itman
Posted May 7, 2022 (edited)

As far as I am concerned there is a timing issue in regards to LiveGuard uploads.

This morning I went to the Kaspersky Virus Removal Tool web site using Firefox. Upon access to the web site and in anticipation of me performing an actual download, Firefox did a partial download of the KVRT.exe file. LiveGuard immediately sent this to the cloud and generated a desktop alert:

Time;Hash;File;Size;Category;Reason;Sent to;User
5/7/2022 9:31:19 AM;2A589D5ED79B97DDF45432A24650ACF81ABA2F1E;C:\Users\xxxxxx\Downloads\KTLQMcZI.exe.part;45088768;Executable;Automatic;ESET LiveGuard;xxxxxxx

Time;Component;Event;User
5/7/2022 9:31:19 AM;ESET Kernel;File 'KTLQMcZI.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM

Of note is I did not actually download the app and exited the web site. That was it for any other LiveGuard alerting or logging activity.

Shortly thereafter, I did actually return to the web site and perform an actual download:

Note that the actual size of the KVRT.exe download is 114 MB.

Edited May 7, 2022 by itman

itman
Posted May 8, 2022 (edited)

I finally resolved these partial file uploads to LiveGuard via Firefox downloading.

By "playing around" with Firefox download settings, I was able to eliminate Firefox creating .part file downloads in %LocalAppData%\Temp directory. Now all Firefox .part file downloads go directly to my Downloads directory. Unfortunately, this change also activated Firefox's new download behavior where the download occurs immediately upon access to any web site where a download option is presented. As such and as far as I am concerned, setting Firefox's download option to always ask where the download should be stored is a must to prevent a drive-by download attack that sneaked through Eset detection.

Tested yesterday with a 55 MB download and LiveGuard submitted the entire .exe file.

Today, retested using the Kaspersky Virus Removal Tool download. Note this download is updated daily with new malware detections resulting in a new file hash value. Upon file download, no LiveGuard submission as expected since this file being 111 MB, exceeded LiveGuard's maximum file submission size of 64 MB.

Edited May 8, 2022 by itman
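
An added example, not part of the posts above and not ESET code: a Python sketch that parses the semicolon-delimited sent-files log in the format quoted in the first post and flags submissions of unfinished browser downloads, noting whether each was under the 64 MB limit mentioned in the second post. The sample rows are constructed (the first mirrors the quoted entry, the second uses a placeholder hash and file name); reading 64 MB as 64 * 1024 * 1024 bytes, the M/D/YYYY date format, and the `.crdownload` suffix are assumptions.

```python
import csv
import io
from datetime import datetime

# Assumption: the 64 MB limit quoted in the thread means 64 * 1024 * 1024 bytes.
MAX_SUBMIT_BYTES = 64 * 1024 * 1024
# In-progress download suffixes: .part is the Firefox one from the thread,
# .crdownload (Chromium) is added here as an assumption.
PARTIAL_SUFFIXES = (".part", ".crdownload")

# Constructed sample in the export format quoted in the first post.
SAMPLE_LOG = r"""Time;Hash;File;Size;Category;Reason;Sent to;User
5/7/2022 9:31:19 AM;2A589D5ED79B97DDF45432A24650ACF81ABA2F1E;C:\Users\xxxxxx\Downloads\KTLQMcZI.exe.part;45088768;Executable;Automatic;ESET LiveGuard;xxxxxxx
5/7/2022 2:05:44 PM;0000000000000000000000000000000000000000;C:\Users\xxxxxx\Downloads\example-setup.exe;57671680;Executable;Automatic;ESET LiveGuard;xxxxxxx
"""

def parse_sent_files(text):
    """Parse the semicolon-delimited export into dicts with typed Time/Size."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), delimiter=";"):
        rec["Time"] = datetime.strptime(rec["Time"], "%m/%d/%Y %I:%M:%S %p")
        rec["Size"] = int(rec["Size"])
        rows.append(rec)
    return rows

def flag_partial_submissions(rows):
    """Return submissions whose file name marks an unfinished download."""
    findings = []
    for rec in rows:
        name = rec["File"].rsplit("\\", 1)[-1]
        if name.lower().endswith(PARTIAL_SUFFIXES):
            findings.append({
                "time": rec["Time"],
                "file": name,
                "sha1": rec["Hash"],  # hash of the fragment, not the finished file
                "size_mib": round(rec["Size"] / 2**20, 1),
                "under_limit": rec["Size"] <= MAX_SUBMIT_BYTES,
            })
    return findings

if __name__ == "__main__":
    for f in flag_partial_submissions(parse_sent_files(SAMPLE_LOG)):
        print(f"{f['time']:%Y-%m-%d %H:%M:%S} partial upload: {f['file']} "
              f"({f['size_mib']} MiB, under limit: {f['under_limit']})")
```

The hash logged for a `.part` entry is that of the fragment, so it will not match the hash of the completed download.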