Leonardo, posted April 29, 2022
12 minutes ago, itman said: Eset will unblock a file after the "Maximum wait time for analysis result expires." The default value is 5 mins. As far as if there is a risk associated with this, theoretically the answer is yes. To exploit this however would require an attacker to perform system modifications prior to the executable/script being dropped. One example would be creating a scheduled task to run every 6 mins. or so that in turn, runs the executable/script.
I had set the maximum wait time to "30 minutes"; it is not possible to choose more time. I think it is really dangerous: without any clear notification saying "safe" or "unsafe", the situation remains ambiguous. The most secure option for the basic user who is not careful is to block the file until the result of the LiveGuard analysis.
Marcos (Administrator), posted April 29, 2022
4 hours ago, itman said: The issue is why it took 4 hours to do so. I have never seen this behavior previously from Eset.
Are you able to reproduce it with modules from the pre-release channel? In particular, with the Antivirus and antispyware module 1589.
Marcos (Administrator), posted April 29, 2022
2 hours ago, Leonardo said: But is it safe to run "pre-release" updates? I'm afraid about possible bugs on ESET pre-release?
Yes, it's safe. In 99,9% of cases you get the same modules both from the regular and pre-release update channel. Even in the enterprise environment we recommend updating from the pre-release update channel on a small subset of computers.
itman (author), posted April 29, 2022
11 minutes ago, Marcos said: Are you able to reproduce it with modules from the pre-release channel? In particular, with the Antivirus and antispyware module 1589.
Reproduction is "highly doubtful." As I posted when I retested, the submission to LiveGuard was immediately after malware detection. This instance shows behavior akin to being stuck in the LiveGrid submission queue. Then later, Eset recognized an unsent submission was pending and then sent it.
Marcos (Administrator), posted April 29, 2022
I believe the issue should not be reproducible as of yesterday, especially with the latest modules from the pre-release channel. Let us know please should the problem persist.
itman (author), posted April 30, 2022
15 hours ago, Leonardo said: But you received an answer (file safe); but I did not receive any answer even after nearly 7 hours!
Reviewing my Eset Event log, the answer to why you did not receive a LiveGuard safe verdict is as follows. It appears Eset designed LiveGuard processing to run silently in the background. That is, when a file is submitted to LiveGuard and the file is not determined to be malicious, you will receive no verdict Event log entry. The only time you will receive a LiveGuard safe verdict Event log entry is when you try to access a currently locked file prior to LiveGuard completing its cloud processing.
Andrew3000, posted April 30, 2022
Is it normal with Microsoft EDGE that LiveGuard sends the cache and .crdownload files to the sandbox?
shocked (Most Valued Member), posted April 30, 2022
I downloaded itman's file from a few posts back and although it's detected as malicious, it's never sent to LG. I even enabled pre-release updates and the program still didn't send it.
itman (author), posted April 30, 2022
13 minutes ago, shocked said: I downloaded itman's file from a few posts back and although it's detected as malicious
Are you referring to the PowerShell script posted here: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149839 ?
shocked (Most Valued Member), posted April 30, 2022 (edited)
28 minutes ago, itman said: Are you referring to the PowerShell script posted here: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149839 ?
Sorry, I meant this.
Edit: LiveGuard however automatically deleted a program I downloaded that was deemed malicious. (I downloaded several things as part of the pre-release modules testing.) When it deleted it, it also created a log entry in the Sent files section.
Edited April 30, 2022 by shocked
Leonardo, posted April 30, 2022
21 hours ago, Marcos said: Yes, it's safe. In 99,9% of cases you get the same modules both from the regular and pre-release update channel. Even in the enterprise environment we recommend updating from the pre-release update channel on a small subset of computers.
Thanks @Marcos for your explanations. I have enabled the pre-release update channel and will stay with it enabled.
itman (author), posted April 30, 2022
33 minutes ago, shocked said: LiveGuard however automatically deleted a program I downloaded that was deemed malicious. (I downloaded several things as part of the pre-release modules testing.) When it deleted it, it also created a log entry in the Sent files section.
Note: files deleted locally via heuristic signature detection are sent to LiveGrid, not LiveGuard. In other words, no LiveGuard cloud scanning was performed in this case.
shocked (Most Valued Member), posted May 1, 2022
Perhaps I misunderstood the whole process? 🤔 Although the MaliciousPS.bat from zippyshare is immediately removed, should it or shouldn't it create a "Sent files" entry? The image below might clarify what I meant earlier: the threat was detected by LiveGuard and .
Marcos (Administrator), posted May 1, 2022
14 hours ago, Andrew3000 said: Is it normal with Microsoft EDGE that LiveGuard sends the cache and .crdownload files to the sandbox?
As soon as the browser closes the handle to a downloaded file, it's sent for analysis.
itman (author), posted May 1, 2022 (edited)
14 hours ago, shocked said: Although the MaliciousPS.bat from zippyshare is immediately removed, should it or shouldn't it create a "Sent files" entry?
A LiveGrid Event log submission will only occur if the locally detected malicious file has not been previously sent to LiveGrid. Assuming you didn't modify the script in any way, I had previously used it in a test:

Time;Hash;File;Size;Category;Reason;Sent to;User
4/28/2022 6:07:47 PM;846CE8E933E6C4FC774709E109726B20D88ECE33;https://www73.zippyshare.com/d/hINOQIlH/26452/MaliciousPS.bat;4058;Script;Automatic;LiveGrid®;xxxxxxxxxx

Note the hash in your posted Detection log entries is the same as that shown in my above Sent log entry. Therefore, no submission would have been made when you downloaded it and no Sent Event log entry created.
Edited May 1, 2022 by itman
SeriousHoax, posted May 1, 2022
It seems even the pre-release update didn't fix the LiveGuard issue for me. When I download the file from here: https://demo.wd.microsoft.com/page/BAFS ESSP doesn't automatically send it. But right-clicking the file shows that the file is blocked and ESET only sends it when I try to open the file. Also tested with another malware that was in a zip file. Upon extracting, it wasn't automatically sent to LiveGuard. Maybe because LiveGuard has already seen it before, or part of this bug? I don't know. I submitted this sample to ESET but got no reply and no detection was added. Don't know if it's corrupted or not. Detected by many other products: VirusTotal - File - e6a97492f6c1163dfd77113ad51992f5388a9442cf0388a174302948ea90f609
itman (author), posted May 1, 2022
15 minutes ago, SeriousHoax said: When I download the file from here: https://demo.wd.microsoft.com/page/BAFS ESSP doesn't automatically send it.
It was for me: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149740
New_Style_xd, posted May 1, 2022
1 hour ago, SeriousHoax said: It seems even the pre-release update didn't fix the LiveGuard issue for me. When I download the file from here: https://demo.wd.microsoft.com/page/BAFS ESSP doesn't automatically send it. But right-clicking the file shows that the file is blocked and ESET only sends it when I try to open the file. Also tested with another malware that was in a zip file. Upon extracting, it wasn't automatically sent to LiveGuard. Maybe because LiveGuard has already seen it before, or part of this bug? I don't know. I submitted this sample to ESET but got no reply and no detection was added. Don't know if it's corrupted or not. Detected by many other products: VirusTotal - File - e6a97492f6c1163dfd77113ad51992f5388a9442cf0388a174302948ea90f609
From what I've seen, you have the same file being tested. You have to check if the file really has problems, because for @itman it worked. Take the test again.
SeriousHoax, posted May 1, 2022
1 hour ago, itman said: It was for me: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149740
Tested it yesterday and today. Not working for me. The pre-release module didn't change the behavior on my system.
15 minutes ago, New_Style_xd said: From what I've seen, you have the same file being tested. You have to check if the file really has problems, because for @itman it worked. Take the test again.
The site generates a new file with a different hash every single time. So the file that's being tested is not exactly the same. Every single downloaded file on my system is not being sent automatically to LiveGuard for some reason.
itman (author), posted May 1, 2022
58 minutes ago, SeriousHoax said: Every single downloaded file on my system is not being sent automatically to LiveGuard for some reason.
I just tested the download again and it was sent to the LiveGuard cloud with a Sent event log created:

Time;Hash;File;Size;Category;Reason;Sent to;User
5/1/2022 6:45:42 PM;F288C07DE5C2AE6EFA254D09852DF3CF42423924;C:\Users\xxxxxx\Downloads\HeF7jsCk.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxx

Are you getting the desktop popup indicating the file was sent to Eset VirusLab for analysis? If not, refer to this posting: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149846 . It's possible that setting also influences whether the Sent event log is created. Also, I am not on pre-release updates.
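The two posts above rest on reading the semicolon-separated "Sent files" export (header Time;Hash;File;Size;Category;Reason;Sent to;User) and comparing its Hash column against the hash shown in a Detections entry: a matching prior submission explains a missing Sent entry, and the "Sent to" column separates LiveGrid blacklist submissions from LiveGuard sandbox submissions. The script below is an added example written for this page, not code from the thread or from ESET. It assumes only the export format visible in the two posted log excerpts, which it embeds as sample input; the all-zero hash used as a "never submitted" case is a constructed value.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# Sample input: the export header and the two Sent entries posted in this
# thread (the User column was already redacted by the posters). Raw string so
# the Windows path backslashes survive unchanged.
SENT_LOG = r"""Time;Hash;File;Size;Category;Reason;Sent to;User
4/28/2022 6:07:47 PM;846CE8E933E6C4FC774709E109726B20D88ECE33;https://www73.zippyshare.com/d/hINOQIlH/26452/MaliciousPS.bat;4058;Script;Automatic;LiveGrid®;xxxxxxxxxx
5/1/2022 6:45:42 PM;F288C07DE5C2AE6EFA254D09852DF3CF42423924;C:\Users\xxxxxx\Downloads\HeF7jsCk.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxx
"""

SHA1_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_sha1(value: str) -> str:
    """Upper-case and validate a SHA-1 string so log and detection hashes compare equal."""
    digest = value.strip().upper()
    if not SHA1_RE.match(digest):
        raise ValueError(f"not a SHA-1 hex digest: {value!r}")
    return digest


def parse_sent_log(text: str) -> List[Dict[str, str]]:
    """Parse an ESET 'Sent files' export: header on the first line, ';' separated."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    entries = []
    for row in reader:
        row["Hash"] = normalize_sha1(row["Hash"])
        row["Size"] = row["Size"].strip()
        entries.append(row)
    return entries


def find_prior_submission(entries: List[Dict[str, str]], sha1: str) -> Optional[Dict[str, str]]:
    """Return the earliest Sent entry whose hash matches, or None if never submitted."""
    wanted = normalize_sha1(sha1)
    for entry in entries:
        if entry["Hash"] == wanted:
            return entry
    return None


def explain_missing_sent_entry(entries: List[Dict[str, str]], sha1: str) -> str:
    """Apply the rule from the thread: a file already in Sent files is not submitted again."""
    prior = find_prior_submission(entries, sha1)
    if prior is None:
        return "no prior submission: a new Sent entry would be expected"
    return (
        f"already sent to {prior['Sent to']} on {prior['Time']} "
        f"({prior['Category']}, {prior['Size']} bytes): no new Sent entry expected"
    )


def submissions_by_destination(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count entries per 'Sent to' value (LiveGrid vs. LiveGuard)."""
    counts: Dict[str, int] = {}
    for entry in entries:
        counts[entry["Sent to"]] = counts.get(entry["Sent to"], 0) + 1
    return counts


if __name__ == "__main__":
    sent = parse_sent_log(SENT_LOG)
    # Hash as it would appear in a Detections entry for the same MaliciousPS.bat.
    print(explain_missing_sent_entry(sent, "846ce8e933e6c4fc774709e109726b20d88ece33"))
    # Constructed hash that is not in the export.
    print(explain_missing_sent_entry(sent, "0" * 40))
    print(submissions_by_destination(sent))
```

In practice the export is produced from the Sent files view in the ESET GUI and the Detections hash is pasted in from the corresponding log entry; the hash is compared case-insensitively because the two views do not always use the same letter case.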
New_Style_xd, posted May 1, 2022
50 minutes ago, itman said: I just tested the download again and it was sent to the LiveGuard cloud with a Sent event log created:

Time;Hash;File;Size;Category;Reason;Sent to;User
5/1/2022 6:45:42 PM;F288C07DE5C2AE6EFA254D09852DF3CF42423924;C:\Users\xxxxxx\Downloads\HeF7jsCk.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxx

Are you getting the desktop popup indicating the file was sent to Eset VirusLab for analysis? If not, refer to this posting: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149846 . It's possible that setting also influences whether the Sent event log is created. Also, I am not on pre-release updates.
In that case, what advantage is there in the pre-release version? From what I'm seeing, I don't see any advantage, and my impression
itman (author), posted May 2, 2022
13 hours ago, New_Style_xd said (in Portuguese): In that case, what advantage is there in the pre-release version? From what I'm seeing, I don't see any advantage, and my impression
Post in English please! Translation: In that case, what advantage is this in the pre-release version? From what I'm seeing, I don't see any advantage and my impression
itman (author), posted May 2, 2022 (edited)
18 hours ago, SeriousHoax said: I submitted this sample to ESET but got no reply and no detection was added. Don't know if it's corrupted or not. Detected by many other products: VirusTotal - File - e6a97492f6c1163dfd77113ad51992f5388a9442cf0388a174302948ea90f609
Eset still doesn't detect it by signature. It's a Cobalt Strike beacon. Not good... Was this uploaded to the LiveGuard cloud upon download? If so, was the verdict safe?
-EDIT- My best guess at this point is Eset cloud would have returned a safe verdict based on a prior Joe's Sandbox analysis 48% malware confidence factor rendering:
Edited May 2, 2022 by itman
SeriousHoax, posted May 2, 2022
2 hours ago, itman said: Eset still doesn't detect it by signature. It's a Cobalt Strike beacon. Not good... Was this uploaded to the LiveGuard cloud upon download? If so, was the verdict safe? -EDIT- My best guess at this point is Eset cloud would have returned a safe verdict based on a prior Joe's Sandbox analysis 48% malware confidence factor rendering:
It wasn't sent automatically. But when I manually did it via the ESET GUI it was sent to LiveGuard. Before that, I submitted it to the email. Another user I know also submitted, but nothing from ESET yet.
itman (author), posted May 2, 2022 (edited)
2 hours ago, SeriousHoax said: It wasn't sent automatically. But when I manually did it via the ESET GUI it was sent to LiveGuard. Before that, I submitted it to the email. Another user I know also submitted, but nothing from ESET yet.
Eset is currently blocking it via cloud blacklist detection, i.e. LiveGrid. See the PM I sent you. Also, the fact that it wasn't sent to the LiveGuard cloud initially means the file download wasn't detected by local heuristic scanning as suspect.
Edited May 2, 2022 by itman