Jump to content

More LiveGuard Concerns


Recommended Posts

Posted (edited)

As far as I am concerned there is a timing issue in regards to LiveGuard uploads.

This morning I went to the Kaspersky Virus Removal Tool web site using Firefox. Upon access to the web site and in anticipation of me performing an actual download, Firefox did a partial download of the KVRT.exe file. LiveGuard immediately sent this to the cloud and generated a desktop alert:

Time;Hash;File;Size;Category;Reason;Sent to;User
5/7/2022 9:31:19 AM;2A589D5ED79B97DDF45432A24650ACF81ABA2F1E;C:\Users\xxxxxx\Downloads\KTLQMcZI.exe.part;45088768;Executable;Automatic;ESET LiveGuard;xxxxxxx

Time;Component;Event;User
5/7/2022 9:31:19 AM;ESET Kernel;File 'KTLQMcZI.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM

Of note is I did not actually download the app and exited the web site. That was it for any other LiveGuard alerting or logging activity

Shortly thereafter, I did actually return to the web site and perform an actual download:

Eset_KVRT.thumb.png.1a081011c00a37178bfd00f42ab52055.png

Note that the actual size of the KVRT.exe download is 114 MB.

Edited by itman
Link to comment
Share on other sites

Posted (edited)

I finally resolved these partial file uploads to LiveGuard via Firefox downloading.

By "playing around" with Firefox download settings, I was able to eliminate Firefox creating .part file downloads in %LocalAppData%\Temp directory. Now all Firefox .part file downloads go directly to my Downloads directory. Unfortunately, this change also activated Firefox's new download behavior where the download occurs immediately upon access to any web site where a download option is presented. As such and as far as I am concerned, setting Firefox's download option to always ask where the download should be stored is a must to prevent a drive-by download attack that sneaked though Eset detection.

Tested yesterday with a 55 MB download and Liveguard submitted the entire .exe file.

Today, retested using the Kaspersky Virus Removal Tool download. Note this download is updated daily with new malware detection's resulting in a new file hash value. Upon file download, no LiveGuard submission as expected since this file being 111 MB, exceeded LiveGuard's maximum file submission size of 64 MB.

Edited by itman
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...