rugk 397 Posted August 25, 2014

In my thinking I hit on the thing with ESET LiveGrid and the file reputation. And now there is a small thing that I don't understand. Like you can e.g. see in this screenshot, you can see a risk and an icon that indicates how many users are using this file. But now there comes the question: How do you indicate the risk? Only by the number of users using the file? And if so, isn't this done twice?
Administrators Marcos 4,935 Posted August 25, 2014

There's no direct correlation between the number of users and the risk level of files. For instance, a file is flagged risky if it's been blacklisted in cloud (may not have been included in the signature database yet).
rugk 397 Posted August 26, 2014 Author

OK, and is a notification displayed or the file execution blocked if a file is really risky (and I'm not talking about the fact that it is used by <5 users or something like this)?
SweX 871 Posted August 26, 2014

> OK, and is a notification displayed or the file execution blocked if a file is really risky (and I'm not talking about the fact that it is used by <5 users or something like this)?

Yes, if you execute a file that is blocked in LiveGrid, then you will see a notification saying "Blocked object" or "Suspicious object blocked".
rugk 397 Posted August 26, 2014 Author

OK. Thanks for the answers.
Administrators Marcos 4,935 Posted August 26, 2014

> Yes, if you execute a file that is blocked in LiveGrid, then you will see a notification saying "Blocked object" or "Suspicious object blocked".

Not exactly. This doesn't work on file execution, as querying cloud would take substantial time, which would cause delays upon executing files. Needless to say, determining if a file is safe just based on cloud data isn't reliable, as there are also updates to a plethora of popular unsigned applications that would otherwise be considered suspicious. As you know, a serious false positive could have the same effect on a system as a dangerous virus.
rugk 397 Posted August 26, 2014 Author

Now I'm confused...

> Not exactly. This doesn't work on file execution, as querying cloud would take substantial time, which would cause delays upon executing files.

And when will it work then?

> Needless to say, determining if a file is safe just based on cloud data isn't reliable, as there are also updates to a plethora of popular unsigned applications that would otherwise be considered suspicious.

Yes, I know.

> As you know, a serious false positive could have the same effect on a system as a dangerous virus.

Ehm..., because the file will be deleted and maybe something won't work?

> There's no direct correlation between the number of users and the risk level of files. For instance, a file is flagged risky if it's been blacklisted in cloud (may not have been included in the signature database yet).

But again back to this: How is a file blacklisted in cloud? If it is not only the user count, what is it then?
Administrators Marcos 4,935 Posted August 26, 2014

> And when will it work then?

When downloading files and receiving email.

> Ehm..., because the file will be deleted and maybe something won't work?

There have been several incidents of famous competitive products that falsely reported a crucial system file as malware and removed it, rendering the system unbootable.

> But again back to this: How is a file blacklisted in cloud? If it is not only the user count, what is it then?

There's a smart internal mechanism responsible for blacklisting files in cloud. That enabled us to blacklist several hundred new spammed malware variants today within seconds, or minutes at most. After several hours, one of the famous AV vendors added a detection for a portion of them, but the rest is still undetected by all famous vendors but ESET (meaning on-demand detection). We've had a full detection covering all variants in place for several hours already, meaning that the malware is not blocked just upon the download but also by other protection modules, on-demand scanners and by products for file / mail servers.
rugk 397 Posted August 26, 2014 Author

> And when will it work then?
>
> When downloading files and receiving email.

Also if a new file will be created? E.g. from an unsupported email client or a browser through an SSL connection (without SSL scanning enabled)?
Administrators Marcos 4,935 Posted August 26, 2014

> Also if a new file will be created? E.g. from an unsupported email client or a browser through an SSL connection (without SSL scanning enabled)?

Only upon download. As long as a file is scanned by web or email protection and LiveGrid is enabled, it will be checked against cloud.
rugk 397 Posted August 26, 2014 Author

Then maybe this should be changed so that ESET also scans these files in realtime-protection. And additionally, files from external devices should also be checked against ESET LiveGrid.
Administrators Marcos 4,935 Posted August 26, 2014

> Then maybe this should be changed so that ESET also scans these files in realtime-protection. And additionally, files from external devices should also be checked against ESET LiveGrid.

