
LiveGuard can automatically block a suspicious file but cannot upload it to the cloud



Hi,

I have noticed that the LiveGuard feature is not working properly on my PC recently.

On my PC, when I download a new malware sample that is not detected by ESET's scanner, this file:

  • will be automatically blocked from access by LiveGuard for a given period of time (7 mins in my case);
  • will not be automatically uploaded to the cloud sandbox for analysis (no relevant log in "Sent Files", no outbound traffic can be seen);
  • will be unblocked after the given period of time, and a notification saying ESET LiveGuard needs more time to analyze file will appear;
  • can be uploaded to the cloud sandbox manually via context menu (outbound traffic and relevant logs in "Sent Files" can be seen after a manual submission).

But according to my knowledge, by default, if a file has not been analyzed by LiveGuard, this file will be automatically blocked and immediately sent to the cloud for analysis. If a file has been analyzed by LiveGuard, this file will be automatically blocked for 0-2 mins while retrieving the verdict.


No problem here using ESSP ver. 15.2.11.

Downloading a Palo Alto malware test file that generates a unique hash value upon download yields the following:

1. Desktop alert displayed showing file sent to Eset VirusLab.

2. Eset log entries created confirming the submission to LiveGuard;

Time;Component;Event;User
8/3/2022 9:04:52 AM;ESET Kernel;File 'oJKGU3tb.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM

Time;Hash;File;Size;Category;Reason;Sent to;User
8/3/2022 9:04:52 AM;458576C74B7D8702A64641498FC15D179C725AA6;C:\Users\xxxxxx\Downloads\oJKGU3tb.exe.part;55296;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxxxx

3. Attempt to run the download yields desktop alert file is blocked due to LiveGuard analysis underway. This activity also creates a corresponding log entry;

Time;Component;Event;User
8/3/2022 9:06:22 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxx

4. Because of above no. 3 activity, I received an Eset desktop alert and corresponding log entry that file was safe;

Time;Component;Event;User
8/3/2022 9:08:06 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxx


2 minutes ago, itman said:

No problem here using ESSP ver. 15.2.11.

Downloading a Palo Alto malware test file that generates a unique hash value upon download yields the following:

1. Desktop alert displayed showing file sent to Eset VirusLab.

2. Eset log entries created confirming the submission to LiveGuard;

Time;Component;Event;User
8/3/2022 9:04:52 AM;ESET Kernel;File 'oJKGU3tb.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM

Time;Hash;File;Size;Category;Reason;Sent to;User
8/3/2022 9:04:52 AM;458576C74B7D8702A64641498FC15D179C725AA6;C:\Users\xxxxxx\Downloads\oJKGU3tb.exe.part;55296;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxxxx

3. Attempt to run the download yields desktop alert file is blocked due to LiveGuard analysis underway. This activity also creates a corresponding log entry;

Time;Component;Event;User
8/3/2022 9:06:22 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxx

4. Because of above no. 3 activity, I received an Eset desktop alert and corresponding log entry that file was safe;

Time;Component;Event;User
8/3/2022 9:08:06 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxx

So I stressed that this issue only happened on my PC. I've tried to reinstall ESSP but it won't help.

Edited by AnthonyQ

5 minutes ago, itman said:

Your file was downloaded via a browser?

Was the file .exe or something else?

Yes.

Yes. .exe files.

As these files are blocked by LiveGuard, I'm sure LiveGuard has been triggered.


50 minutes ago, AnthonyQ said:

But according to my knowledge, by default, if a file has not been analyzed by LiveGuard, this file will be automatically blocked and immediately sent to the cloud for analysis.

Actually, this assumption is incorrect.

LiveGuard doesn't work like MD BAFS processing which submits to the cloud any file not previously scanned. LiveGuard submission is conditioned upon Eset local heuristic analysis verdict as I understand it. If local heuristic analysis verdict doesn't detect anything, there won't be a LiveGuard submission. On the other hand, I have seen Eset submit files to LiveGrid for further review in this situation.


1 minute ago, itman said:

Actually, this assumption is incorrect.

LiveGuard doesn't work like MD BAFS processing which submits to the cloud any file not previously scanned. LiveGuard submission is conditioned upon Eset local heuristic analysis verdict as I understand it. If local heuristic analysis verdict doesn't detect anything, there won't be a LiveGuard submission. On the other hand, I have seen Eset submit files to LiveGrid for further review in this situation.

I see. But that's irrelevant in my case. 


  • Administrators

Please provide ELC logs as well as SHA1 hashes of some of the files that you have downloaded and expected them to be submitted to LiveGuard.


I will also note that since I am located in the U.S., I am connecting to the Eset LiveGuard server located in San Diego, CA. There might be an issue with other locales that are connecting to the Eset LiveGuard server located in Slovakia.


29 minutes ago, Marcos said:

Please provide ESET Log Collector logs as well as SHA1 hashes of some of the files that you have downloaded and expected them to be submitted to LiveGuard.

ESET Log Collector logs as attached. 

Some of the hashes of the files that I think should be detected are:

8445991990bf9b3b94608ac2beaa341fcda13993 - Blocked by LiveGuard but not uploaded to the cloud

dd567a62cabfc7c3b782d0e6352980298633e458 - Blocked by LiveGuard but not uploaded to the cloud

A8EF96E5DC42057CB09465FAE8E9F3A3240C90AB - couldn't be submitted automatically; submitted manually instead

A77504203D0BF9DF4B754A113530004DCC637807 - couldn't be submitted automatically; submitted manually instead

A80A2C03EE389BE9146E88B0F83CC0A2A2290DCD - couldn't be submitted automatically; submitted manually instead

essp_logs.zip

Edited by AnthonyQ
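The two posts above compare what a normal LiveGuard submission looks like in the "Sent files" log export (itman's semicolon-delimited entries) with a list of SHA1 hashes that the OP expected to see there but did not. A quick way to make that comparison repeatable is to parse the export and ask, per hash, whether it was sent automatically, manually, or not at all. The script below is an added example written for this thread, not ESET's own tooling; it assumes the export keeps the header and semicolon layout shown in the posts. The first record is the one quoted in the thread (user name already anonymised there); the second record is constructed to stand in for a manual submission.

```python
import csv
import io

# Constructed sample of a "Sent files" log export in the layout the forum posts show:
# a header row followed by semicolon-delimited records. Raw string so the Windows
# paths keep their backslashes untouched.
SENT_FILES_EXPORT = r"""Time;Hash;File;Size;Category;Reason;Sent to;User
8/3/2022 9:04:52 AM;458576C74B7D8702A64641498FC15D179C725AA6;C:\Users\xxxxxx\Downloads\oJKGU3tb.exe.part;55296;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxxxx
8/4/2022 10:15:01 AM;A8EF96E5DC42057CB09465FAE8E9F3A3240C90AB;C:\Users\xxxxxx\Downloads\sample.exe;2297856;Executable;Manual;ESET LiveGuard;xxxxxxxxxxxxx
"""

# Hashes from the thread that the OP reported as blocked but never uploaded.
EXPECTED_SUBMISSIONS = [
    "8445991990bf9b3b94608ac2beaa341fcda13993",
    "dd567a62cabfc7c3b782d0e6352980298633e458",
    "A8EF96E5DC42057CB09465FAE8E9F3A3240C90AB",
]


def parse_sent_files(export_text):
    """Parse the export into a list of dicts keyed by the header fields."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter=";")
    return [row for row in reader]


def submission_status(records, sha1):
    """Return 'automatic', 'manual' or 'not sent' for a SHA1 (case-insensitive match).

    Only records whose 'Sent to' column is ESET LiveGuard count; an automatic
    submission takes precedence if the same hash was also sent manually later.
    """
    wanted = sha1.strip().lower()
    reasons = {
        row["Reason"].strip().lower()
        for row in records
        if row["Hash"].strip().lower() == wanted
        and row["Sent to"].strip() == "ESET LiveGuard"
    }
    if "automatic" in reasons:
        return "automatic"
    if "manual" in reasons:
        return "manual"
    return "not sent"


def report(records, hashes):
    """Map each hash to its submission status so gaps stand out at a glance."""
    return {h: submission_status(records, h) for h in hashes}


if __name__ == "__main__":
    sent = parse_sent_files(SENT_FILES_EXPORT)
    for sha1, status in report(sent, EXPECTED_SUBMISSIONS).items():
        print(f"{sha1}  {status}")
```

Run against a real export (Tools > Log files > Sent files, exported to a text file), replace `SENT_FILES_EXPORT` with the file contents and the hash list with the files in question; any hash that comes back "not sent" after the blocking notification is the behaviour the OP describes, and is worth including alongside the ESET Log Collector archive when reporting it.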

Another hash: d9108ee2137524c1963fe4419914beb78ad6358f - Blocked by LiveGuard but not uploaded to the cloud


4 hours ago, AnthonyQ said:

8445991990bf9b3b94608ac2beaa341fcda13993 - Blocked by LiveGuard but not uploaded to the cloud

Eset still doesn't detect the above file at VT. I have a theory on what might be going on here.

At the time of your download, the file was previously submitted to Eset cloud. The file is still under evaluation by the VirusLab.

Since the file had been previously submitted, LiveGuard did not submit it again. LiveGuard however did query the Eset cloud for a status on this file and could not obtain one - safe or malicious. The file subsequently just sat in the cloud until it timed out. 

If my theory is correct, Eset needs to return a suspicious verdict to the submitting device along the lines of "Suspicious - currently under VirusLab review" and quarantine the file. Once the file verdict has been rendered and if it's a safe one, Eset restores the file from quarantine; this part is where "the Eset rub" lies.

Edited by itman

40 minutes ago, itman said:

Eset still doesn't detect the above file at VT. I have a theory on what might be going on here.

At the time of your download, the file was previously submitted to Eset cloud. The file is still under evaluation by the VirusLab.

Since the file had been previously submitted, LiveGuard did not submit it again. LiveGuard however did query the Eset cloud for a status on this file and could not obtain one - safe or malicious. The file subsequently just sat in the cloud until it timed out. 

If my theory is correct, Eset needs to return a suspicious verdict to the submitting device along the lines of "Suspicious - currently under VirusLab review" and quarantine the file. Once the file verdict has been rendered and if it's a safe one, Eset restores the file from quarantine; this part is where "the Eset rub" lies.

LiveGuard now gives this file a safe verdict. 


3 hours ago, SeriousHoax said:

LiveGuard now gives this file a safe verdict. 

Did you verify that the file was actually sent to LiveGuard? The Eset Sent log entry should show a file of approx. 2.19 MB.


11 hours ago, itman said:

Did you verify that the file was actually sent to LiveGuard? The Eset Sent log entry should show a file of approx. 2.19 MB.

Yeah, I did. It was sent, the file was blocked initially, and a verdict was received within a few minutes.



10 hours ago, SeriousHoax said:

Yeah, I did. It was sent, the file was blocked initially, and a verdict was received within a few minutes.

This indicates the OP was correct and this sample was never submitted to LiveGuard. If it was previously submitted, it wouldn't have been when you submitted it.

It would be informative to find out why the OP's LiveGuard submissions didn't occur.


45 minutes ago, itman said:

It now has 46 detections and Eset still doesn't detect it. The only other major AV not detecting it is F-Secure.

Very weird from ESET. I wonder what's the reason? F-Secure also detects it since it uses full Avira SDK (signature+cloud) but F-Secure's detection for some reason doesn't show up in VT most of the time. 

Edit: It's now detected as suspicious. So, a cloud aka LiveGrid block/stream update. I guess Marcos/someone else saw my comment and reacted promptly.

Edited by SeriousHoax

9 minutes ago, SeriousHoax said:

Edit: It's now detected as suspicious. So, a cloud aka LiveGrid block/stream update. I guess Marcos/someone else saw my comment and reacted promptly.

I just re-scanned at VT. F-Secure now detects but Eset still does not.


7 hours ago, SeriousHoax said:

@Marcos Can you please check this sample? LiveGuard said it's safe, but it has 45 detections in VirusTotal.

https://www.virustotal.com/gui/file/e4abd9b47864d4868de2945f573efe301dc77c00df865749b170dfb33e55a3f7/detection

In fact, since last week, ESET has become very slow in analyzing the samples submitted via email.
