More LiveGuard Concerns

[itman 1,659]

3 minutes ago, itman said:

Actually, it states it was sent by LiveGuard to Eset VirusLab

I just dawned on me that what I posted above clearly shows LiveGrid processing is being performed.

LiveGuard is a two step process. First, submission is made to Eset cloud for analysis. If that analysis is inconclusive, then an additional upload is performed to Eset VirusLab.

[SeriousHoax 83]

2 minutes ago, itman said:

Actually, it states it was sent by LiveGuard to Eset VirusLab.

Remember Eset only deploy one cloud entity. The "supposed" difference between LiveGrid and LiveGuard is files that sent via LiveGuard are to be blocked until cloud verdict is rendered.

So does it mean the files are sent to malware analyst for manual analysis? 

Recently, I had the chance to test ESET Protect Cloud with EDTD. In this case, manually submitted files are sent to the cloud sandbox and a verdict is given a few minutes later, which can be seen in the web console. 

But as we know, any sandbox is not perfect and will miss malware that would only be possible to detect once a human analyst analyze it. So, I wanted to know if this manually submitted files reach the analyst or not? Or should we use the submit(@)eset email to make the sample reach an analyst? 

@Marcoscan you clarify this? 

[Marcos 5,070]

If you want to have a sample analyzed, please send it by email to samples[at]eset.com in an archive encrypted with the password "infected". Files that are sent to LiveGrid go to the ticketing system, however, since most the submitted files is junk and appropriate files (exe/dll, scripts ...) make up maybe less than 1% of the submissions, it's better to submit them by email as instructed above.

[itman 1,659]

1 hour ago, Marcos said:

This doesn't concern manually submitted files.

As for the problem with scripts not being blocked, we will do our best to prepare a logging version for you tomorrow. The log should shed more light into what's going on there and provide also information as to why scripts are not blocked.

That really isn't necessary.

I've seen enough to conclude LiveGuard processing in regards to non-executables will only be initiated where code exists for potential malware behavior. That is the code has been previously detected performing both benign and malicious activities. The only way to determine the status in this instance is to actually run the code in a full sandbox environment. Hence, the upload to LiveGuard.

[Marcos 5,070]

23 minutes ago, itman said:

I've seen enough to conclude LiveGuard processing in regards to non-executables will only be initiated where code exists for potential malware behavior.

Not true. For instance, the script that I provided above doesn't perform anything malicious, yet it was submitted to LiveGuard for analysis and was temporarily blocked.

[itman 1,659]

Since I realize many are following this thread, I will post an update on LiveGuard script processing.

After a long and arduous off-forum session with @Marcos, the following has been resolved. LiveGuard will not process suspicious scripts until actual execution of the script is performed. Again when a script is downloaded, LiveGuard will not be invoked.

Additionally when the script is being processed by LiveGuard, script access is "locked" but this status will not be shown via Win Explorer Content Menu examination.

[SeriousHoax 83]

59 minutes ago, itman said:

Since I realize many are following this thread, I will post an update on LiveGuard script processing.

After a long and arduous off-forum session with @Marcos, the following has been resolved. LiveGuard will not process suspicious scripts until actual execution of the script is performed. Again when a script is downloaded, LiveGuard will not be invoked.

Additionally when the script is being processed by LiveGuard, script access is "locked" but this status will not be shown via Win Explorer Content Menu examination.

Looks like bugs that need to fixed by ESET.

 

On 4/13/2022 at 10:59 PM, Marcos said:

If you want to have a sample analyzed, please send it by email to samples[at]eset.com in an archive encrypted with the password "infected". Files that are sent to LiveGrid go to the ticketing system, however, since most the submitted files is junk and appropriate files (exe/dll, scripts ...) make up maybe less than 1% of the submissions, it's better to submit them by email as instructed above.

But the problem is, ESET has become worse at reacting to user submission. I used to get replies for all my submission back in 2020 and ESET used to add signatures within a few hours, but later that had stopped. No reply and no signature added. Checked my email history and turns out the last time I submitted samples via email was in April 2021. I stopped out of frustration. I even had to share samples to you a couple of times via private message due to this behavior. Recently found another member from another forum who also had this issue with ESET not responding to his submissions. 

