Jump to content

More LiveGuard Concerns


Recommended Posts

3 minutes ago, itman said:

Actually, it states it was sent by LiveGuard to Eset VirusLab

I just dawned on me that what I posted above clearly shows LiveGrid processing is being performed.

LiveGuard is a two step process. First, submission is made to Eset cloud for analysis. If that analysis is inconclusive, then an additional upload is performed to Eset VirusLab.

Link to comment
Share on other sites

2 minutes ago, itman said:

Actually, it states it was sent by LiveGuard to Eset VirusLab.

Remember Eset only deploy one cloud entity. The "supposed" difference between LiveGrid and LiveGuard is files that sent via LiveGuard are to be blocked until cloud verdict is rendered.

So does it mean the files are sent to malware analyst for manual analysis? 

Recently, I had the chance to test ESET Protect Cloud with EDTD. In this case, manually submitted files are sent to the cloud sandbox and a verdict is given a few minutes later, which can be seen in the web console. 

But as we know, any sandbox is not perfect and will miss malware that would only be possible to detect once a human analyst analyze it. So, I wanted to know if this manually submitted files reach the analyst or not? Or should we use the submit(@)eset email to make the sample reach an analyst? 

@Marcoscan you clarify this? 

Link to comment
Share on other sites

  • Administrators

If you want to have a sample analyzed, please send it by email to samples[at]eset.com in an archive encrypted with the password "infected". Files that are sent to LiveGrid go to the ticketing system, however, since most the submitted files is junk and appropriate files (exe/dll, scripts ...) make up maybe less than 1% of the submissions, it's better to submit them by email as instructed above.

Link to comment
Share on other sites

1 hour ago, Marcos said:

This doesn't concern manually submitted files.

As for the problem with scripts not being blocked, we will do our best to prepare a logging version for you tomorrow. The log should shed more light into what's going on there and provide also information as to why scripts are not blocked.

That really isn't necessary.

I've seen enough to conclude LiveGuard processing in regards to non-executables will only be initiated where code exists for potential malware behavior. That is the code has been previously detected performing both benign and malicious activities. The only way to determine the status in this instance is to actually run the code in a full sandbox environment. Hence, the upload to LiveGuard.

Link to comment
Share on other sites

  • Administrators
23 minutes ago, itman said:

I've seen enough to conclude LiveGuard processing in regards to non-executables will only be initiated where code exists for potential malware behavior.

Not true. For instance, the script that I provided above doesn't perform anything malicious, yet it was submitted to LiveGuard for analysis and was temporarily blocked.

Link to comment
Share on other sites

Since I realize many are following this thread, I will post an update on LiveGuard script processing.

After a long and arduous off-forum session with @Marcos, the following has been resolved. LiveGuard will not process suspicious scripts until actual execution of the script is performed. Again when a script is downloaded, LiveGuard will not be invoked.

Additionally when the script is being processed by LiveGuard, script access is "locked" but this status will not be shown via Win Explorer Content Menu examination.

Link to comment
Share on other sites

59 minutes ago, itman said:

Since I realize many are following this thread, I will post an update on LiveGuard script processing.

After a long and arduous off-forum session with @Marcos, the following has been resolved. LiveGuard will not process suspicious scripts until actual execution of the script is performed. Again when a script is downloaded, LiveGuard will not be invoked.

Additionally when the script is being processed by LiveGuard, script access is "locked" but this status will not be shown via Win Explorer Content Menu examination.

Looks like bugs that need to fixed by ESET.

 

On 4/13/2022 at 10:59 PM, Marcos said:

If you want to have a sample analyzed, please send it by email to samples[at]eset.com in an archive encrypted with the password "infected". Files that are sent to LiveGrid go to the ticketing system, however, since most the submitted files is junk and appropriate files (exe/dll, scripts ...) make up maybe less than 1% of the submissions, it's better to submit them by email as instructed above.

But the problem is, ESET has become worse at reacting to user submission. I used to get replies for all my submission back in 2020 and ESET used to add signatures within a few hours, but later that had stopped. No reply and no signature added. Checked my email history and turns out the last time I submitted samples via email was in April 2021. I stopped out of frustration. I even had to share samples to you a couple of times via private message due to this behavior. Recently found another member from another forum who also had this issue with ESET not responding to his submissions. 

