More LiveGuard Concerns


9 minutes ago, itman said:

It's impossible to determine what went on from your posted logs screen shot since the dates are different.

Best to test using BAFS when you get back in town and then compare your results with my posted one. When you do retest, make sure you log on to MS BAFS web site and download a new wdtestfile.exe to test with.

Thanks @itman

I'll do this and let you know.


Posted (edited)

Well, I am now feeling a lot better about LiveGuard detection of malicious scripts upon download. I found a "real doozy" of a PowerShell script that I embedded in a .bat script.

First, a bit of detail on this attack method:

Quote

Open Reverse Shell via C# on-the-fly compiling with Microsoft.Workflow.Compiler.exe

Passing over and looking deeper I found different articles that talk about arbitrary, unsigned code execution in Microsoft.Workflow.Compiler.exe. Here are the articles: 1, 2, 3.

As a result of these articles I thought … why not use this technique to open my reverse shell written in C#?

In short, the articles talk about how to abuse the Microsoft.Workflow.Compiler.exe service in order to compile C# code on-the-fly.

Open Reverse Shell via PowerShell & C# live compiling

At this point I thought … what could be the next step to evolve this attack to something more usable in a red team or in a real attack?

Easy… to give Microsoft.Workflow.Compiler.exe the files to compile, why not use PowerShell? …and here we are:

[Screenshot: PowerShell_Shell.png]

With this command the PS will download the two files described above and save them on the file system. Immediately afterwards it will abuse Microsoft.Workflow.Compiler.exe to compile the C# code live and open the reverse shell.

https://bank-security.medium.com/undetectable-c-c-reverse-shells-fab4c0ec4f15

The first revelation to many, I assume, is that PowerShell can be used to create a C# executable on-the-fly using a Windows-trusted, built-in .NET compiler and then dynamically execute it.

Anyway, LiveGuard caught the script on download and submitted it to the Eset cloud for analysis, with a subsequent verdict rendered, so I am happy.

I am still pondering the safe verdict though ................

Edited by itman

Could someone tell me why, when I download *.exe files that are unknown to LiveGuard, the notification that the file is being sent to ESET servers and asks me to wait a few minutes does not appear?
This information never appeared again.


  • Administrators
59 minutes ago, New_Style_xd said:

Could someone tell me why, when I download *.exe files that are unknown to LiveGuard, the notification that the file is being sent to ESET servers and asks me to wait a few minutes does not appear?
This information never appeared again.

A notification would appear if you attempted to run a file which is temporarily blocked by LiveGuard while waiting for a verdict.


Posted (edited)
1 hour ago, New_Style_xd said:

Could someone tell me why, when I download *.exe files that are unknown to LiveGuard, the notification that the file is being sent to ESET servers does not appear

Make sure the following setting per the screenshot below is enabled. Otherwise, you will not receive any Eset popup notification that a file has been sent to the cloud for analysis.

[Screenshot: Eset_Notifications.png]

Edited by itman

4 hours ago, itman said:

Make sure the following setting per the screenshot below is enabled. Otherwise, you will not receive any Eset popup notification that a file has been sent to the cloud for analysis.

[Screenshot: Eset_Notifications.png]

Thank you, I activated them all as shown in the images.


Posted (edited)
3 hours ago, Marcos said:

It appears that LiveGuard helped a lot to receive 100% L1 detection in this test: https://avlab.pl/en/recent-results/

Glad to see that Eset has joined the AVLab test series. Since they are not an AMTSO member, they are not constrained by its testing methodology. As such, they can be more "creative" in their testing of malware.

There does appear to be some confusion as to what the various test levels, L1 to L3, mean. So let's review those:

Quote

Notice the Level 3 of analysis because it shows real protection against 0-day samples. But beware! Certain antiviruses of the next generation intentionally do not have protection in a browser (Level 1). Sometimes they do not have traditional protection based on signatures (Level 1 and Level 2), so without proper interpretation, such tests could favor other protection solutions. Not ours!

The so-called Level 1 shows early blocking of threats in a browser or on a hard drive.

If this fails, the next is Level 2: a virus is scanned by the antivirus based on signatures when moving from X to Y folder. Obviously, only if such protection exists. In this test, there are many test cases when samples have not been tested by developers yet, so the next level of analysis is crucial.

Level 3 represents modern protection without any signatures. In such cases, a virus is run in the operating system. It is the most dangerous situation but needed because it shows the true effectiveness of protection against 0-day files – a threat unknown to a developer of protection software.

https://avlab.pl/en/modern-protection-without-signatures-comparison-test-on-real-threats/

To sum up the above, Level 3 ranking means malware detection based on behavior methods only. Also, behavior based detection implies that some system modification activities may have occurred prior to detection. Level 1 detection obviously offers the most system protection. However, almost all in the security industry will state that given the current and evolving state of malware development, it is an unrealistic malware detection standard. Rather, Level 3 malware behavior detection today is mandatory in conjunction with Level 1 and 2 methods.

As far as LiveGuard being a contributing factor to ESSP's 100% Level 1 score, I see no evidence of this in the currently published test details. One of many ways to determine LiveGuard effectiveness would be to have AVLab perform a controlled test of both EIS and ESSP. The test malware samples would include a large number of "true" 0-day samples. That is, malware in-the-wild not currently being detected by any AV solution; not 0-day malware seen in the last 30 days. This test would also establish Eset's effectiveness using L3 behavior methods.

Edited by itman

53 minutes ago, itman said:

It is also noteworthy to review how ESSP performed in AVLab's recent Banking and Payment Protection test: https://avlab.pl/en/overview-of-techniques-and-attacks-in-windows-11/ .  Some work needed by Eset in this area.

ESSP was neither the best nor the worst in this test 😉


The bug where files are not sent to LiveGuard happens to me too.
The file is proactively blocked, but no analysis-in-progress notification is shown (it is if you try to access the file). No sent files appear in the logs.
After a while it appears: "ESET LiveGuard takes longer to analyse the file..."


19 minutes ago, Andrew3000 said:

The file is proactively blocked, but no analysis-in-progress notification is shown (it is if you try to access the file). No sent files appear in the logs.

Agreed. When I was testing LiveGuard, the Sent Event log creation was a "hit or miss" occurrence. In most cases, the Sent Event log entry was created; but not always.


6 hours ago, Marcos said:

Please check if the issue with the delay in sending files to LiveGuard persists after switching to the pre-release channel in the advanced update setup.

I switched to the pre-release and so far it seems to be working, if not I'll let you know!


Posted (edited)

Here's a weird one "I am trying to wrap my head around."

I have been doing a lot of LiveGuard script detection testing. Yesterday, I downloaded a highly obfuscated PowerShell script that has been previously known to perform malicious activities. Upon download, Eset detected the script by signature:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/28/2022 2:15:35 PM;HTTP filter;file;https://www73.zippyshare.com/d/hINOQIlH/26452/MaliciousPS.bat;PowerShell/TrojanDownloader.Agent.DDF trojan;connection terminated;xxxxxxxEvent occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (D2A23E0F4342F241647216290F5674DCA0017365).;846CE8E933E6C4FC774709E109726B20D88ECE33;

Then 4 hours later, Eset decides to send the download to LiveGrid:

Time;Hash;File;Size;Category;Reason;Sent to;User
4/28/2022 6:07:47 PM;846CE8E933E6C4FC774709E109726B20D88ECE33;https://www73.zippyshare.com/d/hINOQIlH/26452/MaliciousPS.bat;4058;Script;Automatic;LiveGrid®;xxxxxxxxxxx

Err .................... what?

Edited by itman
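As an added example (not from this thread and not ESET's own tooling), the following Python script joins the two log exports quoted above, the Detections log and the Sent files log, on their SHA-1 hash and reports how long after a detection each file was submitted, so a 4-hour gap like the one above stands out from the usual immediate submission. The two sample exports embedded in the script are constructed to mirror the layout of the quoted lines (semicolon-delimited, header row first); the 846CE8E9... hash and the detection name are the ones from the post, while the example.invalid URL, the second hash, the "LiveGuard" value in the "Sent to" column and all other timestamps are made up. The first constructed detection row deliberately keeps the lost delimiter between the User and Information columns seen in the pasted line, which is why the hash is located by pattern rather than by column position.

```python
"""Correlate ESET "Detections" and "Sent files" log exports by SHA-1.

Added example, not ESET's own tooling. The two exports below are
constructed to mirror the layout of the log lines quoted in the thread
(semicolon-delimited, header row first). The 846CE8E9... hash and the
detection name come from the thread; the URL, the second hash, the
"LiveGuard" sent-to value and the other timestamps are made up.
"""
import csv
import io
import re
from datetime import datetime

SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # e.g. "4/28/2022 2:15:35 PM"

# Constructed sample. The first data row keeps the lost ';' between the
# User and Information columns, exactly as in the pasted log line, so a
# positional lookup of the "Hash" column lands on the wrong field.
DETECTIONS_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/28/2022 2:15:35 PM;HTTP filter;file;https://example.invalid/MaliciousPS.bat;PowerShell/TrojanDownloader.Agent.DDF trojan;connection terminated;xxxxxxxEvent occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (D2A23E0F4342F241647216290F5674DCA0017365).;846CE8E933E6C4FC774709E109726B20D88ECE33;
4/29/2022 9:02:10 AM;HTTP filter;file;https://example.invalid/MaliciousPS.bat;PowerShell/TrojanDownloader.Agent.DDF trojan;connection terminated;xxxxxxx;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (D2A23E0F4342F241647216290F5674DCA0017365).;846CE8E933E6C4FC774709E109726B20D88ECE33;
"""

# Constructed sample: the thread's late submission, a repeat of the test
# with an immediate submission, and an unknown file with no prior
# detection (the LiveGuard path). The "LiveGuard" value is an assumption.
SENT_LOG = r"""Time;Hash;File;Size;Category;Reason;Sent to;User
4/28/2022 6:07:47 PM;846CE8E933E6C4FC774709E109726B20D88ECE33;https://example.invalid/MaliciousPS.bat;4058;Script;Automatic;LiveGrid®;xxxxxxxxxxx
4/29/2022 9:02:15 AM;846CE8E933E6C4FC774709E109726B20D88ECE33;https://example.invalid/MaliciousPS.bat;4058;Script;Automatic;LiveGrid®;xxxxxxxxxxx
4/29/2022 11:30:00 AM;0123456789ABCDEF0123456789ABCDEF01234567;C:\Users\xxx\Downloads\unknown.exe;120832;Executable;Automatic;LiveGuard;xxxxxxxxxxx
"""


def parse_export(text):
    """Parse one export into dicts keyed by header name.

    The SHA-1 is taken from whichever field is a whole 40-hex value,
    so a missing delimiter in the paste does not break the join. The
    hash embedded in the Information text ("(D2A2...).") is not a whole
    field and is therefore ignored.
    """
    reader = csv.reader(io.StringIO(text.strip()), delimiter=";")
    header = next(reader)
    rows = []
    for fields in reader:
        if not fields:
            continue
        row = dict(zip(header, fields))  # positional, best effort only
        row["_hash"] = next((f.upper() for f in fields if SHA1_RE.match(f)), None)
        row["_time"] = datetime.strptime(fields[0], TIME_FMT)
        rows.append(row)
    return rows


def correlate(detections, sent, slow_after_minutes=15):
    """For each sent file, find the latest earlier detection of the same hash.

    delay_min is minutes from that detection to the submission, or None
    when the hash was never detected before it was sent (LiveGuard path).
    """
    by_hash = {}
    for d in detections:
        if d["_hash"]:
            by_hash.setdefault(d["_hash"], []).append(d)
    report = []
    for s in sent:
        prior = [d for d in by_hash.get(s["_hash"], []) if d["_time"] <= s["_time"]]
        match = max(prior, key=lambda d: d["_time"]) if prior else None
        delay = None if match is None else (s["_time"] - match["_time"]).total_seconds() / 60
        report.append({
            "time": s["_time"],
            "hash": s["_hash"],
            "sent_to": s.get("Sent to"),
            "detection": None if match is None else match["Detection"],
            "delay_min": delay,
            "slow": delay is not None and delay > slow_after_minutes,
        })
    return report


def summarize(report):
    """Render the correlation as one line per submission."""
    lines = []
    for r in report:
        stamp = f"{r['time']:%Y-%m-%d %H:%M:%S} {r['hash'][:12]}..."
        if r["detection"] is None:
            lines.append(f"{stamp} sent to {r['sent_to']} with no prior detection")
        else:
            flag = " SLOW" if r["slow"] else ""
            lines.append(f"{stamp} {r['detection']} submitted "
                         f"{r['delay_min']:.1f} min after detection{flag}")
    return lines


if __name__ == "__main__":
    rep = correlate(parse_export(DETECTIONS_LOG), parse_export(SENT_LOG))
    print("\n".join(summarize(rep)))
```

Run it against your own exports by pasting the two logs in place of the constructed ones; the `slow_after_minutes` threshold is arbitrary and only marks submissions that are late relative to the usual immediate send after a signature hit.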

  • Administrators

A lot of already detected samples are sent to LiveGrid so that's pretty normal.


Posted (edited)
2 hours ago, Marcos said:

A lot of already detected samples are sent to LiveGrid so that's pretty normal.

Err .......... yes, I know that.

The issue is why it took 4 hours to do so. I have never seen this behavior previously from Eset.

BTW - I just repeated the test and the download was immediately sent to LiveGrid after detection.

Edited by itman

Hello @Marcos

I have another problem.

Yesterday a file was sent to LiveGuard at 23:22:56, and 25 minutes later, at 23:47:40, the analysis was not finished, but the file was unblocked. I think that is very dangerous! And I did not receive any answer later to know whether this file is safe or not?!

[Screenshot: Capture.PNG]


18 hours ago, Marcos said:

Please check if the issue with the delay in sending files to LiveGuard persists after switching to the pre-release channel in the advanced update setup.

Hello @Marcos

Thanks for the solution👍

But is it safe to run "pre-release" updates? I'm worried about possible bugs in ESET pre-release?


19 minutes ago, Leonardo said:

Yesterday a file was sent to LiveGuard at 23:22:56, and 25 minutes later, at 23:47:40, the analysis was not finished,

I had one that took 35 mins. .................

[Screenshot: Eset_LiveGuard.png]


5 minutes ago, itman said:

I had one that took 35 mins. .................

[Screenshot: Eset_LiveGuard.png]

Thanks @itman

But you received an answer (file safe); I did not receive any answer even after nearly 7 hours!

And what do you think about the danger of unblocking a file (it is ESET SSP that unblocks the file!) before the end of the analysis?


3 minutes ago, Leonardo said:

And what do you think about the danger of unblocking a file (it is ESET SSP that unblocks the file!) before the end of the analysis?

Eset will unblock a file after the "Maximum wait time for analysis result" expires. The default value is 5 mins.

As far as whether there is a risk associated with this, theoretically the answer is yes. To exploit this, however, would require an attacker to perform system modifications prior to the executable/script being dropped. One example would be creating a scheduled task to run every 6 mins. or so that, in turn, runs the executable/script.

Link to comment
Share on other sites
