.exe via its Web Filtering processing. It is then creating a .part file in %AppData%\Temp folder for further processing. Assumed is that file is locked from outside access other than for Eset processes and processing such as LiveGuard? Finally in this cloudcar.exe example, Eset leaves the 0 byte clouldcar.exe file my download file instead of deleting it after the %AppData%\Temp folder detection.

So why is Eset performing this file detection "gyration?" Eset does not contain local file sandboxing capability in regards to Internet downloads. Something bitched about for sometime. If this sandbox existed, Eset could direct file downloads to it. Then perform further processing on the sandboxed file. If the file was determined to be safe, it then would be created in its intended target directory.

Edited by itman
Link to comment
Share on other sites

  • Administrators
14 minutes ago, SlashRose said:

Who is talking about a mistake that is above? Nobody, I wrote that this already happened in the v14!

This topic is about LiveGuard submissions which didn't exist in v14. Please create a new topic describing the issue or post in an existing one which pertains to the alleged issue.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...