Since ESET is a highly signature oriented product, user submissions should not be ignored. Three of your competitors Avast, Bitdefender, Kaspersky are reactive to user submission, specially the first two.

Link to comment
Share on other sites

  • Administrators
1 hour ago, SeriousHoax said:

Looks like bugs that need to fixed by ESET.

What bugs are you referring to? We are not aware of any. Without providing more details we cannot comment on it.

1 hour ago, SeriousHoax said:

But the problem is, ESET has become worse at reacting to user submission.

I've found some submissions from your email address, however, none had a sample attached. Basically we do not process submissions without samples. I suggest that you compress a suspicious file to an archive encrypted with the password "infected" and submit it to samples[at]eset.com, I'm sure that if the sample is relevant and malicious, the detection will be added in minutes or a few hours at maximum. Submit just one sample per email unless you have more samples that are related to each other (e.g. a dropper and the payload). Will keep an eye on your submissions to make sure they are processed as expected.

Looking at submissions from a user who regularly submits files attached to the email, 99,99% of his submissions were processed and replied so it is not true that submissions are not processed at all.

Link to comment
Share on other sites

38 minutes ago, Marcos said:

What bugs are you referring to? We are not aware of any. Without providing more details we cannot comment on it.

What itman said about your discussion about LiveGuard make it seem like this behavior of LiveGuard is a bug. Or did I misunderstand! 

 

39 minutes ago, Marcos said:

What bugs are you referring to? We are not aware of any. Without providing more details we cannot comment on it.

I've found some submissions from your email address, however, none had a sample attached. Basically we do not process submissions without samples. I suggest that you compress a suspicious file to an archive encrypted with the password "infected" and submit it to samples[at]eset.com, I'm sure that if the sample is relevant and malicious, the detection will be added in minutes or a few hours at maximum. Submit just one sample per email unless you have more samples that are related to each other (e.g. a dropper and the payload). Will keep an eye on your submissions to make sure they are processed as expected.

Looking at submissions from a user who regularly submits files attached to the email, 99,99% of his submissions were processed and replied so it is not true that submissions are not processed at all.

Thanks for the clarification, but some email providers like gmail don't often let you attach a zip file. So it becomes a problem. I submitted a sample today, which could be malicious since it's detected by some popular vendors, but the size of the zip is above 20 MB. Outlook's maximum size limit is 20 MB. So I was not able to attach it and instead uploaded it to a third party file sharing site and shared the link in my email. What can I do in this situation? 

Link to comment
Share on other sites

55 minutes ago, SeriousHoax said:

What itman said about your discussion about LiveGuard make it seem like this behavior of LiveGuard is a bug. Or did I misunderstand! 

No bugs as to LiveGuard expected processing of scripts. My recent posting in that regard just clarified how LiveGuard script processing works.

Link to comment
Share on other sites

5 hours ago, itman said:

Since I realize many are following this thread, I will post an update on LiveGuard script processing.

After a long and arduous off-forum session with @Marcos, the following has been resolved. LiveGuard will not process suspicious scripts until actual execution of the script is performed. Again when a script is downloaded, LiveGuard will not be invoked.

Additionally when the script is being processed by LiveGuard, script access is "locked" but this status will not be shown via Win Explorer Content Menu examination.

@itman

Thank you very much for your works and the explanations you give at other ESET users 👍

Link to comment
Share on other sites

  • Administrators
15 hours ago, SeriousHoax said:

Thanks for the clarification, but some email providers like gmail don't often let you attach a zip file. So it becomes a problem. I submitted a sample today, which could be malicious since it's detected by some popular vendors, but the size of the zip is above 20 MB. Outlook's maximum size limit is 20 MB. So I was not able to attach it and instead uploaded it to a third party file sharing site and shared the link in my email. What can I do in this situation? 

A detection for your sample was added yesterday. You can also submit samples via the built-in form, but I'd recommend not to submit anonymously. For some reason a lot of users submit anonymously without entering the email address, yet they expect us to reply.

Link to comment
Share on other sites

  • Administrators
12 hours ago, Leonardo said:

@Marcos

I know that you are very busy but did you have yet watched my essp_logs ?

Unfortunately it's not clear to me what the problem is and what I should check in the ELC logs. Please elaborate more on the issue.

