Jump to content

More LiveGuard Concerns


Recommended Posts

Posted (edited)
4 minutes ago, Marcos said:

Please provide also the corresponding records from the Sent files log.

Time;Hash;File;Size;Category;Reason;Sent to;User
4/8/2022 9:47:49 AM;ED07F92C19125F0B8A80E2C5F3EDAB3CFA4A8344;C:\Users\xxxxxx\Downloads\registry_guard_service\32-bit\RegGuardSvc\install.bat;236;Script;Automatic;ESET LiveGuard;xxxxxxx
4/8/2022 9:47:51 AM;1B389A5F83C8DFE69180E549E0A6020873DD13FE;C:\Users\xxxxxx\Downloads\registry_guard_service\32-bit\RegGuardSvc\uninstall.bat;177;Script;Automatic;ESET LiveGuard;xxxxxxx

Edited by itman
Link to comment
Share on other sites

I will also note that both these .bat scripts have 0 detections at VirusTotal.

This again leads me to believe that LiveGuard is again operating in "LiveGrid mode" in certain instances. That is, data harvesting activities are being performed for locally detected benign, but potentially dangerous unknown files. If this is the case, Eset should publicly state this.

Link to comment
Share on other sites

  • Administrators

On my machine one of the batch files was sent, the other was evaluated by heuristics and rejected by the server from submission:

image.png

Link to comment
Share on other sites

Posted (edited)
2 hours ago, Marcos said:

On my machine one of the batch files was sent, the other was evaluated by heuristics and rejected by the server from submission:

I assume the rejection was due to the submission to LiveGuard previously from my device; i.e. file hash previously submitted to LiveGuard.

As far the other script that was sent to LiveGuard, was it blocked on your device? Did you receive a safe verdict rendering from LiveGuard? Also, this file should not have been sent to LiveGuard since its file hash is already known to LiveGuard from my previous submission of it.

The question still remains that when these scripts were sent to LiveGuard from my device, expected LiveGuard behavior did not occur. That is again, the files were not blocked and LiveGuard safe verdict received.

Edited by itman
Link to comment
Share on other sites

Posted (edited)

@Marcos, it appears it was the install.bat script that was submitted to LiveGuard on your device. Here's the code in that script:

Quote

:: Open current directory
cd %~dp0

:: Install the service
sc create RegGuardSvc binPath= "C:\RegGuardSvc\Service\RegGuardSvc.exe" DisplayName= "RegGuardSvc Service" start= auto

:: Start the service
sc start RegGuardSvc

pause

This code result;

cd %~dp0

would vary based on what device it was executed on. It appears this alone is enough to have Eset determine there is something suspicous about it.

Edited by itman
Link to comment
Share on other sites

Posted (edited)

I believe I know what the issue is with Eset in regards this RegGuard app download and its local heuristic scanning,

This app contains dual install/uninstall scripts; one for Win x(86) OS and one for Win x(64) OS. Note that the code within the x(86) scripts is identical to that in the x(64) scripts. It appears that Eset hueristics goes "bonkers" on this. Most likely its running both sets of scripts in the local heuristic sandbox and afterwards saying to itself:

"Err ......... what?"

"That can't be; multiple scripts creating/deleting the same service."

"Definitely suspicious."

"I'll upload the first of the duplicate scripts I scanned to LiveGuard."

"But, I won't block these scripts since there is nothing in them malicious."

The problem here is Eset VirusLab scan won't find anything since there is nothing malicious about any of the scripts uploaded to it. Additionally since not all scripts were uploaded to the cloud, not enough data exists to make a definitive decision.

The bigger problem here is how the hell does one determine if LiveGuard is functioning properly and as described in Eset documentation?

Edited by itman
Link to comment
Share on other sites

Hello,

Also, when a file is went to LiveGuard,I received only a notfication for this action and never a notification to say "the fila is safe" or "the file is malicious".

That's very frustrating.

Link to comment
Share on other sites

  • Administrators
9 hours ago, Leonardo said:

Hello,

Also, when a file is went to LiveGuard,I received only a notfication for this action and never a notification to say "the fila is safe" or "the file is malicious".

That's very frustrating.

You won't receive any notification unless you attempt to run a file that has been submitted and is temporarily blocked.

Link to comment
Share on other sites

Posted (edited)

There is also another detail about the unzipped scripts for this RegGuard app download I forgot to mention.