Since ESET is a highly signature oriented product, user submissions should not be ignored. Three of your competitors Avast, Bitdefender, Kaspersky are reactive to user submission, specially the first two.

[Marcos 5,070]

1 hour ago, SeriousHoax said:

Looks like bugs that need to fixed by ESET.

What bugs are you referring to? We are not aware of any. Without providing more details we cannot comment on it.

1 hour ago, SeriousHoax said:

But the problem is, ESET has become worse at reacting to user submission.

I've found some submissions from your email address, however, none had a sample attached. Basically we do not process submissions without samples. I suggest that you compress a suspicious file to an archive encrypted with the password "infected" and submit it to samples[at]eset.com, I'm sure that if the sample is relevant and malicious, the detection will be added in minutes or a few hours at maximum. Submit just one sample per email unless you have more samples that are related to each other (e.g. a dropper and the payload). Will keep an eye on your submissions to make sure they are processed as expected.

Looking at submissions from a user who regularly submits files attached to the email, 99,99% of his submissions were processed and replied so it is not true that submissions are not processed at all.

[SeriousHoax 83]

38 minutes ago, Marcos said:

What bugs are you referring to? We are not aware of any. Without providing more details we cannot comment on it.

What itman said about your discussion about LiveGuard make it seem like this behavior of LiveGuard is a bug. Or did I misunderstand! 

 

39 minutes ago, Marcos said:

What bugs are you referring to? We are not aware of any. Without providing more details we cannot comment on it.

I've found some submissions from your email address, however, none had a sample attached. Basically we do not process submissions without samples. I suggest that you compress a suspicious file to an archive encrypted with the password "infected" and submit it to samples[at]eset.com, I'm sure that if the sample is relevant and malicious, the detection will be added in minutes or a few hours at maximum. Submit just one sample per email unless you have more samples that are related to each other (e.g. a dropper and the payload). Will keep an eye on your submissions to make sure they are processed as expected.

Looking at submissions from a user who regularly submits files attached to the email, 99,99% of his submissions were processed and replied so it is not true that submissions are not processed at all.

Thanks for the clarification, but some email providers like gmail don't often let you attach a zip file. So it becomes a problem. I submitted a sample today, which could be malicious since it's detected by some popular vendors, but the size of the zip is above 20 MB. Outlook's maximum size limit is 20 MB. So I was not able to attach it and instead uploaded it to a third party file sharing site and shared the link in my email. What can I do in this situation? 

[itman 1,659]

55 minutes ago, SeriousHoax said:

What itman said about your discussion about LiveGuard make it seem like this behavior of LiveGuard is a bug. Or did I misunderstand! 

No bugs as to LiveGuard expected processing of scripts. My recent posting in that regard just clarified how LiveGuard script processing works.

[Leonardo 11]

5 hours ago, itman said:

Since I realize many are following this thread, I will post an update on LiveGuard script processing.

After a long and arduous off-forum session with @Marcos, the following has been resolved. LiveGuard will not process suspicious scripts until actual execution of the script is performed. Again when a script is downloaded, LiveGuard will not be invoked.

Additionally when the script is being processed by LiveGuard, script access is "locked" but this status will not be shown via Win Explorer Content Menu examination.

@itman

Thank you very much for your works and the explanations you give at other ESET users 👍

[Leonardo 11]

On 4/11/2022 at 12:03 PM, Leonardo said:

Hello @Marcos

As you asked, I have attached ESET Log Collector logs.

essp_logs.zip 50.62 MB · 1 download

@Marcos

I know that you are very busy but did you have yet watched my essp_logs ?

[Marcos 5,070]

15 hours ago, SeriousHoax said:

Thanks for the clarification, but some email providers like gmail don't often let you attach a zip file. So it becomes a problem. I submitted a sample today, which could be malicious since it's detected by some popular vendors, but the size of the zip is above 20 MB. Outlook's maximum size limit is 20 MB. So I was not able to attach it and instead uploaded it to a third party file sharing site and shared the link in my email. What can I do in this situation? 

A detection for your sample was added yesterday. You can also submit samples via the built-in form, but I'd recommend not to submit anonymously. For some reason a lot of users submit anonymously without entering the email address, yet they expect us to reply.

[Marcos 5,070]

12 hours ago, Leonardo said:

@Marcos

I know that you are very busy but did you have yet watched my essp_logs ?

