More LiveGuard Concerns

[itman 1,659]

4 minutes ago, Marcos said:

Please provide also the corresponding records from the Sent files log.

Time;Hash;File;Size;Category;Reason;Sent to;User
4/8/2022 9:47:49 AM;ED07F92C19125F0B8A80E2C5F3EDAB3CFA4A8344;C:\Users\xxxxxx\Downloads\registry_guard_service\32-bit\RegGuardSvc\install.bat;236;Script;Automatic;ESET LiveGuard;xxxxxxx
4/8/2022 9:47:51 AM;1B389A5F83C8DFE69180E549E0A6020873DD13FE;C:\Users\xxxxxx\Downloads\registry_guard_service\32-bit\RegGuardSvc\uninstall.bat;177;Script;Automatic;ESET LiveGuard;xxxxxxx

Edited April 8, 2022 by itman

[itman 1,659]

I will also note that both these .bat scripts have 0 detections at VirusTotal.

This again leads me to believe that LiveGuard is again operating in "LiveGrid mode" in certain instances. That is, data harvesting activities are being performed for locally detected benign, but potentially dangerous unknown files. If this is the case, Eset should publicly state this.

[Marcos 5,069]

On my machine one of the batch files was sent, the other was evaluated by heuristics and rejected by the server from submission:

[itman 1,659]

2 hours ago, Marcos said:

On my machine one of the batch files was sent, the other was evaluated by heuristics and rejected by the server from submission:

I assume the rejection was due to the submission to LiveGuard previously from my device; i.e. file hash previously submitted to LiveGuard.

As far the other script that was sent to LiveGuard, was it blocked on your device? Did you receive a safe verdict rendering from LiveGuard? Also, this file should not have been sent to LiveGuard since its file hash is already known to LiveGuard from my previous submission of it.

The question still remains that when these scripts were sent to LiveGuard from my device, expected LiveGuard behavior did not occur. That is again, the files were not blocked and LiveGuard safe verdict received.

Edited April 8, 2022 by itman

[itman 1,659]

@Marcos, it appears it was the install.bat script that was submitted to LiveGuard on your device. Here's the code in that script:

Quote

:: Open current directory
cd %~dp0

:: Install the service
sc create RegGuardSvc binPath= "C:\RegGuardSvc\Service\RegGuardSvc.exe" DisplayName= "RegGuardSvc Service" start= auto

:: Start the service
sc start RegGuardSvc

pause

This code result;

cd %~dp0

would vary based on what device it was executed on. It appears this alone is enough to have Eset determine there is something suspicous about it.

Edited April 8, 2022 by itman

[itman 1,659]

I believe I know what the issue is with Eset in regards this RegGuard app download and its local heuristic scanning,

This app contains dual install/uninstall scripts; one for Win x(86) OS and one for Win x(64) OS. Note that the code within the x(86) scripts is identical to that in the x(64) scripts. It appears that Eset hueristics goes "bonkers" on this. Most likely its running both sets of scripts in the local heuristic sandbox and afterwards saying to itself:

"Err ......... what?"

"That can't be; multiple scripts creating/deleting the same service."

"Definitely suspicious."

"I'll upload the first of the duplicate scripts I scanned to LiveGuard."

"But, I won't block these scripts since there is nothing in them malicious."

The problem here is Eset VirusLab scan won't find anything since there is nothing malicious about any of the scripts uploaded to it. Additionally since not all scripts were uploaded to the cloud, not enough data exists to make a definitive decision.

The bigger problem here is how the hell does one determine if LiveGuard is functioning properly and as described in Eset documentation?

Edited April 8, 2022 by itman

[Leonardo 11]

Hello,

Also, when a file is went to LiveGuard,I received only a notfication for this action and never a notification to say "the fila is safe" or "the file is malicious".

That's very frustrating.

[Marcos 5,069]

9 hours ago, Leonardo said:

Hello,

Also, when a file is went to LiveGuard,I received only a notfication for this action and never a notification to say "the fila is safe" or "the file is malicious".

That's very frustrating.

You won't receive any notification unless you attempt to run a file that has been submitted and is temporarily blocked.

[itman 1,659]

There is also another detail about the unzipped scripts for this RegGuard app download I forgot to mention.

