Jump to content

Recommended Posts

I downloaded a portable executable from Github web site: https://github.com/Makazzz/VbsToExePortable .

It was submitted to LiveGuard:

Eset_LG_Sent.thumb.png.43c20e62d787611051ad772e8f92a753.png

The problem is:

1. I never received a reply from LiveGuard on file status.

2. The file was created in my download directory and remains in an unusable state:

Eset_LG_Part.thumb.png.2148beed90bed1f252dedc9d5cccfdfb.png

Link to comment
Share on other sites

It gets weirder.

Deleted the two files in my download folder. Then did another download from the Github web site. Now I have the above 0 byte .exe in my downloads directory. No alert or log entry for this download in regards to a LiveGuard upload.

-EDIT- Appears for some strange reason, FireFox (assume it's Google Safe Browsing) is now blocking the download. Overriding that, the download completed sucessfully. Not a beep from Eset on the download or upload to LiveGuard. Appears LiveGuard did give a safe verdict to it.

Edited by itman
Link to comment
Share on other sites

  • Administrators

On my machine I have this in the Sent files log:

Time;Hash;File;Size;Category;Reason;Sent to;User
1/27/2022 8:51:25 PM;7A159FC016989A2B8CF22D6B1A0C9C19BCC739C0;https://raw.githubusercontent.com/Makazzz/VbsToExePortable/master/VbsToExePortable/VbsToExePortable.exe;178782;Executable;Automatic;ESET LiveGuard;

The notifications pop up only if you attempt to run a file temporarily being blocked by LiveGuard proactive protection. Both notifications I received after attempting to run the file downloaded above:

image.png

image.png

 

Is your Web access protection working correctly and detects eicar from this link?
https://secure.eicar.org/eicar_com.zip

Link to comment
Share on other sites

  • Most Valued Members

i downloaded the file, it was sent to LiveGuard as the logs report but i didn't get a notification either.

the option to notify me is enabled in the settings. also when attempting to run the app i don't get a notification that is currently blocked due to analysis

Edited by shocked
Link to comment
Share on other sites

13 minutes ago, Marcos said:

The notifications pop up only if you attempt to run a file temporarily being blocked by LiveGuard proactive protection.

On past LiveGuard submissions, I received the "Sent to Eset AV Labs for analysis" popup. Upon completion of LiveGuard analysis, I received the LiveGuard safe analysis verdict popup. I did not attempt to the file prior to the safe verdict being returned.

Again for this download posted about, I never received a LiveGuard verdict. Additionally, the file is sitting in my downloads folder in a disjointed state. If LiveGuard rendered a verdict, the file would have been returned to its original download state if safe; or deleted if malicious.

Edited by itman
Link to comment
Share on other sites

26 minutes ago, Marcos said:

On my machine I have this in the Sent files log:

Time;Hash;File;Size;Category;Reason;Sent to;User
1/27/2022 8:51:25 PM;7A159FC016989A2B8CF22D6B1A0C9C19BCC739C0;https://raw.githubusercontent.com/Makazzz/VbsToExePortable/master/VbsToExePortable/VbsToExePortable.exe;178782;Executable;Automatic;ESET LiveGuard;

I have a theory as to what happened here.

On the original file download, I missed the Firefox blocked file notification (i.e. red dot) generated by Google Safe Browsing. Firefox however proceeded with the file download resulting in creation of the .part and a 0 byte .exe file. LiveGuard "sprung into action" and uploaded the .part file which it really shouldn't have. Something for Eset to look at further.

Link to comment
Share on other sites

  • Administrators

I've noticed that my VbsToExePortable.exe was substantially smaller than yours (178 kB vs 3 MB). Could you try downloading the file from my link above?

As for the notifications about submissions, they are disabled by default:

image.png

Link to comment
Share on other sites

18 hours ago, Marcos said:

I've noticed that my VbsToExePortable.exe was substantially smaller than yours (178 kB vs 3 MB). Could you try downloading the file from my link above?

