More LiveGuard Concerns


9 hours ago, Marcos said:

Obviously the command was amended only in one section on the page and in the "ESET Cloud Office Security users" it was left intact. Will notify the documentation team about it. Thanks for the heads-up.

Add-Content .\EdtdTestFile.exe $(date)

This test worked as expected. However, there clearly is an issue with LiveGuard script processing.

I copied the code that is the basis of the EDTD functionality test. Added some code to the end of it to change the hash value. I then saved the file as a .vbs file.

Next, I zipped up the file and uploaded it to a file sharing web site.

I downloaded the archive from the file sharing web site and extracted the archive.

Upon extraction of the file, it was submitted to LiveGuard. However, as in all the previous LiveGuard script detections posted in this thread, the file was not blocked, nor was any verdict rendered by LiveGuard.

Time;Hash;File;Size;Category;Reason;Sent to;User
4/10/2022 11:08:18 AM;500B7B5D71A08C36D603AEC3CE0FA1A3FBFD0306;C:\Users\xxxxx\Downloads\Test\etdttestfile.vbs;396;Script;Automatic;ESET LiveGuard;xxxxxxxxxxx

Time;Component;Event;User
4/10/2022 11:08:18 AM;ESET Kernel;File 'etdttestfile.vbs' was sent to ESET Virus Lab for analysis.;SYSTEM

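The test above hinges on one thing: the uploaded file must carry a SHA-1 the ESET cloud has never seen, which is what `Add-Content .\EdtdTestFile.exe $(date)` achieves by appending the current date. As an added example (not code from this thread, from ESET, or from the documented test), the following Python script does the same in a hash-aware way: it appends a timestamped comment line to a `.vbs` test script, so the script still parses, or raw trailing bytes to anything else, and reports the SHA-1 before and after in the upper-case form the "Sent files" log prints. The sample script, the file name `test.vbs` and the fixed timestamps are constructed for the demo.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional, Tuple


def sha1_hex(data: bytes) -> str:
    """SHA-1 in the upper-case 40-hex form the ESET 'Sent files' log prints."""
    return hashlib.sha1(data).hexdigest().upper()


def salt_for(path, stamp: str) -> bytes:
    """Bytes to append so the hash changes but the file still works.

    .vbs: a trailing comment line; VBScript ignores text after an apostrophe.
    anything else (e.g. .exe): raw trailing bytes; the Windows loader ignores
    overlay data after the last PE section, so the program still runs.
    """
    if Path(path).suffix.lower() == ".vbs":
        return f"\r\n' variant {stamp}\r\n".encode("ascii")
    return f"variant {stamp}".encode("ascii")


def make_unique_variant(path: Path, stamp: Optional[str] = None) -> Tuple[str, str]:
    """Append a salt to `path` in place and return (sha1_before, sha1_after)."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    before = path.read_bytes()
    after = before + salt_for(path, stamp)
    path.write_bytes(after)
    return sha1_hex(before), sha1_hex(after)


# Constructed sample: a harmless VBScript that only writes a text file,
# in the spirit of the benign test script discussed later in the thread.
SAMPLE_VBS = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'Set f = fso.CreateTextFile("liveguard_test.txt", True)\r\n'
    'f.WriteLine "LiveGuard test"\r\n'
    'f.Close\r\n'
)


def demo(workdir: Optional[str] = None) -> dict:
    """Write the sample script, salt it twice with fixed stamps, collect all three hashes."""
    workdir = workdir or tempfile.mkdtemp(prefix="liveguard_")
    script = Path(workdir) / "test.vbs"
    script.write_bytes(SAMPLE_VBS.encode("ascii"))
    h0, h1 = make_unique_variant(script, "2022-04-12T09:05:41Z")
    _, h2 = make_unique_variant(script, "2022-04-12T09:05:43Z")
    return {"original": h0, "variant1": h1, "variant2": h2, "path": str(script)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>9}: {value}")
```

Each run of `make_unique_variant` yields a hash no reputation lookup can already know, which is the only thing the procedure in the documentation really tests; whether the cloud sandbox then suspends execution of that unknown file is the separate question the rest of this thread is about, and the hash printed here is what to look for in the "Sent files" log.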

On 4/9/2022 at 4:18 PM, Marcos said:

This file was sent to LiveGrid, i.e. access to it was not blocked. It could be that the file is either trusted or has already been submitted to LiveGuard before and was evaluated as clean. ESET Log Collector logs could shed more light.

Hello @Marcos

As you asked, I have attached ESET Log Collector logs.

essp_logs.zip


I am now 100% convinced that LiveGuard processing of suspicious unknown scripts is non-existent.

This morning I found a web site that was showing code examples for two .vbs scripts that could be used maliciously. Note that the code was shown in clear text and therefore couldn't be directly executed from web site access. LiveGuard upload was triggered by the code in one of the scripts:

Time;Hash;File;Size;Category;Reason;Sent to;User
4/11/2022 9:16:36 AM;2AC6C154FA1000AE10D85D4892B79D13763DAB8A;https://gist.github.com/Alekseyyy/6e3569c5b3dfa5eeee60f9f48af58579.js?file=medium.2021.infosecw.vbscript_fun.reboot.vbs;30092;Script;Automatic;ESET LiveGuard;xxxxxxx

Time;Component;Event;User
4/11/2022 9:16:36 AM;ESET Kernel;File '6e3569c5b3dfa5eeee60f9f48af58579.js?file=medium.2021.infosecw.vbscript_fun.reboot.vbs' was sent to ESET Virus Lab for analysis.;SYSTEM

This is "classic" LiveGrid processing behavior I have seen many times in the past.

First, Eset detection is not "smart" enough to realize that the web page code was shown in clear text and can't be directly executed. Next, Eset's detection of this script code was by signature, which I will get to later. The upload to the Eset cloud was for notification that a web site was found with malicious code.

How do I know that this code was detected by signature? I copied the code and pasted it in Notepad. When I tried to save the code as a .vbs file:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/11/2022 9:23:26 AM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\edtdtestfile\Test.vbs;VBS/Agent.DN trojan;cleaned by deleting;xxxxx;Event occurred on a new file created by the application: C:\Windows\System32\notepad.exe (5B80BBB07B1A84384E61FB3F9366CAD97904EBEA).;2482C486EB9F55C9DD98FEFD55B200B169A75DAA; 4/11/2022 9:23:23 AM

As far as I am concerned, LiveGuard, as currently designed, will only protect you from unknown, to Eset, suspicious binaries. That is stand-alone .exe's and the like or, the same embedded in another file that can be identified by Eset as such. Note that the procedure Eset recommends for testing LiveGuard functionality is to create an e-mail and attach the created test .exe to it. This is as bogus a test as I have seen in a while. Note that most if not all third party e-mail providers will immediately delete any .exe attachments upon receipt of the e-mail by the provider.


  • Administrators

I've tested a vbs script; after extracting it from an archive I attempted to run it and it was indeed blocked.

I assume the best would be to provide you with a logging module in order to be able to determine the reason for your issues easily. Will discuss it with devs tomorrow and let you know.


7 minutes ago, Marcos said:

I've tested a vbs script

PM me the script. I will modify it to make a different hash value. Then upload to file sharing web site.


2 minutes ago, New_Style_xd said:

A registration module would really be great.

I have no clue what you are referring to. Please elaborate more.


  • Administrators
6 minutes ago, itman said:

PM me the script. I will modify it to make a different hash value. Then upload to file sharing web site.

You can download it from https://we.tl/t-kGTJmoyalk

It will be unique on your machine so it should be blocked and submitted.


15 minutes ago, Marcos said:

You can download it from https://we.tl/t-kGTJmoyalk

No detection at all. Not even an upload to LiveGuard.

As such, this means that Eset heuristics is giving it a 100% safe verdict. Note that all real-time settings are set to aggressive.

Viewing the script, I didn't see anything in it that would be of a suspicious nature.

Of note is no SmartScreen alert on this one. This means SS is only monitoring select scripts.


  • Administrators

The script is benign and is not supposed to be detected. However, it should normally be blocked and submitted for analysis when it's downloaded for the first time on a machine. Let's wait for devs to comment on providing you with a logging module tomorrow.


2 minutes ago, Marcos said:

Let's wait for devs to comment on providing you with a logging module tomorrow.

I have seen enough that I am going to re-install ESSP. A while back the HIPS wasn't working properly and there was zip notification from EIS about this. I wouldn't be surprised if LiveGuard is borked in some way.

I will use your script for testing after the ESSP reinstall.


1 hour ago, Marcos said:

You can download it from https://we.tl/t-kGTJmoyalk

It will be unique on your machine so it should be blocked and submitted.

Hello @Marcos

Just tested on my home desktop and it works☺️ Tomorrow I'll test on my office desktop (the one with the "problem" I previously exposed).


@Marcos after reinstalling ESSP, LiveGuard now detects your modified test.vbs file. However, LiveGuard is still not blocking the file. I also ran multiple tests modifying the file each time with the same result.

I also downloaded https://we.tl/t-kGTJmoyalk again after the ESSP reinstall and, as prior to the reinstall, the file was never submitted to LiveGuard.


4 hours ago, itman said:

No detection at all. Not even an upload to LiveGuard.

Can confirm, no detection at all;


  • Administrators
4 hours ago, total said:

Can confirm, no detection at all;

Again, the test script I provided is not supposed to be detected. However, it should be sent to LiveGuard and temporarily blocked upon the first download.


3 hours ago, Marcos said:

Again, the test script I provided is not supposed to be detected. However, it should be sent to LiveGuard and temporarily blocked upon the first download.

Unfortunately, I could click and execute the script (created some text file) without any reaction from ESET


@Marcos, I downloaded a modified test.vbs using Edge instead of Firefox. The result was the same as the previous Firefox downloads. The file was sent to the Eset cloud by LiveGuard, but it was not blocked and no safe verdict was rendered.

I am starting to believe it has something to do with the setting in the screenshot I attached not working right internally. Or, my extending of the default wait time is the culprit.

Will do further testing in this regard.

However, I was previously able to get a .exe download to work properly with these settings.


16 hours ago, Leonardo said:

Hello @Marcos

Just tested on my home desktop and it works☺️ Tomorrow I'll test on my office desktop (the one with the "problem" I previously exposed).

For me it also works at office.


@Marcos , I am also reverting back to my original theory that there is some issue with LiveGuard file access in regards to locking the download on my device.

First, note that these script downloads are only a few hundred bytes in size. As such, the download is almost instantaneous.

Next, the relevant details from my last download test:

Time;Hash;File;Size;Category;Reason;Sent to;User
4/12/2022 9:05:43 AM;DBC9B93FBC82DC9BA1772A0668CAA7CAABFDF68D;https://www114.zippyshare.com/d/Sy0TpgxU/5564/test.vbs;392;Script;Automatic;ESET LiveGuard;xxxxxxxxx

Time;Component;Event;User
4/12/2022 9:05:43 AM;ESET Kernel;File 'test.vbs' was sent to ESET Virus Lab for analysis.;SYSTEM

Let's now analyze this data.

1. The test.vbs file was created in my Downloads folder 2 secs. prior to the LiveGuard upload activity. I assume it took Eset local heuristics this amount of time to complete its analysis processing.

2. 5 secs. after the LiveGuard upload activity, test.vbs shows it was modified. I assume this modification activity was initiated by LiveGuard in an attempt to "lock" the file from access. Something at this point prevented LiveGuard from completing the full file "locking" activity and resultant verdict rendering by the LiveGuard cloud.

Again, I suspect SmartScreen interference here since it will display a Win popup upon any attempted access to the file that it was downloaded from Internet; i.e. Mark-of-the-Web status.

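Both of itman's log-based posts above (the 4/11 gist upload with the Notepad detection, and the 4/12 timeline for test.vbs) reason from three semicolon-delimited ESET log exports. As an added example, not code from the thread or from ESET, here is a Python script that parses those exports, joins the "Sent files" rows to the "Events" rows by quoted object name and time, joins them to the "Detected files" rows by SHA-1, and adds the created/modified deltas itman read from Explorer. The log lines are the ones posted in the thread; the `FS_TIMES` dictionary, the 60-second tolerance and the `assess` wording are constructed assumptions.

```python
import csv
import io
import re
from datetime import datetime
from typing import Dict, List

TS_FMT = "%m/%d/%Y %I:%M:%S %p"   # e.g. 4/12/2022 9:05:43 AM, as ESET exports it


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s.strip(), TS_FMT)


def read_log(text: str) -> List[Dict[str, str]]:
    """ESET's clipboard export of a log view: ';'-separated rows under a header row."""
    return list(csv.DictReader(io.StringIO(text.strip()), delimiter=";"))


def basename(file_ref: str) -> str:
    """Last segment of a local path or URL. For a URL the '?file=...' query is kept,
    because that is how the Events log names the object (see the gist entry)."""
    return re.split(r"[\\/]", file_ref.strip())[-1]


def assess(rec: dict) -> str:
    """Constructed wording: what these two logs can and cannot prove about a file."""
    if rec["detection"]:
        return "local detection by signature: " + rec["detection"]
    if rec["sent_to"] == "ESET LiveGuard" and rec["lab_event"]:
        return ("submitted to LiveGuard; neither log records a block or a verdict, "
                "so blocking must be confirmed by trying to run the file")
    return "sent to " + rec["sent_to"]


def analyze(sent_csv: str, events_csv: str, detected_csv: str,
            fs_times: Dict[str, Dict[str, str]], tolerance_s: int = 60) -> List[dict]:
    """Join Sent files -> Events (by object name and time) and -> Detections (by hash),
    and add the create/modify deltas seen in Explorer when they are supplied."""
    events = read_log(events_csv)
    detections = {d["Hash"].strip().upper(): d for d in read_log(detected_csv)}
    results = []
    for row in read_log(sent_csv):
        name = basename(row["File"])
        t_sent = parse_ts(row["Time"])
        # The Events log carries no hash, so the only join key is the quoted name.
        lab_event = any(
            f"'{name}'" in ev["Event"]
            and "sent to ESET Virus Lab" in ev["Event"]
            and abs((parse_ts(ev["Time"]) - t_sent).total_seconds()) <= tolerance_s
            for ev in events
        )
        det = detections.get(row["Hash"].strip().upper())
        rec = {
            "name": name,
            "hash": row["Hash"],
            "category": row["Category"],
            "sent_to": row["Sent to"],
            "lab_event": lab_event,
            "detection": det["Detection"] if det else None,
        }
        fs = fs_times.get(name)
        if fs:
            rec["created_to_sent_s"] = (t_sent - parse_ts(fs["created"])).total_seconds()
            rec["sent_to_modified_s"] = (parse_ts(fs["modified"]) - t_sent).total_seconds()
        rec["assessment"] = assess(rec)
        results.append(rec)
    return results


# Log excerpts as posted in the thread (user names were already redacted there).
SENT_FILES = """Time;Hash;File;Size;Category;Reason;Sent to;User
4/12/2022 9:05:43 AM;DBC9B93FBC82DC9BA1772A0668CAA7CAABFDF68D;https://www114.zippyshare.com/d/Sy0TpgxU/5564/test.vbs;392;Script;Automatic;ESET LiveGuard;xxxxxxxxx
4/11/2022 9:16:36 AM;2AC6C154FA1000AE10D85D4892B79D13763DAB8A;https://gist.github.com/Alekseyyy/6e3569c5b3dfa5eeee60f9f48af58579.js?file=medium.2021.infosecw.vbscript_fun.reboot.vbs;30092;Script;Automatic;ESET LiveGuard;xxxxxxx
"""

EVENTS = """Time;Component;Event;User
4/12/2022 9:05:43 AM;ESET Kernel;File 'test.vbs' was sent to ESET Virus Lab for analysis.;SYSTEM
4/11/2022 9:16:36 AM;ESET Kernel;File '6e3569c5b3dfa5eeee60f9f48af58579.js?file=medium.2021.infosecw.vbscript_fun.reboot.vbs' was sent to ESET Virus Lab for analysis.;SYSTEM
"""

DETECTED = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/11/2022 9:23:26 AM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\edtdtestfile\Test.vbs;VBS/Agent.DN trojan;cleaned by deleting;xxxxx;Event occurred on a new file created by the application: C:\Windows\System32\notepad.exe (5B80BBB07B1A84384E61FB3F9366CAD97904EBEA).;2482C486EB9F55C9DD98FEFD55B200B169A75DAA; 4/11/2022 9:23:23 AM
"""

# Constructed from the Explorer timestamps described in the post: created 2 s before
# the submission, modified 5 s after it.
FS_TIMES = {"test.vbs": {"created": "4/12/2022 9:05:41 AM",
                         "modified": "4/12/2022 9:05:48 AM"}}

if __name__ == "__main__":
    for rec in analyze(SENT_FILES, EVENTS, DETECTED, FS_TIMES):
        print(rec)
```

Detections are joined by hash rather than by name because the same basename (Test.vbs on 4/11, test.vbs on 4/12) belongs to two unrelated files, and the hash join correctly reports no detection for either LiveGuard submission. The join also makes the gap in the evidence explicit: the "Sent files" and "Events" logs prove only that a submission happened, not whether execution was suspended, which is why a block can only be confirmed by trying to run the file or by the logging build Marcos offers below.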

I am "throwing in the towel" of script testing in regards to LiveGuard.

Using multiple different scripts, LiveGuard always detected and uploaded the scripts but it didn't block any of them on my Win 10 Pro x64 21H2 build. In other words, LiveGrid mode processing was being performed in regards to scripts.

I specifically noted my Win version for a reason. The developer software that I was testing as noted at the start of this thread issue tracked specifically to Win 10 Pro x64 21H2. The developer software uses third party license protector software. Upon his contacting the third party license protector software vendor, it noted that multiple reports were received in regards to Win 10 Pro x64 21H2 installations. The third party license protector software vendor provided a patched version to the developer whose software I was testing and the issue was resolved.

I therefore conclude that there is a strong possibility that this LiveGuard non-blocking of scripts, and I assume other non-.exe suspicious downloads, is related to Win 10 Pro x64 21H2. In any case, LiveGuard protection on my device is not functioning as designed.


Since we are talking about LiveGuard, I want to know what the Sent files log shows on your system when a sample is manually sent from the ESET UI? Does it say, it has been sent to LiveGuard? 


6 minutes ago, SeriousHoax said:

Does it say, it has been sent to LiveGuard? 

Actually, it states it was sent by LiveGuard to Eset VirusLab.

Remember Eset only deploys one cloud entity. The "supposed" difference between LiveGrid and LiveGuard is that files sent via LiveGuard are to be blocked until a cloud verdict is rendered.


  • Administrators
2 minutes ago, itman said:

Remember Eset only deploys one cloud entity. The "supposed" difference between LiveGrid and LiveGuard is that files sent via LiveGuard are to be blocked until a cloud verdict is rendered.

This doesn't concern manually submitted files.

As for the problem with scripts not being blocked, we will do our best to prepare a logging version for you tomorrow. The log should shed more light on what's going on there and also provide information as to why scripts are not blocked.


This topic is now closed to further replies.