LiveGuard can automatically block a suspicious file but cannot upload it to the cloud

[AnthonyQ 31]

Hi,

I have noticed that the LiveGuard feature is not working properly on my PC recently.

On my PC, when I download a new malware sample that is not detected by ESET's scanner, this file:

• will be automatically blocked from access by LiveGuard for a given period of time (7 mins in my case);
• will not be automatically uploaded to the cloud sandbox for analysis (no relevant log in "Sent Files", no outbound traffic can be seen);
• will be unblocked after the given period of time, and a notification saying ESET LiveGuard needs more time to analyze file will appear;
• can be uploaded to the cloud sandbox manually via context menu (outbound traffic and relevant logs in "Sent Files" can be seen after a manual submission).

But according to my knowledge, by default, if a file has not been analyzed by LiveGuard, this file will be automatically blocked and immediately sent to the cloud for analysis. If a file has been analyzed by LiveGuard, this file will be automatically blocked for 0-2 mins while retrieving the verdict.

[itman 1,407]

No problem here using ESSP ver. 15.2.11.

Downloading a Palo Alto malware test file that generates a unique hash value upon download yields the following:

1. Desktop alert displayed showing file sent to Eset VirusLab.

2. Eset log entries created confirming the submission to LiveGuard;

Time;Component;Event;User
8/3/2022 9:04:52 AM;ESET Kernel;File 'oJKGU3tb.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM

Time;Hash;File;Size;Category;Reason;Sent to;User
8/3/2022 9:04:52 AM;458576C74B7D8702A64641498FC15D179C725AA6;C:\Users\xxxxxx\Downloads\oJKGU3tb.exe.part;55296;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxxxx

3, Attempt to run the download yields desktop alert file is blocked due to LiveGuard analysis underway. This activity also creates a corresponding log entry;

Time;Component;Event;User
8/3/2022 9:06:22 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxx

4. Because of above no. 3 activity, I received an Eset desktop alert and corresponding log entry that file was safe;

Time;Component;Event;User
8/3/2022 9:08:06 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxx

[AnthonyQ 31]

2 minutes ago, itman said:

No problem here using ESSP ver. 15.2.11.

Downloading a Palo Alto malware test file that generates a unique hash value upon download yields the following:

1. Desktop alert displayed showing file sent to Eset VirusLab.

2. Eset log entries created confirming the submission to LiveGuard;

Time;Component;Event;User
8/3/2022 9:04:52 AM;ESET Kernel;File 'oJKGU3tb.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM

Time;Hash;File;Size;Category;Reason;Sent to;User
8/3/2022 9:04:52 AM;458576C74B7D8702A64641498FC15D179C725AA6;C:\Users\xxxxxx\Downloads\oJKGU3tb.exe.part;55296;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxxxx

3, Attempt to run the download yields desktop alert file is blocked due to LiveGuard analysis underway. This activity also creates a corresponding log entry;

Time;Component;Event;User
8/3/2022 9:06:22 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxx

4. Because of above no. 3 activity, I received an Eset desktop alert and corresponding log entry that file was safe;

Time;Component;Event;User
8/3/2022 9:08:06 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxx

So I stressed that this issue only happened on my PC. I've tried to reinstall ESSP but it won't help.

Edited August 3 by AnthonyQ

[itman 1,407]

Your file was downloaded via a browser?

Was the file .exe or something else?

[AnthonyQ 31]

5 minutes ago, itman said:

Your file was downloaded via a browser?

Was the file .exe or something else?

Yes.

Yes. .exe files.

As these files are blocked by LiveGuard, I'm sure LiveGuard has been triggered.

[itman 1,407]

50 minutes ago, AnthonyQ said:

But according to my knowledge, by default, if a file has not been analyzed by LiveGuard, this file will be automatically blocked and immediately sent to the cloud for analysis.

Actually, this assumption is incorrect.

LiveGuard doesn't work like MD BAFS processing which submits to the cloud any file not previously scanned. LiveGuard submission is conditioned upon Eset local heuristic analysis verdict as I understand it. If local heuristic analysis verdict doesn't detect anything, there won't be a LiveGuard submission. On the other hand, I have seen Eset submit files to LiveGrid for further review in this situation.

[AnthonyQ 31]

1 minute ago, itman said:

Actually, this assumption is incorrect.

LiveGuard doesn't work like MD BAFS processing which submits to the cloud any file not previously scanned. LiveGuard submission is conditioned upon Eset local heuristic analysis verdict as I understand it. If local heuristic analysis verdict doesn't detect anything, there won't be a LiveGuard submission. On the other hand, I have seen Eset submit files to LiveGrid for further review in this situation.

I see. But that's irrelevant in my case. 

[Marcos 4,289]

Please provide ELC logs as well as SHA1 hashes of some of the files that you have downloaded and expected them to be submitted to LiveGuard.

[itman 1,407]

I will also note that since I am located in the U.S., I am connecting to Eset LiveGuard server located in San Diego, CA. There might be an issue with other locals that are connecting to Eset LiveGuard server located in Slovakia.

[AnthonyQ 31]

29 minutes ago, Marcos said:

Please provide ESET Log Collector logs as well as SHA1 hashes of some of the files that you have downloaded and expected them to be submitted to LiveGuard.

ESET Log Collector logs as attached. 