If you are referring to this link: https://raw.githubusercontent.com/Makazzz/VbsToExePortable/master/VbsToExePortable, I get a "not found" message in Firefox.

18 hours ago, Marcos said:

As for the notifications about submissions, they are disabled by default:

Enable that setting some time ago.

Here's the problem in regards to FireFox as I see it.

Google Safe Browsing is built into Firefox by default. It like LiveGuard is waiting for the in-process download to complete to examine it. Excluding LiveGuard for the moment if Google Safe Browsing detects the download as malicious, it will delete both the .part file and the null .exe file in the users Downloads folder.

It appears LiveGuard is intercepting both files also at the same time as Google Safe Browsing. The result is a mess where the files are left in the users Downloads folder and LiveGuard verdict status rendering to the origin Eset installation is also borked.

Again, this will only occur if Google Safe Browsing analysis is performed on the download.

Appears the workaround for present is to disable Google Safe Browsing in Firefox if that is possible.

Edited by itman
Link to comment
Share on other sites

It appears to me that at present, these two settings need to be disabled in Firefox:

Eset_Safe.thumb.png.bc229211a9d53c4579c585c7380154ed.png

Edited by itman
update
Link to comment
Share on other sites

This explains a bit more what FireFox is doing in regards to file downloads:

Quote

When you download an application file, Firefox checks the site hosting it against a list of sites known to contain "malware". If the site is found on that list, Firefox blocks the file immediately, otherwise it asks Google’s Safe Browsing service if the software is safe by sending it some of the download’s metadata.*

* Windows users: This online check will only be performed in Firefox on Windows for those downloaded files that don’t have a known good publisher. Most of the common and safe software for Windows is signed and so this final check won’t always need to happen.
 
The conflict with LiveGuard to me is obvious from what I underlined.
 
I have disabled both Safe Browsing file download checks until Eset finds a resolution which I assume will take some time. This issue also might manifest in Chrome since I assume it is also using Google’s Safe Browsing service.
Edited by itman
update
Link to comment
Share on other sites

I came across this article: https://security.googleblog.com/2021/06/new-protections-for-enhanced-safe.html on how enhanced Safe Browser protection works in Chrome.

Eset needs to test if a LiveGuard conflict exists with Safe Browsing in Chrome.

Edited by itman
update
Link to comment
Share on other sites

I did some additional testing using this download: https://raw.githubusercontent.com/Makazzz/VbsToExePortable/master/VbsToExePortable and it was multiple tests. I have also definitely identified what is the LiveGuard issue.

First, I updated my prior posting in this thread that both Safe Browsing download settings need to be disabled till this issue is resolved by Eset.

The issue is Safe Browsing will first download a "metadata" version of the file for initial analysis in the Google cloud. It then deletes that file and subsequently will download the full version of the file. What LiveGuard is capturing is the metadata version of the file for Eset cloud analysis. The problem is the metadata version of the file doesn't contain all file data and no longer exists in the user's Downloads folder resulting in both the download being borked along with LiveGuard's subsequent processing of it.

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members
3 hours ago, itman said:

I did some additional testing using this download: https://raw.githubusercontent.com/Makazzz/VbsToExePortable/master/VbsToExePortable and it was multiple tests. I have also definitely identified what is the LiveGuard issue.

First, I updated my prior posting in this thread that both Safe Browsing download settings need to be disabled till this issue is resolved by Eset.

The issue is Safe Browsing will first download a "metadata" version of the file for initial analysis in the Google cloud. It then deletes that file and subsequently will download the full version of the file. What LiveGuard is capturing is the metadata version of the file for Eset cloud analysis. The problem is the metadata version of the file doesn't contain all file data and no longer exists in the user's Downloads folder resulting in both the download being borked along with LiveGuard's subsequent processing of it.

Good findings. @MarcosAny thoughts?

Link to comment
Share on other sites

  • Most Valued Members
16 hours ago, itman said:

both Safe Browsing download settings need to be disabled

you're referring to these options, right?


