Leonardo 10 Posted April 29
12 minutes ago, itman said: Eset will unblock a file after the "Maximum wait time for analysis result" expires. The default value is 5 mins. As far as whether there is a risk associated with this, theoretically the answer is yes. To exploit this, however, would require an attacker to perform system modifications prior to the executable/script being dropped. One example would be creating a scheduled task to run every 6 mins. or so that, in turn, runs the executable/script.
I had tweaked the maximum wait time to "30 minutes"; it is not possible to choose more time. I think it is really dangerous: without any clear notification saying "safe" or "unsafe", the situation remains ambiguous. The most secure option for the basic user who is not careful is to block the file until the result of the LiveGuard analysis.
Administrators Marcos 4,233 Posted April 29
4 hours ago, itman said: The issue is why it took 4 hours to do so. I have never seen this behavior previously from Eset.
Are you able to reproduce it with modules from the pre-release channel? In particular, with the Antivirus and antispyware module 1589.
Administrators Marcos 4,233 Posted April 29
2 hours ago, Leonardo said: But is it safe to run "pre-release" updates? I'm afraid about possible bugs on ESET pre-release?
Yes, it's safe. In 99.9% of cases you get the same modules from both the regular and the pre-release update channel. Even in the enterprise environment we recommend updating from the pre-release update channel on a small subset of computers.
itman 1,395 Posted April 29 Author
11 minutes ago, Marcos said: Are you able to reproduce it with modules from the pre-release channel? In particular, with the Antivirus and antispyware module 1589.
Reproduction is "highly doubtful." As I posted when I retested, the submission to LiveGuard was immediately after malware detection. This instance shows behavior akin to being stuck in the LiveGrid submission queue. Then later, Eset recognized an unsent submission was pending and then sent it.
Administrators Marcos 4,233 Posted April 29
I believe the issue should not be reproducible as of yesterday, especially with the latest modules from the pre-release channel. Please let us know should the problem persist.
itman 1,395 Posted April 30 Author
15 hours ago, Leonardo said: But you received an answer (file safe); I did not receive any answer even after nearly 7 hours!
Reviewing my Eset Event log, the answer to why you did not receive a LiveGuard safe verdict is as follows. It appears Eset designed LiveGuard processing to run silently in the background. That is, when a file is submitted to LiveGuard and the file is not determined to be malicious, you will receive no verdict Event log entry. The only time you will receive a LiveGuard safe verdict Event log entry is when you try to access a currently locked file prior to LiveGuard completing its cloud processing.
Andrew3000 4 Posted April 30
Is it normal with Microsoft Edge that LiveGuard sends the cache and .crdownload files to the sandbox?
Most Valued Members shocked 59 Posted April 30
I downloaded itman's file from a few posts back and although it's detected as malicious, it's never sent to LG. I even enabled pre-release updates and the program still didn't send it.
itman 1,395 Posted April 30 Author
13 minutes ago, shocked said: I downloaded itman's file from a few posts back and although it's detected as malicious
Are you referring to the PowerShell script posted here: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149839 ?
Most Valued Members shocked 59 Posted April 30
28 minutes ago, itman said: Are you referring to the PowerShell script posted here: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149839 ?
Sorry, I meant this. Edit: LiveGuard, however, automatically deleted a program I downloaded that was deemed malicious. (I downloaded several things as part of the pre-release modules testing.) When it deleted it, it also created a log entry in the Sent files section.
Edited April 30 by shocked
Leonardo 10 Posted April 30
21 hours ago, Marcos said: Yes, it's safe. In 99.9% of cases you get the same modules from both the regular and the pre-release update channel. Even in the enterprise environment we recommend updating from the pre-release update channel on a small subset of computers.
Thanks @Marcos for your explanations. I have enabled the pre-release update channel and will stay with it enabled.
itman 1,395 Posted April 30 Author
33 minutes ago, shocked said: LiveGuard, however, automatically deleted a program I downloaded that was deemed malicious. (I downloaded several things as part of the pre-release modules testing.) When it deleted it, it also created a log entry in the Sent files section.
Note: files deleted locally via heuristic signature detection are sent to LiveGrid, not LiveGuard. In other words, no LiveGuard cloud scanning was performed in this case.
Most Valued Members shocked 59 Posted May 1
Perhaps I misunderstood the whole process? 🤔 Although the MaliciousPS.bat from zippyshare is immediately removed, should it or shouldn't it create a "Sent files" entry? The image below might clarify what I meant earlier: the threat was detected by LiveGuard and .
Administrators Marcos 4,233 Posted May 1
14 hours ago, Andrew3000 said: Is it normal with Microsoft Edge that LiveGuard sends the cache and .crdownload files to the sandbox?
As soon as the browser closes the handle to a downloaded file, it's sent for analysis.
itman 1,395 Posted May 1 Author
14 hours ago, shocked said: Although the MaliciousPS.bat from zippyshare is immediately removed, should it or shouldn't it create a "Sent files" entry?
A LiveGrid Event log submission will only occur if the locally detected malicious file has not been previously sent to LiveGrid. Assuming you didn't modify the script in any way, I had previously used it in a test:
Time;Hash;File;Size;Category;Reason;Sent to;User
4/28/2022 6:07:47 PM;846CE8E933E6C4FC774709E109726B20D88ECE33;https://www73.zippyshare.com/d/hINOQIlH/26452/MaliciousPS.bat;4058;Script;Automatic;LiveGrid®;xxxxxxxxxx
Note the hash in your posted Detection log entries is the same as that shown in my above Sent log entry. Therefore, no submission would have been made when you downloaded it and no Sent Event log entry created.
Edited May 1 by itman
SeriousHoax 47 Posted May 1
It seems even the pre-release update didn't fix the LiveGuard issue for me. When I download the file from here: https://demo.wd.microsoft.com/page/BAFS ESSP doesn't automatically send it. But right-clicking the file shows that the file is blocked, and ESET only sends it when I try to open the file. Also tested with another malware that was in a zip file. Upon extracting, it wasn't automatically sent to LiveGuard. Maybe because LiveGuard has already seen it before, or part of this bug? I don't know. I submitted this sample to ESET but got no reply and no detection was added. Don't know if it's corrupted or not. Detected by many other products: VirusTotal - File - e6a97492f6c1163dfd77113ad51992f5388a9442cf0388a174302948ea90f609
itman 1,395 Posted May 1 Author
15 minutes ago, SeriousHoax said: When I download the file from here: https://demo.wd.microsoft.com/page/BAFS ESSP doesn't automatically send it.
It was for me: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149740
New_Style_xd 46 Posted May 1
1 hour ago, SeriousHoax said: It seems even the pre-release update didn't fix the LiveGuard issue for me. When I download the file from here: https://demo.wd.microsoft.com/page/BAFS ESSP doesn't automatically send it. But right-clicking the file shows that the file is blocked, and ESET only sends it when I try to open the file. Also tested with another malware that was in a zip file. Upon extracting, it wasn't automatically sent to LiveGuard. Maybe because LiveGuard has already seen it before, or part of this bug? I don't know. I submitted this sample to ESET but got no reply and no detection was added. Don't know if it's corrupted or not. Detected by many other products: VirusTotal - File - e6a97492f6c1163dfd77113ad51992f5388a9442cf0388a174302948ea90f609
From what I've seen you have the same file being tested. You have to check whether the file really has problems, because for @itman it worked. Take the test again.
SeriousHoax 47 Posted May 1
1 hour ago, itman said: It was for me: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149740
Tested it yesterday and today. Not working for me. The pre-release module didn't change the behavior on my system.
15 minutes ago, New_Style_xd said: From what I've seen you have the same file being tested. You have to check whether the file really has problems, because for @itman it worked. Take the test again.
The site generates a new file with a different hash every single time, so the file that's being tested is not exactly the same. Every single downloaded file on my system is not being sent automatically to LiveGuard for some reason.
itman 1,395 Posted May 1 Author
58 minutes ago, SeriousHoax said: Every single downloaded file on my system is not being sent automatically to LiveGuard for some reason.
I just tested the download again and it was sent to the LiveGuard cloud with a Sent event log entry created:
Time;Hash;File;Size;Category;Reason;Sent to;User
5/1/2022 6:45:42 PM;F288C07DE5C2AE6EFA254D09852DF3CF42423924;C:\Users\xxxxxx\Downloads\HeF7jsCk.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxx
Are you getting the desktop popup indicating the file was sent to Eset VirusLab for analysis? If not, refer to this posting: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149846 . It's possible that setting also influences whether the Sent event log entry is created. Also, I am not on pre-release updates.
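As an added example (not ESET's code and not posted by anyone in the thread), here is the check itman did by hand in the MaliciousPS.bat post and again above: parse the semicolon-separated "Sent files" export, compute the SHA-1 of a downloaded file, and look the hash up to see whether, and to which cloud service, it was previously submitted, which under itman's observation explains why no new Sent entry appears for a repeat download. The record layout is taken from the two lines quoted in the thread; the sample export, the helper names and the explanation strings are this example's own assumptions.

```python
"""Look up a file's SHA-1 in an exported ESET "Sent files" log.

Added example, not ESET's code. It assumes the semicolon-separated export
layout quoted in the thread: a header line, then one record per line.
"""
import hashlib
from datetime import datetime

# Constructed sample export: the header plus the two records quoted in the
# thread (one sent to LiveGrid, one to LiveGuard). Raw string so the
# backslashes of the Windows path survive.
SAMPLE_SENT_LOG = r"""Time;Hash;File;Size;Category;Reason;Sent to;User
4/28/2022 6:07:47 PM;846CE8E933E6C4FC774709E109726B20D88ECE33;https://www73.zippyshare.com/d/hINOQIlH/26452/MaliciousPS.bat;4058;Script;Automatic;LiveGrid®;xxxxxxxxxx
5/1/2022 6:45:42 PM;F288C07DE5C2AE6EFA254D09852DF3CF42423924;C:\Users\xxxxxx\Downloads\HeF7jsCk.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxx
"""

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # US-style timestamp as shown in the export


def parse_sent_log(text):
    """Parse the export into a list of dicts keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(";")
    records = []
    for ln in lines[1:]:
        fields = ln.split(";")
        if len(fields) != len(header):
            raise ValueError(f"malformed record: {ln!r}")
        rec = dict(zip(header, fields))
        rec["Time"] = datetime.strptime(rec["Time"], TIME_FORMAT)
        rec["Size"] = int(rec["Size"])
        rec["Hash"] = rec["Hash"].upper()  # the export prints upper-case hex
        records.append(rec)
    return records


def sha1_hex(data):
    """Upper-case SHA-1 hex digest, matching the Hash column of the export."""
    return hashlib.sha1(data).hexdigest().upper()


def submissions_for(records, sha1):
    """All records whose Hash equals the given SHA-1 (case-insensitive)."""
    return [r for r in records if r["Hash"] == sha1.upper()]


def explain(records, sha1):
    """Explain whether a missing new Sent entry is accounted for by a prior submission."""
    hits = submissions_for(records, sha1)
    if not hits:
        return "never sent from this machine: a fresh download should produce a new Sent entry"
    latest = max(hits, key=lambda r: r["Time"])
    when = latest["Time"].strftime("%Y-%m-%d %H:%M:%S")
    if "LiveGuard" in latest["Sent to"]:
        return f"sent to LiveGuard on {when}: a cloud sandbox run was already performed"
    return f"sent to {latest['Sent to']} on {when}: detection sample only, no LiveGuard sandbox run"


if __name__ == "__main__":
    recs = parse_sent_log(SAMPLE_SENT_LOG)
    for digest in ("846CE8E933E6C4FC774709E109726B20D88ECE33", sha1_hex(b"not in the log")):
        print(digest, "->", explain(recs, digest))
```

To use it on a real export, read the exported file's text into `parse_sent_log`, hash the downloaded file's bytes with `sha1_hex`, and pass both to `explain`; a hash absent from the export is the case where a new Sent entry should have appeared.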
New_Style_xd 46 Posted May 1
50 minutes ago, itman said: I just tested the download again and it was sent to the LiveGuard cloud with a Sent event log entry created: Time;Hash;File;Size;Category;Reason;Sent to;User 5/1/2022 6:45:42 PM;F288C07DE5C2AE6EFA254D09852DF3CF42423924;C:\Users\xxxxxx\Downloads\HeF7jsCk.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxx Are you getting the desktop popup indicating the file was sent to Eset VirusLab for analysis? If not, refer to this posting: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149846 . It's possible that setting also influences whether the Sent event log entry is created. Also, I am not on pre-release updates.
In that case, what advantage is there in the pre-release version? From what I'm seeing, I don't see any advantage and my impression
itman 1,395 Posted May 2 Author
13 hours ago, New_Style_xd said: In that case, what advantage is there in the pre-release version? From what I'm seeing, I don't see any advantage and my impression
Post in English please!
Quote: In that case, what advantage is this in the pre-release version? From what I'm seeing, I don't see any advantage and my impression
itman 1,395 Posted May 2 Author
18 hours ago, SeriousHoax said: I submitted this sample to ESET but got no reply and no detection was added. Don't know if it's corrupted or not. Detected by many other products: VirusTotal - File - e6a97492f6c1163dfd77113ad51992f5388a9442cf0388a174302948ea90f609
Eset still doesn't detect it by signature. It's a Cobalt Strike beacon. Not good... Was this uploaded to the LiveGuard cloud upon download? If so, was the verdict safe?
-EDIT- My best guess at this point is Eset cloud would have returned a safe verdict based on a prior Joe's Sandbox analysis rendering a 48% malware confidence factor:
Edited May 2 by itman
SeriousHoax 47 Posted May 2
2 hours ago, itman said: Eset still doesn't detect it by signature. It's a Cobalt Strike beacon. Not good... Was this uploaded to the LiveGuard cloud upon download? If so, was the verdict safe? -EDIT- My best guess at this point is Eset cloud would have returned a safe verdict based on a prior Joe's Sandbox analysis rendering a 48% malware confidence factor:
It wasn't sent automatically. But when I manually did it via the ESET GUI it was sent to LiveGuard. Before that, I submitted it by email. Another user I know also submitted it, but nothing from ESET yet.
itman 1,395 Posted May 2 Author
2 hours ago, SeriousHoax said: It wasn't sent automatically. But when I manually did it via the ESET GUI it was sent to LiveGuard. Before that, I submitted it by email. Another user I know also submitted it, but nothing from ESET yet.
Eset is currently blocking it via cloud blacklist detection, i.e. LiveGrid. See the PM I sent you. Also, the fact that it wasn't sent to the LiveGuard cloud initially means the file download wasn't detected by local heuristic scanning as suspect.
Edited May 2 by itman