Unfortunately it's not clear to me what the problem is and what I should check in the ELC logs. Please elaborate more on the issue.

[Leonardo 11]

On 4/12/2022 at 3:58 PM, Leonardo said:

@Marcos

But still the same problem; the event appears in "events" logfiles but not in "sent files" logfiles.

Hello @Marcos

Thank you for your interest in my problem.

Are these explanations enough ?

[itman 1,659]

On 4/16/2022 at 4:21 PM, Leonardo said:

But still the same problem; the event appears in "events" logfiles but not in "sent files" logfiles.

Verify that Log files minimum verbosity level is set to "Informative" per below screen shot;

[Leonardo 11]

23 hours ago, itman said:

Verify that Log files minimum verbosity level is set to "Informative" per below screen shot;

Thanks @itman

Yes I'm on default settings for log files.

 

[itman 1,659]

On 4/17/2022 at 4:26 PM, itman said:

But still the same problem; the event appears in "events" logfiles but not in "sent files" logfiles.

I suspect you are seeing a LiveGrid submission. Malicious files detected locally are sent to LiveGrid only.

Or if the file/code hasn't changed since a previous submission to LiveGuard, the Event log entry just reflects the file was scanned locally but not actually submitted to LiveGuard.

 

Edited April 18, 2022 by itman

[Marcos 5,070]

If you are able to reproduce the situation when files are temporarily blocked by LiveGuard but are not listed in the Sent files log, I could provide you with a logging module to get more info about what's going on.

[Leonardo 11]

18 minutes ago, Marcos said:

If you are able to reproduce the situation when files are temporarily blocked by LiveGuard but are not listed in the Sent files log, I could provide you with a logging module to get more info about what's going on.

Thanks @Marcos

At the momen I'm in vacation but I will try next week with BAFS test https://demo.wd.microsoft.com/Page/BAFS

[AnthonyQ 48]

On 4/16/2022 at 1:26 AM, Marcos said:

What bugs are you referring to? We are not aware of any. Without providing more details we cannot comment on it.

I've found some submissions from your email address, however, none had a sample attached. Basically we do not process submissions without samples. I suggest that you compress a suspicious file to an archive encrypted with the password "infected" and submit it to samples[at]eset.com, I'm sure that if the sample is relevant and malicious, the detection will be added in minutes or a few hours at maximum. Submit just one sample per email unless you have more samples that are related to each other (e.g. a dropper and the payload). Will keep an eye on your submissions to make sure they are processed as expected.

Looking at submissions from a user who regularly submits files attached to the email, 99,99% of his submissions were processed and replied so it is not true that submissions are not processed at all.

Hello, I also want to report an issue with sample submission. I've sent ~15 emails to the Lab in the last three days and have received only three responses. I'm not sure if the analysts have analyzed my submissions because ESET has yet to detect the following samples:

https://www.virustotal.com/gui/file/f0a81420bfcdcd05a469db022b27547d40547aa31e948b85c7f708399b428899 - Rootkit

https://www.virustotal.com/gui/file/45fbcd97f558df487706a5efee45fcd56a53d6d0225c4da2b3f5e07f44d6573c - VBS downloader

https://www.virustotal.com/gui/file/75018e6f3a5865e8358940c3f4567f7c3c20fa54044fae637608c23d5881ce0e - Android locker, the current Potential Unsafe detection is not enough

https://www.virustotal.com/gui/file/7a9aa63df3c8cd1c978b0e139f76d46b3ca37a167973ca072a4189ea3c012132 - Rootkit trojan, the current PUA detection is not enough

... and more 

Thanks in advance.

[Marcos 5,070]

51 minutes ago, AnthonyQ said:

https://www.virustotal.com/gui/file/f0a81420bfcdcd05a469db022b27547d40547aa31e948b85c7f708399b428899 - Rootkit

Corrupted, not subject to detection.

51 minutes ago, AnthonyQ said:

https://www.virustotal.com/gui/file/45fbcd97f558df487706a5efee45fcd56a53d6d0225c4da2b3f5e07f44d6573c - VBS downloader

Already detected:

45fbcd97f558df487706a5efee45fcd56a53d6d0225c4da2b3f5e07f44d6573c.vbs - VBS/TrojanDownloader.Agent.XAN trojan

Please don't mix different topics. This one is about specific issues with LiveGuard and not about detection of specific samples.