Link to comment
Share on other sites

On 4/16/2022 at 4:21 PM, Leonardo said:

But still the same problem; the event appears in "events" logfiles but not in "sent files" logfiles.

Verify that Log files minimum verbosity level is set to "Informative" per below screen shot;

Eset_Logs.thumb.png.b45326655c82d6cec295e15fbda15ed5.png

Link to comment
Share on other sites

23 hours ago, itman said:

Verify that Log files minimum verbosity level is set to "Informative" per below screen shot;

Eset_Logs.thumb.png.b45326655c82d6cec295e15fbda15ed5.png

Thanks @itman

Yes I'm on default settings for log files.

 

1.PNG

Link to comment
Share on other sites

Posted (edited)
On 4/17/2022 at 4:26 PM, itman said:

But still the same problem; the event appears in "events" logfiles but not in "sent files" logfiles.

I suspect you are seeing a LiveGrid submission. Malicious files detected locally are sent to LiveGrid only.

Or if the file/code hasn't changed since a previous submission to LiveGuard, the Event log entry just reflects the file was scanned locally but not actually submitted to LiveGuard.

 

Edited by itman
Link to comment
Share on other sites

  • Administrators

If you are able to reproduce the situation when files are temporarily blocked by LiveGuard but are not listed in the Sent files log, I could provide you with a logging module to get more info about what's going on.

Link to comment
Share on other sites

18 minutes ago, Marcos said:

If you are able to reproduce the situation when files are temporarily blocked by LiveGuard but are not listed in the Sent files log, I could provide you with a logging module to get more info about what's going on.

Thanks @Marcos

At the momen I'm in vacation but I will try next week with BAFS test https://demo.wd.microsoft.com/Page/BAFS

Link to comment
Share on other sites

On 4/16/2022 at 1:26 AM, Marcos said:

What bugs are you referring to? We are not aware of any. Without providing more details we cannot comment on it.

I've found some submissions from your email address, however, none had a sample attached. Basically we do not process submissions without samples. I suggest that you compress a suspicious file to an archive encrypted with the password "infected" and submit it to samples[at]eset.com, I'm sure that if the sample is relevant and malicious, the detection will be added in minutes or a few hours at maximum. Submit just one sample per email unless you have more samples that are related to each other (e.g. a dropper and the payload). Will keep an eye on your submissions to make sure they are processed as expected.

Looking at submissions from a user who regularly submits files attached to the email, 99,99% of his submissions were processed and replied so it is not true that submissions are not processed at all.

Hello, I also want to report an issue with sample submission. I've sent ~15 emails to the Lab in the last three days and have received only three responses. I'm not sure if the analysts have analyzed my submissions because ESET has yet to detect the following samples:

https://www.virustotal.com/gui/file/f0a81420bfcdcd05a469db022b27547d40547aa31e948b85c7f708399b428899 - Rootkit

https://www.virustotal.com/gui/file/45fbcd97f558df487706a5efee45fcd56a53d6d0225c4da2b3f5e07f44d6573c - VBS downloader

https://www.virustotal.com/gui/file/75018e6f3a5865e8358940c3f4567f7c3c20fa54044fae637608c23d5881ce0e - Android locker, the current Potential Unsafe detection is not enough

https://www.virustotal.com/gui/file/7a9aa63df3c8cd1c978b0e139f76d46b3ca37a167973ca072a4189ea3c012132 - Rootkit trojan, the current PUA detection is not enough

... and more 

Thanks in advance.

Link to comment
Share on other sites

  • Administrators
51 minutes ago, AnthonyQ said:

Corrupted, not subject to detection.

51 minutes ago, AnthonyQ said:

Already detected:

45fbcd97f558df487706a5efee45fcd56a53d6d0225c4da2b3f5e07f44d6573c.vbs - VBS/TrojanDownloader.Agent.XAN trojan

Please don't mix different topics. This one is about specific issues with LiveGuard and not about detection of specific samples.

Link to comment
Share on other sites

Posted (edited)
9 hours ago, Leonardo said:

At the momen I'm in vacation but I will try next week with BAFS test https://demo.wd.microsoft.com/Page/BAFS

I'll save you some work.