No, we will not make anything that could potentially cause serious trouble to our users or have a noticeable impact on system performance. Our aim is to provide state-of-the-art protection to our users that they can depend on, and we will never go in the wrong direction. I'm saying this because I see things behind the scenes, although I realize that for users things may look differently and thus they may come up with easy ideas that are not safe to implement, however. QA tests before updates are extremely important, and there's no way to skip them without jeopardizing our users' computers and systems. We will always strive to keep false positives away, which was proven both by tests and users' experience.
Octavian 5 Posted August 27, 2014

In ESET Smart Security 7, in Advanced Settings > Tools > ESET Live Grid > Advanced Settings, there is an option to enter an email address. I entered my email address but never received any information from Live Grid. How can I receive Live Grid statistics or information?

Edited August 27, 2014 by Octavian
rugk 397 Posted August 27, 2014 Author

OK, but if this scanning with ESET LiveGrid is already done during downloading files, e-mail scans and on-demand scans, there it can also produce FPs. And again, I'm not talking about the fact of whether a file is used by less than 5 users or so, I'm talking of the risk interpretation of the file in ESET LiveGrid. And I understand that this LiveGrid risk interpretation can also produce false positives, but then you should maybe make a "very risky" for files that are quite clearly risky, or so. But at the end you of course have to know how well your LiveGrid system works and what files should be blocked based on LiveGrid.

And I also noticed that the default setting for realtime-protection is "LiveGrid enabled", but you are saying here it won't scan in realtime-protection, so what is this?

@Octavian: They only contact you if they need additional information about files or something else that was submitted with ESET LiveGrid. You won't get ESET LiveGrid statistics through this. But here you can see some LiveGrid statistics: hxxp://www.eset.com/us/home/whyeset/livegrid/

But I think this statistic can be improved. At first there is missing a good legend ("low" and "high" .... ehm, what is low or high?). And I think an explanation of what the glowing means would also be nice.

BTW: More statistics you can also find on virustotal.

Edited August 27, 2014 by rugk
Arakasi 549 Posted August 27, 2014

> ESET Live Grid will collect information about your computer related to newly-detected threats. This information may include a sample or copy of the file in which the threat appeared, the path to that file, the filename, the date and time, the process by which the threat appeared on your computer and information about your computer's operating system. By default, ESET Smart Security is configured to submit suspicious files to the ESET Virus Lab for detailed analysis.

The e-mail address would be used to identify you in these submissions, and only should they need to contact you about certain submissions.

On the other hand, you can jump down to "alerts and notifications" under tools and have info sent to you about certain warnings etc. via email or SMTP.
SweX 871 Posted August 27, 2014

> Yes, if you execute a file that is blocked in LiveGrid, then you will see a notification saying "Blocked object" or "Suspicious object blocked".
>
> Not exactly. This doesn't work on file execution, as querying cloud would take substantial time, which would cause delays upon executing files. Needless to say, determining if a file is safe just based on cloud data isn't reliable, as there are also updates to a plethora of popular unsigned applications that would otherwise be considered suspicious. As you know, a serious false positive could have the same effect on a system as a dangerous virus.

Heh, oh right, sorry. Well, it's not the easiest thing in the world trying to figure out how some ESET features work, or how features interact with each other, as access to details is usually very sparse. So excuse me for that.

But then I must ask: if it does not work on execution, then where does the info come from when I see "Blocked object" or "Suspicious object blocked" at the execution moment, as I have seen such detection on samples before? Is there no connection at all to LiveGrid on execution?
rugk 397 Posted August 27, 2014 Author

> Heh, oh right, sorry. Well, it's not the easiest thing in the world trying to figure out how some ESET features work, or how features interact with each other, as access to details is usually very sparse. So excuse me for that.

Exactly! But we all of course know what the reason for it is, and for this case it's quite good. But on the other hand it's quite difficult to provide detailed feedback (or suggestions), or even to answer such a question as I asked, with this limited information.

Edited August 27, 2014 by rugk
Administrators Marcos 4,935 Posted August 27, 2014

> But then I must ask: if it does not work on execution, then where does the info come from when I see "Blocked object" or "Suspicious object blocked" at the execution moment, as I have seen such detection on samples before? Is there no connection at all to LiveGrid on execution?

Probably the application attempted to download a payload which was blocked.