First, the scripts are not code signed.

When I tried to view the scripts content via Win Explorer Edit option, I immediately received a Win 10 native SmartScreen alert about the script not being downloaded from the Microsoft Store. This was a revelation to me since I thought SmartScreen only monitored .exe downloads. 

LiveGuard via ekrn.exe has to obviously access files to lock them and them upload them to the cloud. To do so, it has to interact with Smartscreen to bypass its file processing. Is it possible that his activity is not being performed correctly and is the cause for file uploads to LiveGuard not being blocked?

Edited by itman
Link to comment
Share on other sites

6 hours ago, Marcos said:

You won't receive any notification unless you attempt to run a file that has been submitted and is temporarily blocked.

Thanks @Marcos

I tried to run a file and I got the "has been submitted" notification and after some minutes the file was unlockednot but I did not receive any notification mentioning "safe file" notification.

Another concern for me, when I look at logfiles, "sent files" only shows an old event but "Events" shows the current event (file sent and analysed by LiveGuard). Is it normal or an issue on my ESSP ?

1.thumb.PNG.105ac266c7828d0097b2ae079229acd6.PNG2.thumb.PNG.08a4f1b8cdd34dd6cce4251fc7261414.PNG

Link to comment
Share on other sites

2 minutes ago, Leonardo said:

I tried to run a file and I got the "has been submitted" notification and after some minutes the file was unlockednot but I did not receive any notification mentioning "safe file" notification.

Assumed here is the LiveGuard did not complete its cloud scanning activities within the ESSP LiveGuard default scan time limit of 5 mins.. In this instance, the file will be unblocked after 5 mins. and no safe Event log entry will be generated.

You can increase ESSP LiveGuard default scan time limit.

Link to comment
Share on other sites

  • Administrators
8 minutes ago, Leonardo said:

1.thumb.PNG.105ac266c7828d0097b2ae079229acd6.PNG

This file was sent to LiveGrid, ie. access to it was not blocked. It could be that the file is either trusted or has already been submitted to LiveGuard before and was evaluated as clean. ELC logs could shed more light.

Link to comment
Share on other sites

2 minutes ago, Marcos said:

This file was sent to LiveGrid, ie. access to it was not blocked. It could be that the file is either trusted or has already been submitted before and was evaluated by LiveGuard as clean. ELC logs could shed more light.

Also, locally detected malicious file are sent to the Eset cloud via LiveGrid; not LiveGuard.

Link to comment
Share on other sites

16 minutes ago, itman said:

Assumed here is the LiveGuard did not complete its cloud scanning activities within the ESSP LiveGuard default scan time limit of 5 mins.. In this instance, the file will be unblocked after 5 mins. and no safe Event log entry will be generated.

You can increase ESSP LiveGuard default scan time limit.

Thanks @itman

As you mentioned the time limit value in one of your previous posts I had yet tweaked it at 30 minutes.

Link to comment
Share on other sites

17 minutes ago, Marcos said:

This file was sent to LiveGrid, ie. access to it was not blocked. It could be that the file is either trusted or has already been submitted to LiveGuard before and was evaluated as clean. ESET Log Collector logs could shed more light.

Thanks @Marcos

OK but my main problem is to understand why and event listed in "Events" logfiles was not listed in "Files sent" logfiles ?

I think that "ESET Log Collector logs" are necessary for the support but I don't know how I can collect it ?

Link to comment
Share on other sites

11 minutes ago, Leonardo said:

Thanks @Marcos

OK but my main problem is to understand why and event listed in "Events" logfiles was not listed in "Files sent" logfiles ?

I think that "ESET Log Collector logs" are necessary for the support but I don't know how I can collect it ?

Just found the "ESET Log Collector logs" KB https://support.eset.com/en/kb3466-how-do-i-use-eset-log-collector

Link to comment
Share on other sites

55 minutes ago, Leonardo said:

I have done ESET Log Collector but what I will do with the collected logs ?

You can add them as an attachment to your next reply. Only Eset moderators can access file attachments.

Link to comment
Share on other sites

Posted (edited)
2 hours ago, itman said:

To do so, it has to interact with Smartscreen to bypass its file processing. Is it possible that his activity is not being performed correctly and is the cause for file uploads to LiveGuard not being blocked?

SmartScreen is not the reason for non-blocking.

