AnthonyQ 31 Posted August 3
Hi, I have noticed that the LiveGuard feature is not working properly on my PC recently. On my PC, when I download a new malware sample that is not detected by ESET's scanner, this file:
- will be automatically blocked from access by LiveGuard for a given period of time (7 mins in my case);
- will not be automatically uploaded to the cloud sandbox for analysis (no relevant log in "Sent Files", no outbound traffic can be seen);
- will be unblocked after the given period of time, and a notification saying ESET LiveGuard needs more time to analyze the file will appear;
- can be uploaded to the cloud sandbox manually via the context menu (outbound traffic and relevant logs in "Sent Files" can be seen after a manual submission).
But according to my knowledge, by default, if a file has not been analyzed by LiveGuard, this file will be automatically blocked and immediately sent to the cloud for analysis. If a file has been analyzed by LiveGuard, this file will be automatically blocked for 0-2 mins while retrieving the verdict.
itman 1,407 Posted August 3
No problem here using ESSP ver. 15.2.11. Downloading a Palo Alto malware test file that generates a unique hash value upon download yields the following:
1. Desktop alert displayed showing file sent to Eset VirusLab.
2. Eset log entries created confirming the submission to LiveGuard:
Time;Component;Event;User
8/3/2022 9:04:52 AM;ESET Kernel;File 'oJKGU3tb.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM
Time;Hash;File;Size;Category;Reason;Sent to;User
8/3/2022 9:04:52 AM;458576C74B7D8702A64641498FC15D179C725AA6;C:\Users\xxxxxx\Downloads\oJKGU3tb.exe.part;55296;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxxxx
3. Attempting to run the download yields a desktop alert that the file is blocked due to LiveGuard analysis underway. This activity also creates a corresponding log entry:
Time;Component;Event;User
8/3/2022 9:06:22 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxx
4. Because of the above no. 3 activity, I received an Eset desktop alert and corresponding log entry that the file was safe:
Time;Component;Event;User
8/3/2022 9:08:06 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxx
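The healthy sequence above pairs a "Sent Files" entry with the later "is analyzing" block event, whereas the symptom described in the opening post is a block with no submission behind it. As an added example (not code from this thread or from ESET), the Python check below runs over constructed log lines modelled on the exported entries quoted above and flags block events that no automatic LiveGuard submission preceded; the export layout, column names, user values and the 10-minute pairing window are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports modelled on the entries quoted in the thread
# (column layout is assumed). The 9:04-9:08 rows mirror the healthy case;
# the 10:30 block has no matching "Sent Files" row, which is the OP's symptom.
EVENTS_LOG = r"""Time;Component;Event;User
8/3/2022 9:04:52 AM;ESET Kernel;File 'oJKGU3tb.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM
8/3/2022 9:06:22 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.;user1
8/3/2022 9:08:06 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;user1
8/3/2022 10:30:10 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.;user1
"""
SENT_LOG = r"""Time;Hash;File;Size;Category;Reason;Sent to;User
8/3/2022 9:04:52 AM;458576C74B7D8702A64641498FC15D179C725AA6;C:\Users\user1\Downloads\oJKGU3tb.exe.part;55296;Executable;Automatic;ESET LiveGuard;user1
"""
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # timestamp style seen in the quoted entries


def parse_log(text):
    """Parse a semicolon-separated ESET log export into rows with a datetime."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter=";"))
    for row in rows:
        row["Time"] = datetime.strptime(row["Time"], TIME_FMT)
    return rows


def find_unsubmitted_blocks(events_text, sent_text, window=timedelta(minutes=10)):
    """Return timestamps of LiveGuard block events that no automatic
    LiveGuard submission preceded within `window` (the failure the OP saw)."""
    submitted = [r["Time"] for r in parse_log(sent_text)
                 if r["Sent to"] == "ESET LiveGuard" and r["Reason"] == "Automatic"]
    unmatched = []
    for ev in parse_log(events_text):
        if "LiveGuard is analyzing the file" not in ev["Event"]:
            continue
        t = ev["Time"]
        # Healthy: a submission landed shortly before the block was raised.
        if not any(t - window <= s <= t for s in submitted):
            unmatched.append(t.isoformat(sep=" "))
    return unmatched


if __name__ == "__main__":
    for stamp in find_unsubmitted_blocks(EVENTS_LOG, SENT_LOG):
        print(f"{stamp}: blocked by LiveGuard but no automatic submission logged")
```

Point the two constants at real "Events" and "Sent Files" exports (same delimiter and columns) to reproduce the correlation on a machine showing the behaviour.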
AnthonyQ 31 Posted August 3 (Author, edited)
2 minutes ago, itman said:
No problem here using ESSP ver. 15.2.11. Downloading a Palo Alto malware test file that generates a unique hash value upon download yields the following:
1. Desktop alert displayed showing file sent to Eset VirusLab.
2. Eset log entries created confirming the submission to LiveGuard:
Time;Component;Event;User
8/3/2022 9:04:52 AM;ESET Kernel;File 'oJKGU3tb.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM
Time;Hash;File;Size;Category;Reason;Sent to;User
8/3/2022 9:04:52 AM;458576C74B7D8702A64641498FC15D179C725AA6;C:\Users\xxxxxx\Downloads\oJKGU3tb.exe.part;55296;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxxxx
3. Attempting to run the download yields a desktop alert that the file is blocked due to LiveGuard analysis underway. This activity also creates a corresponding log entry:
Time;Component;Event;User
8/3/2022 9:06:22 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxx
4. Because of the above no. 3 activity, I received an Eset desktop alert and corresponding log entry that the file was safe:
Time;Component;Event;User
8/3/2022 9:08:06 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxx
So I stressed that this issue only happened on my PC. I've tried reinstalling ESSP, but that didn't help.
Edited August 3 by AnthonyQ
itman 1,407 Posted August 3
Was your file downloaded via a browser? Was the file an .exe or something else?
AnthonyQ 31 Posted August 3 (Author)
5 minutes ago, itman said:
Was your file downloaded via a browser? Was the file an .exe or something else?
Yes. Yes, .exe files. As these files are blocked by LiveGuard, I'm sure LiveGuard has been triggered.
itman 1,407 Posted August 3
50 minutes ago, AnthonyQ said:
But according to my knowledge, by default, if a file has not been analyzed by LiveGuard, this file will be automatically blocked and immediately sent to the cloud for analysis.
Actually, this assumption is incorrect. LiveGuard doesn't work like MD BAFS processing, which submits to the cloud any file not previously scanned. LiveGuard submission is conditioned upon the Eset local heuristic analysis verdict, as I understand it. If the local heuristic analysis verdict doesn't detect anything, there won't be a LiveGuard submission. On the other hand, I have seen Eset submit files to LiveGrid for further review in this situation.
AnthonyQ 31 Posted August 3 (Author)
1 minute ago, itman said:
Actually, this assumption is incorrect. LiveGuard doesn't work like MD BAFS processing, which submits to the cloud any file not previously scanned. LiveGuard submission is conditioned upon the Eset local heuristic analysis verdict, as I understand it. If the local heuristic analysis verdict doesn't detect anything, there won't be a LiveGuard submission. On the other hand, I have seen Eset submit files to LiveGrid for further review in this situation.
I see. But that's irrelevant in my case.
Marcos (Administrators) 4,289 Posted August 3
Please provide ELC logs as well as SHA1 hashes of some of the files that you have downloaded and expected to be submitted to LiveGuard.
itman 1,407 Posted August 3
I will also note that since I am located in the U.S., I am connecting to the Eset LiveGuard server located in San Diego, CA. There might be an issue with other locales that are connecting to the Eset LiveGuard server located in Slovakia.
AnthonyQ 31 Posted August 3 (Author, edited)
29 minutes ago, Marcos said:
Please provide ESET Log Collector logs as well as SHA1 hashes of some of the files that you have downloaded and expected to be submitted to LiveGuard.
ESET Log Collector logs are attached. Some of the hashes of the files that I think should be detected are:
8445991990bf9b3b94608ac2beaa341fcda13993 - Blocked by LiveGuard but not uploaded to the cloud
dd567a62cabfc7c3b782d0e6352980298633e458 - Blocked by LiveGuard but not uploaded to the cloud
A8EF96E5DC42057CB09465FAE8E9F3A3240C90AB - couldn't be submitted automatically; submitted manually instead
A77504203D0BF9DF4B754A113530004DCC637807 - couldn't be submitted automatically; submitted manually instead
A80A2C03EE389BE9146E88B0F83CC0A2A2290DCD - couldn't be submitted automatically; submitted manually instead
Attachment: essp_logs.zip
Edited August 3 by AnthonyQ
AnthonyQ 31 Posted August 3 (Author)
Another hash: d9108ee2137524c1963fe4419914beb78ad6358f - Blocked by LiveGuard but not uploaded to the cloud
itman 1,407 Posted August 3 (edited)
4 hours ago, AnthonyQ said:
8445991990bf9b3b94608ac2beaa341fcda13993 - Blocked by LiveGuard but not uploaded to the cloud
Eset still doesn't detect the above file at VT. I have a theory on what might be going on here. At the time of your download, the file had previously been submitted to the Eset cloud. The file is still under evaluation by the VirusLab. Since the file had been previously submitted, LiveGuard did not submit it again. LiveGuard however did query the Eset cloud for a status on this file and could not obtain one, safe or malicious. The file subsequently just sat in the cloud until it timed out. If my theory is correct, Eset needs to return a suspicious verdict to the submitting device along the lines of "Suspicious - currently under VirusLab review" and quarantine the file. Once the file verdict has been rendered, and if it's a safe one, Eset restores the file from quarantine; this part is where "the Eset rub" lies.
Edited August 3 by itman
SeriousHoax 54 Posted August 3
40 minutes ago, itman said:
Eset still doesn't detect the above file at VT. I have a theory on what might be going on here. At the time of your download, the file had previously been submitted to the Eset cloud. The file is still under evaluation by the VirusLab. Since the file had been previously submitted, LiveGuard did not submit it again. LiveGuard however did query the Eset cloud for a status on this file and could not obtain one, safe or malicious. The file subsequently just sat in the cloud until it timed out. If my theory is correct, Eset needs to return a suspicious verdict to the submitting device along the lines of "Suspicious - currently under VirusLab review" and quarantine the file. Once the file verdict has been rendered, and if it's a safe one, Eset restores the file from quarantine; this part is where "the Eset rub" lies.
LiveGuard now gives this file a safe verdict.
itman 1,407 Posted August 3
3 hours ago, SeriousHoax said:
LiveGuard now gives this file a safe verdict.
Did you verify that the file was actually sent to LiveGuard? The Eset Sent log entry should show a file of approx. 2.19 MB.
SeriousHoax 54 Posted August 4
11 hours ago, itman said:
Did you verify that the file was actually sent to LiveGuard? The Eset Sent log entry should show a file of approx. 2.19 MB.
Yeah, I did. It was sent, the file was blocked initially, and a verdict was received within a few minutes.
itman 1,407 Posted Thursday at 08:49 PM
10 hours ago, SeriousHoax said:
Yeah, I did. It was sent, the file was blocked initially, and a verdict was received within a few minutes.
This indicates the OP was correct and this sample was never submitted to LiveGuard. If it had been previously submitted, it wouldn't have been when you submitted it. It would be informative to find out why the OP's LiveGuard submissions didn't occur.
SeriousHoax 54 Posted Saturday at 02:45 PM
@Marcos Can you please check this sample? LiveGuard said it's safe, but it has 45 detections in VirusTotal. https://www.virustotal.com/gui/file/e4abd9b47864d4868de2945f573efe301dc77c00df865749b170dfb33e55a3f7/detection
itman 1,407 Posted Saturday at 07:43 PM
4 hours ago, SeriousHoax said:
but it has 45 detections in VirusTotal
It now has 46 detections and Eset still doesn't detect it. The only other major AV not detecting it is F-Secure.
SeriousHoax 54 Posted Saturday at 08:25 PM (edited)
45 minutes ago, itman said:
It now has 46 detections and Eset still doesn't detect it. The only other major AV not detecting it is F-Secure.
Very weird from ESET. I wonder what the reason is? F-Secure also detects it, since it uses the full Avira SDK (signature+cloud), but F-Secure's detection for some reason doesn't show up in VT most of the time.
Edit: It's now detected as suspicious. So, a cloud aka LiveGrid block/stream update. I guess Marcos/someone else saw my comment and reacted promptly.
Edited Saturday at 08:29 PM by SeriousHoax
itman 1,407 Posted Saturday at 08:36 PM
9 minutes ago, SeriousHoax said:
Edit: It's now detected as suspicious. So, a cloud aka LiveGrid block/stream update. I guess Marcos/someone else saw my comment and reacted promptly.
I just re-scanned at VT. F-Secure now detects it but Eset still does not.
AnthonyQ 31 Posted Saturday at 10:47 PM (Author)
7 hours ago, SeriousHoax said:
@Marcos Can you please check this sample? LiveGuard said it's safe, but it has 45 detections in VirusTotal. https://www.virustotal.com/gui/file/e4abd9b47864d4868de2945f573efe301dc77c00df865749b170dfb33e55a3f7/detection
In fact, since last week, ESET has become very slow in analyzing the samples submitted via email.
IvanL_5306 1 Posted Sunday at 01:47 PM
14 hours ago, AnthonyQ said:
In fact, since last week, ESET has become very slow in analyzing the samples submitted via email.
They analyzed the samples but refused to reply with the final verdict.