Some of the hashes of the files that I think should be detected are:

8445991990bf9b3b94608ac2beaa341fcda13993 - Blocked by LiveGuard but not uploaded to the cloud

dd567a62cabfc7c3b782d0e6352980298633e458 - Blocked by LiveGuard but not uploaded to the cloud

A8EF96E5DC42057CB09465FAE8E9F3A3240C90AB - couldn't submitted automatically; submitted manually instead

A77504203D0BF9DF4B754A113530004DCC637807 - couldn't submitted automatically; submitted manually instead

A80A2C03EE389BE9146E88B0F83CC0A2A2290DCD - couldn't submitted automatically; submitted manually instead

essp_logs.zip

Edited August 3 by AnthonyQ

[AnthonyQ 31]

Another hash: d9108ee2137524c1963fe4419914beb78ad6358f - Blocked by LiveGuard but not uploaded to the cloud

[itman 1,407]

4 hours ago, AnthonyQ said:

8445991990bf9b3b94608ac2beaa341fcda13993 - Blocked by LiveGuard but not uploaded to the cloud

Eset still doesn't detect the above file at VT. I have a theory on what might be going on here.

At the time of your download, the file was previously submitted to Eset cloud. The file is still under evaluation by the VirusLab.

Since the file had been previously submitted, LiveGuard did not submit it again. LiveGuard however did query the Eset cloud for a status on this file and could not obtain one - safe or malicious. The file subsequently just sat in the cloud until it timed out. 

If my theory is correct, Eset needs to return a suspicious verdict to the submitted device along the line of "Suspicious - currently under VirusLab review" and quarantine the file. Once the file verdict has been rendered and if its a safe one, Eset restores the file from quarantine; this part is where "the Eset rub" lies.

Edited August 3 by itman

[SeriousHoax 54]

40 minutes ago, itman said:

Eset still doesn't detect the above file at VT. I have a theory on what might be going on here.

At the time of your download, the file was previously submitted to Eset cloud. The file is still under evaluation by the VirusLab.

Since the file had been previously submitted, LiveGuard did not submit it again. LiveGuard however did query the Eset cloud for a status on this file and could not obtain one - safe or malicious. The file subsequently just sat in the cloud until it timed out. 

If my theory is correct, Eset needs to return a suspicious verdict to the submitted device along the line of "Suspicious - currently under VirusLab review" and quarantine the file. Once the file verdict has been rendered and if its a safe one, Eset restores the file from quarantine; this part is where "the Eset rub" lies.

LiveGuard now gives this file a safe verdict. 

[itman 1,407]

3 hours ago, SeriousHoax said:

LiveGuard now gives this file a safe verdict. 

Did you verify that the file was actually sent to LiveGuard? The Eset Sent log entry should show a file of approx. 2.19 MB.

[SeriousHoax 54]

11 hours ago, itman said:

Did you verify that the file was actually sent to LiveGuard? The Eset Sent log entry should show a file of approx. 2.19 MB.

Yeah, I did. It was sent, the file was blocked initially, and a verdict was received within a few minutes.

[itman 1,407]

10 hours ago, SeriousHoax said:

Yeah, I did. It was sent, the file was blocked initially, and a verdict was received within a few minutes.

This indicates the OP was correct and this sample was never submitted to LiveGuard. If it was previously submitted, it wouldn't have been when you submitted it.

It would be informative to find out why the OP's LiveGuard submissions didn't occur.

[SeriousHoax 54]

@MarcosCan you please check this sample? LiveGuard said it's safe, but it has 45 detections in VirusTotal. 

https://www.virustotal.com/gui/file/e4abd9b47864d4868de2945f573efe301dc77c00df865749b170dfb33e55a3f7/detection

[itman 1,407]

4 hours ago, SeriousHoax said:

but it has 45 detections in VirusTotal

It now has 46 detections and Eset still doesn't detect it. The only other major AV not detecting it is F-Secure.

[SeriousHoax 54]

45 minutes ago, itman said:

It now has 46 detections and Eset still doesn't detect it. The only other major AV not detecting it is F-Secure.

Very weird from ESET. I wonder what's the reason? F-Secure also detects it since it uses full Avira SDK (signature+cloud) but F-Secure's detection for some reason doesn't show up in VT most of the time. 

Edit: It's now detected as suspicious. So, a cloud aka LiveGrid block/stream update. I guess Marcos/someone else saw my comment and reacted promptly.

Edited Saturday at 08:29 PM by SeriousHoax
Edit

[itman 1,407]

9 minutes ago, SeriousHoax said:

Edit: It's now detected as suspicious. So, a cloud aka LiveGrid block/stream update. I guess Marcos/someone else saw my comment and reacted promptly.

I just re-scanned at VT. F-Secure now detects but Eset still does not.

[AnthonyQ 31]

7 hours ago, SeriousHoax said:

@MarcosCan you please check this sample? LiveGuard said it's safe, but it has 45 detections in VirusTotal. 

https://www.virustotal.com/gui/file/e4abd9b47864d4868de2945f573efe301dc77c00df865749b170dfb33e55a3f7/detection

In fact, since last week, ESET has become very slow in analyzing the samples submitted via email.

[IvanL_5306 1]

14 hours ago, AnthonyQ said:

In fact, since last week, ESET has become very slow in analyzing the samples submitted via email.

They analyzed the samples but refused to reply the final verdict.