I excluded original .bat file downloads from Eset real-time scanning. Modified the .bat files to change their hash value. Created a new .zip archive of the original file download. Uploaded the new .zip archive to a file sharing web site. I also disabled SmartScreen file and app checking.

Upon download of this new .zip archive and extraction of it, exact same behavior from LiveGuard as originally reported. Same two .bat file were uploaded to LiveGuard and they were not blocked.

-EDIT- BTW with SmartScreen app and file checking disabled, I still get a Win warning popup when accessing the ,bat files via Win Explorer Edit option about not being from a Trusted Publisher; i.e. unsigned. Wonder if that could be a factor?

Edited by itman
Link to comment
Share on other sites

Posted (edited)

One last test.

This is to rule out Eset archive scanning after .zip file extraction as the reason for these .bat files not being blocked by LiveGuard.

Repeated same procedure as above with the exception that only the previous archive .bat files triggering LiveGuard uploads to the Eset cloud were uploaded to a file sharing site.

Upon download of these files from the file sharing web site, the exact same LiveGuard behavior occurred. The file was uploaded to Eset VirusLab and the .bat script download was not blocked from execution by LiveGuard. Nor was any LiveGuard safe verdict received on the local device.

It therefore can be concluded that LiveGuard is not properly processing script file downloads. Or, not processing script file downloads per Eset published documentation.

The remaining question is if other non-.exe file downloads are also not being properly processed by LiveGuard.

Edited by itman
Link to comment
Share on other sites

1 hour ago, itman said:

One last test.

This is to rule out Eset archive scanning after .zip file extraction as the reason for these .bat files not being blocked by LiveGuard.

Repeated same procedure as above with the exception that only the previous archive .bat files triggering LiveGuard uploads to the Eset cloud were uploaded to a file sharing site.

Upon download of these files from the file sharing web site, the exact same LiveGuard behavior occurred. The file was uploaded to Eset VirusLab and the .bat script download was not blocked from execution by LiveGuard. Nor was any LiveGuard safe verdict received on the local device.

It therefore can be concluded that LiveGuard is not properly processing script file downloads. Or, not processing script file downloads per Eset published documentation.

The remaining question is if other non-.exe file downloads are also not being properly processed by LiveGuard. .

If the test you really come to the conclusion that LiveGuard has some problem I get very worried, because I made some downloads did not return anything. oh I thought either that it was not detected or the file is clean. I always have this doubt.

Link to comment
Share on other sites

4 hours ago, itman said:

You can add them as an attachment to your next reply. Only Eset moderators can access file attachments.

Thanks @itman

I'll attach the logs monday because they are on my office desktop.

Link to comment
Share on other sites

Posted (edited)

In regards to an early posting in this thread: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=148794 about Eset's own LiveGuard functionality test not working, I decided to test that.

Upon download from a filesharing web site of the previous PowerShell modified EdtdTestFile.exe file, not a peep from LiveGuard. No Eset local heuristics detection of the file and no upload to LiveGuard.

However upon execution of the file:

Eset_EDTD.thumb.png.e20ef6ee605a095315490f4aacd7170a.png

 

Edited by itman
Link to comment
Share on other sites

Posted (edited)

@Marcos, the problem with the LiveGuard functionality test described here: https://help.eset.com/elga/en-US/test_functionality.html is this PowerShell code;

Add-Content .\EdtdTestFile.exe date

is not adding the current date stamp to the end of the file. All I see is "date" at the end of the file.

Assumed is since this code has already been submitted once to LiveGuard, this is why its not been resent.

-EDIT- appears the code should be;

Add-Content .\EdtdTestFile.exe  "date! $(Get-Date)"

Edited by itman
Link to comment
Share on other sites

  • Administrators
7 hours ago, itman said:

@Marcos, the problem with the LiveGuard functionality test described here: https://help.eset.com/elga/en-US/test_functionality.html is this PowerShell code;

Add-Content .\EdtdTestFile.exe date

is not adding the current date stamp to the end of the file. All I see is "date" at the end of the file.

Assumed is since this code has already been submitted once to LiveGuard, this is why its not been resent.

-EDIT- appears the code should be;

Add-Content .\EdtdTestFile.exe  "date! $(Get-Date)"

Obviously the command was amended only in one section on the page and in the "ESET Cloud Office Security users" it was left intact. Will notify the documentation team about it. Thanks for the heads-up.

Add-Content .\EdtdTestFile.exe $(date)

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...