First, the scripts are not code signed.

When I tried to view the scripts content via Win Explorer Edit option, I immediately received a Win 10 native SmartScreen alert about the script not being downloaded from the Microsoft Store. This was a revelation to me since I thought SmartScreen only monitored .exe downloads. 

LiveGuard via ekrn.exe has to obviously access files to lock them and them upload them to the cloud. To do so, it has to interact with Smartscreen to bypass its file processing. Is it possible that his activity is not being performed correctly and is the cause for file uploads to LiveGuard not being blocked?

Edited April 9, 2022 by itman

[Leonardo 11]

6 hours ago, Marcos said:

You won't receive any notification unless you attempt to run a file that has been submitted and is temporarily blocked.

Thanks @Marcos

I tried to run a file and I got the "has been submitted" notification and after some minutes the file was unlockednot but I did not receive any notification mentioning "safe file" notification.

Another concern for me, when I look at logfiles, "sent files" only shows an old event but "Events" shows the current event (file sent and analysed by LiveGuard). Is it normal or an issue on my ESSP ?

[itman 1,659]

2 minutes ago, Leonardo said:

I tried to run a file and I got the "has been submitted" notification and after some minutes the file was unlockednot but I did not receive any notification mentioning "safe file" notification.

Assumed here is the LiveGuard did not complete its cloud scanning activities within the ESSP LiveGuard default scan time limit of 5 mins.. In this instance, the file will be unblocked after 5 mins. and no safe Event log entry will be generated.

You can increase ESSP LiveGuard default scan time limit.

[Marcos 5,069]

8 minutes ago, Leonardo said:

This file was sent to LiveGrid, ie. access to it was not blocked. It could be that the file is either trusted or has already been submitted to LiveGuard before and was evaluated as clean. ELC logs could shed more light.

[itman 1,659]

2 minutes ago, Marcos said:

This file was sent to LiveGrid, ie. access to it was not blocked. It could be that the file is either trusted or has already been submitted before and was evaluated by LiveGuard as clean. ELC logs could shed more light.

Also, locally detected malicious file are sent to the Eset cloud via LiveGrid; not LiveGuard.

[Leonardo 11]

16 minutes ago, itman said:

Assumed here is the LiveGuard did not complete its cloud scanning activities within the ESSP LiveGuard default scan time limit of 5 mins.. In this instance, the file will be unblocked after 5 mins. and no safe Event log entry will be generated.

You can increase ESSP LiveGuard default scan time limit.

Thanks @itman

As you mentioned the time limit value in one of your previous posts I had yet tweaked it at 30 minutes.

[Leonardo 11]

17 minutes ago, Marcos said:

This file was sent to LiveGrid, ie. access to it was not blocked. It could be that the file is either trusted or has already been submitted to LiveGuard before and was evaluated as clean. ESET Log Collector logs could shed more light.

Thanks @Marcos

OK but my main problem is to understand why and event listed in "Events" logfiles was not listed in "Files sent" logfiles ?

I think that "ESET Log Collector logs" are necessary for the support but I don't know how I can collect it ?

[Leonardo 11]

11 minutes ago, Leonardo said:

Thanks @Marcos

OK but my main problem is to understand why and event listed in "Events" logfiles was not listed in "Files sent" logfiles ?

I think that "ESET Log Collector logs" are necessary for the support but I don't know how I can collect it ?

Just found the "ESET Log Collector logs" KB https://support.eset.com/en/kb3466-how-do-i-use-eset-log-collector

[Leonardo 11]

I have done ESET Log Collector but what I will do with the collected logs ?

[itman 1,659]

55 minutes ago, Leonardo said:

I have done ESET Log Collector but what I will do with the collected logs ?

You can add them as an attachment to your next reply. Only Eset moderators can access file attachments.

[itman 1,659]

2 hours ago, itman said:

To do so, it has to interact with Smartscreen to bypass its file processing. Is it possible that his activity is not being performed correctly and is the cause for file uploads to LiveGuard not being blocked?

SmartScreen is not the reason for non-blocking.

