itman 1,746 Posted January 27, 2022
I downloaded a portable executable from the GitHub web site: https://github.com/Makazzz/VbsToExePortable . It was submitted to LiveGuard: The problem is: 1. I never received a reply from LiveGuard on file status. 2. The file was created in my download directory and remains in an unusable state:
itman 1,746 (Author) Posted January 27, 2022 (edited)
It gets weirder. Deleted the two files in my download folder. Then did another download from the GitHub web site. Now I have the above 0-byte .exe in my downloads directory. No alert or log entry for this download in regards to a LiveGuard upload. -EDIT- Appears for some strange reason, Firefox (assume it's Google Safe Browsing) is now blocking the download. Overriding that, the download completed successfully. Not a beep from Eset on the download or upload to LiveGuard. Appears LiveGuard did give a safe verdict to it.
Edited January 27, 2022 by itman
Administrators Marcos 5,257 Posted January 27, 2022
On my machine I have this in the Sent files log:
Time;Hash;File;Size;Category;Reason;Sent to;User
1/27/2022 8:51:25 PM;7A159FC016989A2B8CF22D6B1A0C9C19BCC739C0;https://raw.githubusercontent.com/Makazzz/VbsToExePortable/master/VbsToExePortable/VbsToExePortable.exe;178782;Executable;Automatic;ESET LiveGuard;
The notifications pop up only if you attempt to run a file temporarily being blocked by LiveGuard proactive protection. Both notifications I received after attempting to run the file downloaded above: Is your Web access protection working correctly and does it detect eicar from this link? https://secure.eicar.org/eicar_com.zip
Most Valued Members shocked 60 Posted January 27, 2022 (edited)
I downloaded the file; it was sent to LiveGuard as the logs report, but I didn't get a notification either. The option to notify me is enabled in the settings. Also, when attempting to run the app I don't get a notification that it is currently blocked due to analysis.
Edited January 27, 2022 by shocked
itman 1,746 (Author) Posted January 27, 2022 (edited)
13 minutes ago, Marcos said: The notifications pop up only if you attempt to run a file temporarily being blocked by LiveGuard proactive protection.
On past LiveGuard submissions, I received the "Sent to Eset AV Labs for analysis" popup. Upon completion of LiveGuard analysis, I received the LiveGuard safe analysis verdict popup. I did not attempt to run the file prior to the safe verdict being returned. Again, for this download posted about, I never received a LiveGuard verdict. Additionally, the file is sitting in my downloads folder in a disjointed state. If LiveGuard rendered a verdict, the file would have been returned to its original download state if safe, or deleted if malicious.
Edited January 27, 2022 by itman
itman 1,746 (Author) Posted January 27, 2022
20 minutes ago, Marcos said: Is your Web access protection working correctly and detects eicar from this link? https://secure.eicar.org/eicar_com.zip
Yes.
itman 1,746 (Author) Posted January 27, 2022
26 minutes ago, Marcos said: On my machine I have this in the Sent files log:
Time;Hash;File;Size;Category;Reason;Sent to;User
1/27/2022 8:51:25 PM;7A159FC016989A2B8CF22D6B1A0C9C19BCC739C0;https://raw.githubusercontent.com/Makazzz/VbsToExePortable/master/VbsToExePortable/VbsToExePortable.exe;178782;Executable;Automatic;ESET LiveGuard;
I have a theory as to what happened here. On the original file download, I missed the Firefox blocked-file notification (i.e. red dot) generated by Google Safe Browsing. Firefox however proceeded with the file download, resulting in creation of the .part and a 0-byte .exe file. LiveGuard "sprung into action" and uploaded the .part file, which it really shouldn't have. Something for Eset to look at further.
Administrators Marcos 5,257 Posted January 27, 2022
I've noticed that my VbsToExePortable.exe was substantially smaller than yours (178 kB vs 3 MB). Could you try downloading the file from my link above? As for the notifications about submissions, they are disabled by default:
itman 1,746 (Author) Posted January 27, 2022 (edited)
18 hours ago, Marcos said: I've noticed that my VbsToExePortable.exe was substantially smaller than yours (178 kB vs 3 MB). Could you try downloading the file from my link above?
If you are referring to this link: https://raw.githubusercontent.com/Makazzz/VbsToExePortable/master/VbsToExePortable, I get a "not found" message in Firefox.
18 hours ago, Marcos said: As for the notifications about submissions, they are disabled by default:
Enabled that setting some time ago. Here's the problem in regards to Firefox as I see it. Google Safe Browsing is built into Firefox by default. It, like LiveGuard, is waiting for the in-process download to complete to examine it. Excluding LiveGuard for the moment, if Google Safe Browsing detects the download as malicious, it will delete both the .part file and the null .exe file in the user's Downloads folder. It appears LiveGuard is intercepting both files also at the same time as Google Safe Browsing. The result is a mess where the files are left in the user's Downloads folder and LiveGuard verdict status rendering to the origin Eset installation is also borked. Again, this will only occur if Google Safe Browsing analysis is performed on the download. Appears the workaround for present is to disable Google Safe Browsing in Firefox if that is possible.
Edited January 28, 2022 by itman
itman 1,746 (Author) Posted January 27, 2022 (edited)
It appears to me that at present, these two settings need to be disabled in Firefox:
Edited January 30, 2022 by itman update
itman 1,746 (Author) Posted January 28, 2022 (edited)
This explains a bit more what Firefox is doing in regards to file downloads:
Quote: When you download an application file, Firefox checks the site hosting it against a list of sites known to contain "malware". If the site is found on that list, Firefox blocks the file immediately, otherwise it asks Google's Safe Browsing service if the software is safe by sending it some of the download's metadata.* * Windows users: This online check will only be performed in Firefox on Windows for those downloaded files that don't have a known good publisher. Most of the common and safe software for Windows is signed and so this final check won't always need to happen.
https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work?as=u&utm_source=inproduct
The conflict with LiveGuard to me is obvious from what I underlined. I have disabled both Safe Browsing file download checks until Eset finds a resolution, which I assume will take some time. This issue also might manifest in Chrome since I assume it is also using Google's Safe Browsing service.
Edited January 30, 2022 by itman update
itman 1,746 (Author) Posted January 29, 2022 (edited)
I came across this article: https://security.googleblog.com/2021/06/new-protections-for-enhanced-safe.html on how enhanced Safe Browsing protection works in Chrome. Eset needs to test if a LiveGuard conflict exists with Safe Browsing in Chrome.
Edited January 30, 2022 by itman update
itman 1,746 (Author) Posted January 30, 2022 (edited)
I did some additional testing using this download: https://raw.githubusercontent.com/Makazzz/VbsToExePortable/master/VbsToExePortable , and it was multiple tests. I have also definitely identified what the LiveGuard issue is. First, I updated my prior posting in this thread that both Safe Browsing download settings need to be disabled till this issue is resolved by Eset. The issue is Safe Browsing will first download a "metadata" version of the file for initial analysis in the Google cloud. It then deletes that file and subsequently will download the full version of the file. What LiveGuard is capturing is the metadata version of the file for Eset cloud analysis. The problem is the metadata version of the file doesn't contain all file data and no longer exists in the user's Downloads folder, resulting in both the download being borked along with LiveGuard's subsequent processing of it.
Edited January 30, 2022 by itman
Most Valued Members peteyt 396 Posted January 31, 2022
3 hours ago, itman said: I did some additional testing using this download: https://raw.githubusercontent.com/Makazzz/VbsToExePortable/master/VbsToExePortable , and it was multiple tests. I have also definitely identified what the LiveGuard issue is. First, I updated my prior posting in this thread that both Safe Browsing download settings need to be disabled till this issue is resolved by Eset. The issue is Safe Browsing will first download a "metadata" version of the file for initial analysis in the Google cloud. It then deletes that file and subsequently will download the full version of the file. What LiveGuard is capturing is the metadata version of the file for Eset cloud analysis. The problem is the metadata version of the file doesn't contain all file data and no longer exists in the user's Downloads folder, resulting in both the download being borked along with LiveGuard's subsequent processing of it.
Good findings. @Marcos Any thoughts?
Most Valued Members shocked 60 Posted January 31, 2022
16 hours ago, itman said: both Safe Browsing download settings need to be disabled
You're referring to these options, right?
itman 1,746 (Author) Posted January 31, 2022
3 minutes ago, shocked said: You're referring to these options, right?
Correct.
Administrators Marcos 5,257 Posted January 31, 2022
I could not find anything wrong while downloading the file in question:
itman 1,746 (Author) Posted January 31, 2022 (edited)
Some additional points to discuss in regards to this download: VbsToExePortable_3.2_Dev_Test_1.paf.exe. In summary, should Google Safe Browsing download analysis be used at all when using Eset? It turns out this download has a 35/68 malicious score at VirusTotal. Most likely due to the following behavior: Of the major AV vendors, only Eset, F-Secure, and TrendMicro rated it as safe. For reference, wuapihost.exe is a deprecated Win system process, (W)indows (U)pdate (API) (Host). Assumed this was deployed for remote communication purposes. Now it turns out that VbsToExePortable_3.2_Dev_Test_1.paf.exe is a legit PortableApps.com-sourced process and deploys their "mini-installer" to create VbsToExePortable.exe in its own directory in the Downloads folder. I analyzed VbsToExePortable_3.2_Dev_Test_1.paf.exe and didn't observe any malicious system modification activity from it. So I conclude Eset's safe verdict is correct in this case and the other AVs rating it malicious are false positives. This gets us to the question of what Google Safe Browsing is using for its "supposed" cloud scanning analysis. It appears this is nothing more than a VT status lookup. As such, it has a high likelihood of blocking a legit download as a false positive.
Edited January 31, 2022 by itman
itman 1,746 (Author) Posted January 31, 2022
5 minutes ago, Marcos said: I could not find anything wrong while downloading the file in question
Here we go again, denial and denial. On my ESSP installation, LiveGrid captured the Safe Browsing download and created a file in my %Temp% directory: I received the Eset Virus Lab submission status popup. Also, an entry was created in the Sent log:
Time;Hash;File;Size;Category;Reason;Sent to;User
1/30/2022 2:18:50 PM;A14E958B81D91C1CB0590B565832E6CC626A5A3D;C:\Users\18436\AppData\Local\Temp\59KxjSl9.exe.part;3127106;Executable;Automatic;ESET LiveGuard;xxxxxxx
That was it for LiveGuard interaction with my device. I was left with the file in my %Temp% directory and also the following in the Downloads folder: FYI - I am not wasting my time anymore reporting on this issue.
itman 1,746 (Author) Posted January 31, 2022 (edited)
Looks like the problem has been resolved, folks! Since the screen shots posted in my last posting were for illustrative purposes only and not chronologically synced to a specific test instance, I decided to repeat the test and post new screen shots. When I started to retest, Firefox updated to ver. 96.0.3. After that update, I can no longer duplicate what was happening previously. From everything I am observing when testing after this latest update, Firefox was the "culprit." Prior to the update, when Google Safe Browsing blocked a download, Firefox was downloading a .part version of the file to the Downloads folder. LiveGuard then attempted to process this .part file and "everything went downhill" Firefox- and LiveGuard-wise thereafter. After the Firefox update, no .part file is being downloaded to the Downloads folder when Google Safe Browsing blocks a download, and no subsequent LiveGuard processing occurs. A note of interest here is Firefox still is downloading a .part file to the %Temp% directory. If you don't manually remove the Google Safe Browsing blocked download in Firefox, or immediately navigate to another web site, that .part file remains in the %Temp% directory: Appears LiveGuard is "oblivious" to the existence of this file.
Edited January 31, 2022 by itman
itman 1,746 (Author) Posted January 31, 2022 (edited)
BTW - I did verify at VT that the above .part file is just a renamed version of VbsToExePortable_3.2_Dev_Test_1.paf.exe. Since it appears LiveGuard is triggering off the download to the %Temp% directory, this brings up LiveGuard bypass possibilities. Something along the lines of a simultaneous payload download to both the Downloads and %Temp% directories?
Edited January 31, 2022 by itman
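Added example, not code from the thread, from ESET or from Mozilla: a small Python triage script for the "Sent files" log entries quoted in Marcos's and itman's posts above and for the Downloads-folder state described in the thread. It assumes the semicolon-separated column layout shown in the quoted log (Time;Hash;File;Size;Category;Reason;Sent to;User), that the Hash column is SHA-1 (the quoted hashes are 40 hex digits, which matches), and Firefox's "<final name>.part" naming for an in-progress download. The two log lines embedded in it are copied from the thread; everything else it is pointed at is the reader's own disk. It flags submissions of .part files or of anything under %LocalAppData%\Temp, lets you check offline by size and SHA-1 whether the file left on disk is the object that was actually uploaded (the check itman did through VT), and lists the 0-byte placeholder plus .part pairs that the thread calls a "disjointed state".

```python
"""Triage ESET 'Sent files' log lines and compare them with what is on disk.

Added example; not ESET or Mozilla code. Assumptions: the semicolon-separated
layout quoted in the thread (Time;Hash;File;Size;Category;Reason;Sent to;User),
a SHA-1 hash column, and Firefox naming a partial download '<final name>.part'.
"""
import hashlib
import string
from dataclasses import dataclass
from pathlib import Path
from typing import List, Tuple

# Constructed sample: the header plus the two entries quoted in the thread.
SAMPLE_LOG = (
    "Time;Hash;File;Size;Category;Reason;Sent to;User\n"
    "1/27/2022 8:51:25 PM;7A159FC016989A2B8CF22D6B1A0C9C19BCC739C0;"
    "https://raw.githubusercontent.com/Makazzz/VbsToExePortable/master/"
    "VbsToExePortable/VbsToExePortable.exe;178782;Executable;Automatic;ESET LiveGuard;\n"
    "1/30/2022 2:18:50 PM;A14E958B81D91C1CB0590B565832E6CC626A5A3D;"
    "C:\\Users\\18436\\AppData\\Local\\Temp\\59KxjSl9.exe.part;3127106;"
    "Executable;Automatic;ESET LiveGuard;xxxxxxx\n"
)


@dataclass
class SentEntry:
    time: str
    sha1: str
    file: str
    size: int
    category: str
    reason: str
    sent_to: str
    user: str

    @property
    def is_partial(self) -> bool:
        """Submitted object was a browser's in-progress download (.part)."""
        return self.file.lower().endswith(".part")

    @property
    def is_temp(self) -> bool:
        """Submitted path lies under the per-user Temp directory."""
        return "\\appdata\\local\\temp\\" in self.file.lower()

    @property
    def needs_review(self) -> bool:
        """Either condition means the verdict may not apply to the final file."""
        return self.is_partial or self.is_temp


def parse_sent_log(text: str) -> List[SentEntry]:
    """Parse the export. A trailing ';' with an empty User column is accepted."""
    rows = [line for line in text.splitlines() if line.strip()]
    if not rows or rows[0].split(";")[0] != "Time":
        raise ValueError("missing 'Time;Hash;...' header line")
    entries = []
    for row in rows[1:]:
        fields = row.split(";")
        if len(fields) != 8:
            raise ValueError(f"expected 8 fields, got {len(fields)}: {row!r}")
        t, h, f, size, cat, reason, sent_to, user = fields
        if len(h) != 40 or any(c not in string.hexdigits for c in h):
            raise ValueError(f"Hash column is not 40 hex digits (SHA-1): {h!r}")
        entries.append(SentEntry(t, h.upper(), f, int(size), cat, reason, sent_to, user))
    return entries


def sha1_of(path) -> str:
    """Uppercase SHA-1 hex digest, streamed so a multi-MB download is not read at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def matches_entry(entry: SentEntry, path) -> bool:
    """Is the file on disk (size and SHA-1) the object the log says was submitted?"""
    p = Path(path)
    return p.stat().st_size == entry.size and sha1_of(p) == entry.sha1


def find_stalled_downloads(download_dir) -> List[Tuple[str, str]]:
    """(placeholder, part) pairs where a 0-byte '<name>' sits next to '<name>.part',
    i.e. the Downloads-folder state described in the thread. Assumes Firefox's
    '<final name>.part' naming for the partial file."""
    found = []
    for part in sorted(Path(download_dir).glob("*.part")):
        stem = part.name[: -len(".part")]
        if not stem:
            continue
        placeholder = part.with_name(stem)
        if placeholder.exists() and placeholder.stat().st_size == 0:
            found.append((placeholder.name, part.name))
    return found


if __name__ == "__main__":
    for e in parse_sent_log(SAMPLE_LOG):
        flag = "REVIEW" if e.needs_review else "ok    "
        print(f"{flag} {e.sha1[:12]}... {e.size:>8} {e.file}")
```

Run it against a real export by replacing SAMPLE_LOG with the contents of the log file; an entry flagged REVIEW whose path no longer exists is exactly the case the thread describes, where the verdict was rendered on an object the user can no longer run or inspect.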