Cadddpture.PNG.dbd2adc6d5f82cdea79a2367902321fb.PNG

Link to comment
Share on other sites

3 minutes ago, shocked said:

you're referring to these options, right?

Correct.

Link to comment
Share on other sites

Some additional points to discuss in regards to this download: VbsToExePortable_3.2_Dev_Test_1.paf.exe.

In summary, should Google Safe Browsing downloading analysis be used at all when using Eset?

It turns out this download has a 35/68 malicious score at VirusTotal. Most likely due to the following behavior:

Eset_VT.png.ab00722c1e66d9c490296656c029f5eb.png

Of the major AV vendors, only Eset, F-Secure, and TrendMicro rated it as safe.

For reference, wuapihost.exe is a deprecated Win system process, (W)indows (U)pdate (API)(Host). Assumed this was deployed for remote communication purposes.

Now it turns out that VbsToExePortable_3.2_Dev_Test_1.paf.exe is a legit PortableApps.com sourced process and deploys their "mini-installer" to create VbsToExePortable.exe in its own directory in the Downloads folder. I analyzed VbsToExePortable_3.2_Dev_Test_1.paf.exe and didn't observe any malicious system modification activity from it. So I conclude Eset's safe verdict is correct in this case and the other AV's rating it malicious are false positives.

This gets us to the question of what Google Safe Browsing is using for its "supposed" cloud scanning analysis. It appears this is nothing more that a VT status lookup. As such, it has a high likelihood of blocking a legit download as a false positive.

Edited by itman
Link to comment
Share on other sites

5 minutes ago, Marcos said:

I could not find anything wrong while downloading the file in question

Here we go again, denial and denial.

On my ESSP installation, LiveGrid captured the Safe Browsing download and created a file in my %Temp% directory:

Eset_Part.thumb.png.f29e4738c33ea866509b986a5a869fd5.png

I received the Eset Virus Lab submission status popup. Also a entry was created in the Sent log:

Time;Hash;File;Size;Category;Reason;Sent to;User
1/30/2022 2:18:50 PM;A14E958B81D91C1CB0590B565832E6CC626A5A3D;C:\Users\18436\AppData\Local\Temp\59KxjSl9.exe.part;3127106;Executable;Automatic;ESET LiveGuard;xxxxxxx

That was it for for LiveGuard interaction with my device. I was left with the file in my %Temp% directory and also the following in the Downloads folder:

Eset_LG_Part.thumb.png.2148beed90bed1f252dedc9d5cccfdfb.png

FYI - I am not wasting my time anymore reporting on this issue.


 

Link to comment
Share on other sites

Looks like the problem has been resolved, folks!

Since the screen shots posted in my last posting were for illustrative purposes only and not chronologically synced to a specific test instance, I decided to repeat the test and post new screen shots.

When I started to retest, Firefox updated to ver. 96.0.3. After that update, I can no longer duplicate what was happening previously.

From everything I am observing when testing after this latest update, Firefox was the "culprit." Prior to the update when Google Safe Browsing blocked a download, Firefox was downloading a .part version of the file to the Downloads folder. LiveGuard then attempted to process this .part file and "everything went downhill" Firefox and LiveGuard wise thereafter. After the Firefox update, no .part file is being downloaded to the Downloads folder when Google Safe Browsing blocks a download and no subsequent LiveGuard processing occurs.

A note of interest here is Firefox still is downloading a .part file to the %Temp% directory. If you manually in FireFox don't remove the Google Safe Browsing blocked download or navigate immediately to another web site, that .part file remains in the %Temp% directory:

FF_Temp.thumb.png.e8c18801592208711c5ed488f32d33a8.png

Appears LiveGuard is "oblivious" to the existence of this file.

Edited by itman
Link to comment
Share on other sites

BTW - I did verify at VT the the above .part file is just a renamed version of VbsToExePortable_3.2_Dev_Test_1.paf.exe.

Since it appears LiveGuard is triggering off the download to the %Temp% directory, this brings up LiveGuard bypass possibilities. Something along the lines of a simultaneous payload download to both the Downloads and %Temp% directories?

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...