[itman 1,659]

9 hours ago, Leonardo said:

At the momen I'm in vacation but I will try next week with BAFS test https://demo.wd.microsoft.com/Page/BAFS

I'll save you some work.

For those not familiar with this download test, it is to test Microsoft Defender "block-at-first-sight" of a file download with subsequent upload and analysis by the Microsoft cloud.

Upon file download by Firefox, Eset LiveGuard detected it and submitted it to the Eset cloud:

Time;Component;Event;User
4/19/2022 9:12:55 AM;ESET Kernel;File 'Sj2-Kz7u.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM

Time;Hash;File;Size;Category;Reason;Sent to;User
4/19/2022 9:12:55 AM;09C513ABE0F1B48029E8EBE288EBE530DEE8E5FE;C:\Users\xxxxxx\Downloads\Sj2-Kz7u.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxxx

Since this download was an executable, Eset blocked file access upon file creation until Eset cloud scanning was completed:

Blocked file access was further confirmed when I tried to access the file while Eset cloud analysis was underway:

Time;Component;Event;User
4/19/2022 9:16:14 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxxx

Upon completion of Eset cloud scanning, a safe verdict was rendered by LiveGuard and access to the file was unlocked:

Time;Component;Event;User
4/19/2022 9:17:49 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxxxxx

Pertaining to Eset log entries created in this transaction, all were Event log entries except for one Sent log entry.

-EDIT- I forgot to mention that although 29 vendors at VirusTotal detect this file malicious, Kaspersky's detection is the most accurate, "Not-a-virus:HEUR:RiskTool.Win32.TestFile.gen."

When the file is created by the Microsoft download site, it in turn creates a sig. for it only used by the MD cloud. In other words, this is a MD "block-at-first-sight" functionality test only. This is further confirmed by the file not being detected by Microsoft at VirusTotal.

Edited April 19, 2022 by itman

[Leonardo 11]

6 hours ago, itman said:

I'll save you some work.

For those not familiar with this download test, it is to test Microsoft Defender "block-at-first-sight" of a file download with subsequent upload and analysis by the Microsoft cloud.

Upon file download by Firefox, Eset LiveGuard detected it and submitted it to the Eset cloud:

Time;Component;Event;User
4/19/2022 9:12:55 AM;ESET Kernel;File 'Sj2-Kz7u.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM

Time;Hash;File;Size;Category;Reason;Sent to;User
4/19/2022 9:12:55 AM;09C513ABE0F1B48029E8EBE288EBE530DEE8E5FE;C:\Users\xxxxxx\Downloads\Sj2-Kz7u.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxxx

Since this download was an executable, Eset blocked file access upon file creation until Eset cloud scanning was completed:

Blocked file access was further confirmed when I tried to access the file while Eset cloud analysis was underway:

Time;Component;Event;User
4/19/2022 9:16:14 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxxx

Upon completion of Eset cloud scanning, a safe verdict was rendered by LiveGuard and access to the file was unlocked:

Time;Component;Event;User
4/19/2022 9:17:49 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxxxxx

Pertaining to Eset log entries created in this transaction, all were Event log entries except for one Sent log entry.

-EDIT- I forgot to mention that although 29 vendors at VirusTotal detect this file malicious, Kaspersky's detection is the most accurate, "Not-a-virus:HEUR:RiskTool.Win32.TestFile.gen."

When the file is created by the Microsoft download site, it in turn creates a sig. for it only used by the MD cloud. In other words, this is a MD "block-at-first-sight" functionality test only. This is further confirmed by the file not being detected by Microsoft at VirusTotal.

Thanks @itman for your help.

But It is not normal that the event did not appear on "files sent" logs on my ESSP. Is my remark right ?

[itman 1,659]

44 minutes ago, Leonardo said:

But It is not normal that the event did not appear on "files sent" logs on my ESSP. Is my remark right ?

It's impossible to determine what went on from your posted logs screen shot since the dates are different.

Best to test using BAFS when you get back in town and then compare your results with my posted one. When you do retest, make sure you log on to MS BAFS web site and download a new wdtestfile.exe to test with.

Edited April 19, 2022 by itman