
More LiveGuard Concerns



12 minutes ago, itman said:

Eset will unblock a file after the "Maximum wait time for analysis result" expires. The default value is 5 mins.

As far as if there is a risk associated with this, theoretically the answer is yes. To exploit this however would require an attacker to perform system modifications prior to the executable/script being dropped. One example would be creating a scheduled task to run every 6 mins. or so that in turn, runs the executable/script.

I have set the maximum wait time to "30 minutes"; it is not possible to choose a longer time.

I think it is really dangerous: without any clear notification saying "safe" or "unsafe", the situation remains ambiguous; the most secure option for the basic user who is not careful is to block the file until the result of the LiveGuard analysis.


  • Administrators
4 hours ago, itman said:

The issue is why it took 4 hours to do so. I have never seen this behavior previously from Eset.

Are you able to reproduce it with modules from the pre-release channel? In particular, with the Antivirus and antispyware module 1589.


  • Administrators
2 hours ago, Leonardo said:

But is it safe to run "pre-release" updates? I'm afraid of possible bugs in ESET pre-release?

Yes, it's safe. In 99,9% of cases you get the same modules both from the regular and pre-release update channel. Even in the enterprise environment we recommend updating from the pre-release update channel on a small subset of computers.


11 minutes ago, Marcos said:

Are you able to reproduce it with modules from the pre-release channel? In particular, with the Antivirus and antispyware module 1589.

Reproduction is "highly doubtful." As I posted when I retested, the submission to LiveGuard was immediately after malware detection.

This instance shows behavior akin to being stuck in the LiveGrid submission queue. Then later, Eset recognized an unsent submission was pending and sent it.


  • Administrators

I believe the issue should not be reproducible as of yesterday, especially with the latest modules from the pre-release channel. Let us know please should the problem persist.


15 hours ago, Leonardo said:

But you received an answer (file safe); I did not receive any answer even after nearly 7 hours!

Reviewing my Eset Event log, the answer to why you did not receive a LiveGuard safe verdict is as follows.

It appears Eset designed LiveGuard processing to run silently in the background. That is, when a file is submitted to LiveGuard and the file is not determined to be malicious, you will receive no verdict Event log entry. The only time you will receive a LiveGuard safe verdict Event log entry is when you try to access a currently locked file prior to LiveGuard completing its cloud processing.


  • Most Valued Members

I downloaded itman's file from a few posts back and although it's detected as malicious, it's never sent to LG. I even enabled pre-release updates and the program still didn't send it.

[screenshot 1]

[screenshot 2]


13 minutes ago, shocked said:

I downloaded itman's file from a few posts back and although it's detected as malicious

Are you referring to the PowerShell script posted here: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149839 ?


  • Most Valued Members
28 minutes ago, itman said:

Are you referring to the PowerShell script posted here: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149839 ?

Sorry, I meant this

Edit: LiveGuard however automatically deleted a program I downloaded that was deemed malicious. (I downloaded several things as part of the pre-release modules testing.) When it deleted it, it also created a log entry in the Sent files section.

Edited by shocked

21 hours ago, Marcos said:

Yes, it's safe. In 99,9% of cases you get the same modules both from the regular and pre-release update channel. Even in the enterprise environment we recommend updating from the pre-release update channel on a small subset of computers.

Thanks @Marcos for your explanations.

I have enabled pre-release update channel and will stay with it enabled.


33 minutes ago, shocked said:

LiveGuard however automatically deleted a program I downloaded that was deemed malicious. (I downloaded several things as part of the pre-release modules testing.) When it deleted it, it also created a log entry in the Sent files section.

Note: files deleted locally via heuristic signature detection are sent to LiveGrid, not LiveGuard. In other words, no LiveGuard cloud scanning was performed in this case.


  • Most Valued Members

Perhaps I misunderstood the whole process? 🤔

Although the MaliciousPS.bat from zippyshare is immediately removed, should it or shouldn't it create a "Sent files" entry?

The image below might clarify what I meant earlier: the threat was detected by LiveGuard and .

[screenshot: Untitled.png]


  • Administrators
14 hours ago, Andrew3000 said:

Is it normal with Microsoft EDGE that LiveGuard sends the cache and .crdownload files to the sandbox?

As soon as the browser closes the handle to a downloaded file, it's sent for analysis.


14 hours ago, shocked said:

Although the MaliciousPS.bat from zippyshare is immediately removed, should it or shouldn't it create a "Sent files" entry?

A LiveGrid Event log submission will only occur if the locally detected malicious file has not been previously sent to LiveGrid.

Assuming you didn't modify the script in any way, I had previously used it in a test:

Time;Hash;File;Size;Category;Reason;Sent to;User
4/28/2022 6:07:47 PM;846CE8E933E6C4FC774709E109726B20D88ECE33;https://www73.zippyshare.com/d/hINOQIlH/26452/MaliciousPS.bat;4058;Script;Automatic;LiveGrid®;xxxxxxxxxx

Note the hash in your posted Detection log entries is the same as that shown in my above Sent log entry. Therefore, no submission would have been made when you downloaded it and no Sent Event log entry created.

Edited by itman
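The hash cross-check described in the post above, as an added example (not ESET's code and not posted by anyone in this thread): the semicolon-separated "Sent files" export is parsed with the header and the two records quoted in this thread, a detection hash is looked up in it to decide whether a new Sent entry should be expected, and submissions are counted per destination so LiveGrid® (reputation/blacklist) and "ESET LiveGuard" (cloud sandbox) records can be told apart. The Detection-log sample and its column names are constructed assumptions; only its Hash column is used.

```python
import csv
import io
from collections import Counter

# Constructed sample of an ESET "Sent files" export. The header line and the two
# records are the ones quoted in this thread; fields are separated by ';'.
SENT_LOG = r"""Time;Hash;File;Size;Category;Reason;Sent to;User
4/28/2022 6:07:47 PM;846CE8E933E6C4FC774709E109726B20D88ECE33;https://www73.zippyshare.com/d/hINOQIlH/26452/MaliciousPS.bat;4058;Script;Automatic;LiveGrid®;xxxxxxxxxx
5/1/2022 6:45:42 PM;F288C07DE5C2AE6EFA254D09852DF3CF42423924;C:\Users\xxxxxx\Downloads\HeF7jsCk.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxx
"""

# Constructed Detection-log sample. The column names are an assumption (only
# "Object" and "Hash" are used); the detection name is a placeholder. The first
# hash is the MaliciousPS.bat SHA-1 from the thread, written in lower case to
# show that comparison must be case-insensitive.
DETECTION_LOG = r"""Time;Object;Detection;Hash
5/2/2022 9:10:00 AM;C:\Users\xxxxxx\Downloads\MaliciousPS.bat;Example.Detection (placeholder);846ce8e933e6c4fc774709e109726b20d88ece33
5/2/2022 9:12:00 AM;C:\Users\xxxxxx\Downloads\sample.exe;Example.Detection (placeholder);0000000000000000000000000000000000000000
"""


def parse_eset_log(text):
    """Parse a semicolon-separated ESET log export into a list of row dicts.

    A leading UTF-8 BOM is stripped defensively; Windows text exports often
    carry one and it would otherwise corrupt the first header name.
    """
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")), delimiter=";")
    return list(reader)


def sent_hash_index(sent_rows):
    """Map each submitted hash (upper-cased) to the service it was sent to."""
    return {row["Hash"].strip().upper(): row["Sent to"].strip() for row in sent_rows}


def classify_detection(det_hash, index):
    """Return ('previously_sent', destination) if the hash is already in the
    Sent log, else ('not_sent', None).

    Per the thread, a file whose hash was already submitted produces no new
    Sent entry when it is detected again, so 'previously_sent' explains a
    missing entry rather than indicating a submission failure.
    """
    dest = index.get(det_hash.strip().upper())
    return ("previously_sent", dest) if dest else ("not_sent", None)


def submissions_by_destination(sent_rows):
    """Count Sent-log records per destination ("Sent to" column)."""
    return Counter(row["Sent to"].strip() for row in sent_rows)


def correlate(sent_text, detection_text):
    """For every detection, report whether its hash already appears in the Sent log."""
    index = sent_hash_index(parse_eset_log(sent_text))
    return [
        (row["Object"], *classify_detection(row["Hash"], index))
        for row in parse_eset_log(detection_text)
    ]


if __name__ == "__main__":
    for obj, status, dest in correlate(SENT_LOG, DETECTION_LOG):
        print(f"{obj}: {status}" + (f" (sent to {dest})" if dest else ""))
    print(dict(submissions_by_destination(parse_eset_log(SENT_LOG))))
```

Point the two string constants at the real export files (ESET's log pane exports as semicolon-separated text) to run the same check against your own logs; a detection reported as `not_sent` is the case worth investigating further, an entry reported as `previously_sent` is expected behaviour per the explanation above.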

It seems even the pre-release update didn't fix the LiveGuard issue for me. When I download the file from here: https://demo.wd.microsoft.com/page/BAFS ESSP doesn't automatically send it. But right-clicking the file shows that the file is blocked and ESET only sends it when I try to open the file. Also tested with another malware that was in a zip file. Upon extracting, it wasn't automatically sent to LiveGuard. Maybe because LiveGuard has already seen it before, or part of this bug? I don't know. I submitted this sample to ESET but got no reply and no detection was added. Don't know if it's corrupted or not. Detected by many other products:

VirusTotal - File - e6a97492f6c1163dfd77113ad51992f5388a9442cf0388a174302948ea90f609


1 hour ago, SeriousHoax said:

It seems even the pre-release update didn't fix the LiveGuard issue for me. When I download the file from here: https://demo.wd.microsoft.com/page/BAFS ESSP doesn't automatically send it. But right-clicking the file shows that the file is blocked and ESET only sends it when I try to open the file. Also tested with another malware that was in a zip file. Upon extracting, it wasn't automatically sent to LiveGuard. Maybe because LiveGuard has already seen it before, or part of this bug? I don't know. I submitted this sample to ESET but got no reply and no detection was added. Don't know if it's corrupted or not. Detected by many other products:

VirusTotal - File - e6a97492f6c1163dfd77113ad51992f5388a9442cf0388a174302948ea90f609

From what I've seen, you have the same file being tested. You have to check if the file really has problems, because for @itman it worked.
Take the test again.


1 hour ago, itman said:

Tested it yesterday and today. Not working for me. Pre-release module didn't change the behavior on my system.


15 minutes ago, New_Style_xd said:

From what I've seen, you have the same file being tested. You have to check if the file really has problems, because for @itman it worked.
Take the test again.

The site generates a new file with different hash every single time. So the file that's being tested is not exactly the same. Every single downloaded file on my system is not being sent automatically to LiveGuard for some reason. 


58 minutes ago, SeriousHoax said:

Every single downloaded file on my system is not being sent automatically to LiveGuard for some reason. 

I just tested the download again and it was sent to the LiveGuard cloud with Sent event log created:

Time;Hash;File;Size;Category;Reason;Sent to;User
5/1/2022 6:45:42 PM;F288C07DE5C2AE6EFA254D09852DF3CF42423924;C:\Users\xxxxxx\Downloads\HeF7jsCk.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxx

Are you getting the desktop popup indicating the file was sent to Eset VirusLab for analysis? If not, refer to this posting: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149846 . It's possible that setting also influences whether the Sent event log is created.

Also, I am not on pre-release updates.


50 minutes ago, itman said:

I just tested the download again and it was sent to the LiveGuard cloud with Sent event log created:

Time;Hash;File;Size;Category;Reason;Sent to;User
5/1/2022 6:45:42 PM;F288C07DE5C2AE6EFA254D09852DF3CF42423924;C:\Users\xxxxxx\Downloads\HeF7jsCk.exe.part;5716;Executable;Automatic;ESET LiveGuard;xxxxxxxx

Are you getting the desktop popup indicating the file was sent to Eset VirusLab for analysis? If not, refer to this posting: https://forum.eset.com/topic/31893-more-liveguard-concerns/?do=findComment&comment=149846 . It's possible that setting also influences whether the Sent event log is created.

Also, I am not on pre-release updates.

In that case, what advantage is there in the pre-release version?
From what I'm seeing, I don't see any advantage, and my impression


13 hours ago, New_Style_xd said:

In that case, what advantage is there in the pre-release version?
From what I'm seeing, I don't see any advantage, and my impression

Post in English please!


In that case, what advantage is this in the pre-release version? From what I'm seeing, I don't see any advantage and my impression


18 hours ago, SeriousHoax said:

I submitted this sample to ESET but got no reply and no detection was added. Don't know if it's corrupted or not. Detected by many other products:

VirusTotal - File - e6a97492f6c1163dfd77113ad51992f5388a9442cf0388a174302948ea90f609

Eset still doesn't detect it by signature. It's a Cobalt Strike beacon. Not good...

Was this uploaded to the LiveGuard cloud upon download? If so, was the verdict safe?

-EDIT- My best guess at this point is the Eset cloud would have returned a safe verdict based on a prior Joe's Sandbox analysis rendering a 48% malware confidence factor:

[screenshot: Eset_JoeSandbox.png]

Edited by itman

2 hours ago, itman said:

Eset still doesn't detect it by signature. It's a Cobalt Strike beacon. Not good...

Was this uploaded to the LiveGuard cloud upon download? If so, was the verdict safe?

-EDIT- My best guess at this point is the Eset cloud would have returned a safe verdict based on a prior Joe's Sandbox analysis rendering a 48% malware confidence factor:

[screenshot: Eset_JoeSandbox.png]

It wasn't sent automatically. But when I manually did via ESET gui it was sent to LiveGuard. Before that, I submitted to the email. Another user I know also submitted, but nothing from ESET yet. 


2 hours ago, SeriousHoax said:

It wasn't sent automatically. But when I manually did via ESET gui it was sent to LiveGuard. Before that, I submitted to the email. Another user I know also submitted, but nothing from ESET yet. 

Eset is currently blocking it via cloud blacklist detection, i.e. LiveGrid. See the PM I sent you.

Also, the fact that it wasn't sent to the LiveGuard cloud initially means the file download wasn't detected by local heuristic scanning as suspect.

Edited by itman
This topic is now closed to further replies.