For those not familiar with this download test, it is to test Microsoft Defender "block-at-first-sight" of a file download with subsequent upload and analysis by the Microsoft cloud.

Upon file download by Firefox, Eset LiveGuard detected it and submitted it to the Eset cloud:

Time;Component;Event;User
4/19/2022 9:12:55 AM;ESET Kernel;File 'Sj2-Kz7u.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM

Time;Hash;File;Size;Category;Reason;Sent to;User
4/19/2022 9:12:55 AM;09C513ABE0F1B48029E8EBE288EBE530DEE8E5FE;C:\Users\xxxxxx\Downloads\Sj2-Kz7u.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxxx

Since this download was an executable, Eset blocked file access upon file creation until Eset cloud scanning was completed:

WD_Test.thumb.png.cfb69c679badcf964d07633cd680bc09.png

Blocked file access was further confirmed when I tried to access the file while Eset cloud analysis was underway:

Time;Component;Event;User
4/19/2022 9:16:14 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxxx

Upon completion of Eset cloud scanning, a safe verdict was rendered by LiveGuard and access to the file was unlocked:

Time;Component;Event;User
4/19/2022 9:17:49 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxxxxx

WD_Test-2.thumb.png.2f0f49cc2dea2767e7d294b7d394047d.png

Pertaining to Eset log entries created in this transaction, all were Event log entries except for one Sent log entry.

-EDIT- I forgot to mention that although 29 vendors at VirusTotal detect this file malicious, Kaspersky's detection is the most accurate, "Not-a-virus:HEUR:RiskTool.Win32.TestFile.gen."

When the file is created by the Microsoft download site, it in turn creates a sig. for it only used by the MD cloud. In other words, this is a MD "block-at-first-sight" functionality test only. This is further confirmed by the file not being detected by Microsoft at VirusTotal.

Edited by itman
Link to comment
Share on other sites

6 hours ago, itman said:

I'll save you some work.

For those not familiar with this download test, it is to test Microsoft Defender "block-at-first-sight" of a file download with subsequent upload and analysis by the Microsoft cloud.

Upon file download by Firefox, Eset LiveGuard detected it and submitted it to the Eset cloud:

Time;Component;Event;User
4/19/2022 9:12:55 AM;ESET Kernel;File 'Sj2-Kz7u.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM

Time;Hash;File;Size;Category;Reason;Sent to;User
4/19/2022 9:12:55 AM;09C513ABE0F1B48029E8EBE288EBE530DEE8E5FE;C:\Users\xxxxxx\Downloads\Sj2-Kz7u.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxxx

Since this download was an executable, Eset blocked file access upon file creation until Eset cloud scanning was completed:

WD_Test.thumb.png.cfb69c679badcf964d07633cd680bc09.png

Blocked file access was further confirmed when I tried to access the file while Eset cloud analysis was underway:

Time;Component;Event;User
4/19/2022 9:16:14 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxxx

Upon completion of Eset cloud scanning, a safe verdict was rendered by LiveGuard and access to the file was unlocked:

Time;Component;Event;User
4/19/2022 9:17:49 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxxxxx

WD_Test-2.thumb.png.2f0f49cc2dea2767e7d294b7d394047d.png

Pertaining to Eset log entries created in this transaction, all were Event log entries except for one Sent log entry.

-EDIT- I forgot to mention that although 29 vendors at VirusTotal detect this file malicious, Kaspersky's detection is the most accurate, "Not-a-virus:HEUR:RiskTool.Win32.TestFile.gen."

When the file is created by the Microsoft download site, it in turn creates a sig. for it only used by the MD cloud. In other words, this is a MD "block-at-first-sight" functionality test only. This is further confirmed by the file not being detected by Microsoft at VirusTotal.

Thanks @itman for your help.

But It is not normal that the event did not appear on "files sent" logs on my ESSP. Is my remark right ?

Link to comment
Share on other sites

Posted (edited)
44 minutes ago, Leonardo said:

But It is not normal that the event did not appear on "files sent" logs on my ESSP. Is my remark right ?

It's impossible to determine what went on from your posted logs screen shot since the dates are different.

Best to test using BAFS when you get back in town and then compare your results with my posted one. When you do retest, make sure you log on to MS BAFS web site and download a new wdtestfile.exe to test with.

Edited by itman
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...