I excluded original .bat file downloads from Eset real-time scanning. Modified the .bat files to change their hash value. Created a new .zip archive of the original file download. Uploaded the new .zip archive to a file sharing web site. I also disabled SmartScreen file and app checking.

Upon download of this new .zip archive and extraction of it, exact same behavior from LiveGuard as originally reported. Same two .bat file were uploaded to LiveGuard and they were not blocked.

-EDIT- BTW with SmartScreen app and file checking disabled, I still get a Win warning popup when accessing the ,bat files via Win Explorer Edit option about not being from a Trusted Publisher; i.e. unsigned. Wonder if that could be a factor?

Edited April 9, 2022 by itman

[itman 1,659]

One last test.

This is to rule out Eset archive scanning after .zip file extraction as the reason for these .bat files not being blocked by LiveGuard.

Repeated same procedure as above with the exception that only the previous archive .bat files triggering LiveGuard uploads to the Eset cloud were uploaded to a file sharing site.

Upon download of these files from the file sharing web site, the exact same LiveGuard behavior occurred. The file was uploaded to Eset VirusLab and the .bat script download was not blocked from execution by LiveGuard. Nor was any LiveGuard safe verdict received on the local device.

It therefore can be concluded that LiveGuard is not properly processing script file downloads. Or, not processing script file downloads per Eset published documentation.

The remaining question is if other non-.exe file downloads are also not being properly processed by LiveGuard.

Edited April 9, 2022 by itman

[New_Style_xd 69]

1 hour ago, itman said:

One last test.

This is to rule out Eset archive scanning after .zip file extraction as the reason for these .bat files not being blocked by LiveGuard.

Repeated same procedure as above with the exception that only the previous archive .bat files triggering LiveGuard uploads to the Eset cloud were uploaded to a file sharing site.

Upon download of these files from the file sharing web site, the exact same LiveGuard behavior occurred. The file was uploaded to Eset VirusLab and the .bat script download was not blocked from execution by LiveGuard. Nor was any LiveGuard safe verdict received on the local device.

It therefore can be concluded that LiveGuard is not properly processing script file downloads. Or, not processing script file downloads per Eset published documentation.

The remaining question is if other non-.exe file downloads are also not being properly processed by LiveGuard. .

If the test you really come to the conclusion that LiveGuard has some problem I get very worried, because I made some downloads did not return anything. oh I thought either that it was not detected or the file is clean. I always have this doubt.

[Leonardo 11]

4 hours ago, itman said:

You can add them as an attachment to your next reply. Only Eset moderators can access file attachments.

Thanks @itman

I'll attach the logs monday because they are on my office desktop.

[itman 1,659]

In regards to an early posting in this thread: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=148794 about Eset's own LiveGuard functionality test not working, I decided to test that.

Upon download from a filesharing web site of the previous PowerShell modified EdtdTestFile.exe file, not a peep from LiveGuard. No Eset local heuristics detection of the file and no upload to LiveGuard.

However upon execution of the file:

 

Edited April 9, 2022 by itman

[itman 1,659]

@Marcos, the problem with the LiveGuard functionality test described here: https://help.eset.com/elga/en-US/test_functionality.html is this PowerShell code;

Add-Content .\EdtdTestFile.exe date

is not adding the current date stamp to the end of the file. All I see is "date" at the end of the file.

Assumed is since this code has already been submitted once to LiveGuard, this is why its not been resent.

-EDIT- appears the code should be;

Add-Content .\EdtdTestFile.exe  "date! $(Get-Date)"

Edited April 9, 2022 by itman

[Marcos 5,069]

7 hours ago, itman said:

@Marcos, the problem with the LiveGuard functionality test described here: https://help.eset.com/elga/en-US/test_functionality.html is this PowerShell code;

Add-Content .\EdtdTestFile.exe date

is not adding the current date stamp to the end of the file. All I see is "date" at the end of the file.

Assumed is since this code has already been submitted once to LiveGuard, this is why its not been resent.

-EDIT- appears the code should be;

Add-Content .\EdtdTestFile.exe  "date! $(Get-Date)"

Obviously the command was amended only in one section on the page and in the "ESET Cloud Office Security users" it was left intact. Will notify the documentation team about it. Thanks for the heads-up.

Add-Content .\EdtdTestFile.exe $(date)