AnthonyQ 45 Posted August 3, 2022

Hi, I have noticed that the LiveGuard feature is not working properly on my PC recently. On my PC, when I download a new malware sample that is not detected by ESET's scanner, this file:
- will be automatically blocked from access by LiveGuard for a given period of time (7 mins in my case);
- will not be automatically uploaded to the cloud sandbox for analysis (no relevant log in "Sent Files", no outbound traffic can be seen);
- will be unblocked after the given period of time, and a notification saying ESET LiveGuard needs more time to analyze the file will appear;
- can be uploaded to the cloud sandbox manually via the context menu (outbound traffic and relevant logs in "Sent Files" can be seen after a manual submission).

But according to my knowledge, by default, if a file has not been analyzed by LiveGuard, it will be automatically blocked and immediately sent to the cloud for analysis. If a file has already been analyzed by LiveGuard, it will be automatically blocked for 0-2 mins while the verdict is retrieved.
itman 1,595 Posted August 3, 2022

No problem here using ESSP ver. 15.2.11. Downloading a Palo Alto malware test file that generates a unique hash value upon download yields the following:

1. Desktop alert displayed showing file sent to Eset VirusLab.

2. Eset log entries created confirming the submission to LiveGuard:
Time;Component;Event;User
8/3/2022 9:04:52 AM;ESET Kernel;File 'oJKGU3tb.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM
Time;Hash;File;Size;Category;Reason;Sent to;User
8/3/2022 9:04:52 AM;458576C74B7D8702A64641498FC15D179C725AA6;C:\Users\xxxxxx\Downloads\oJKGU3tb.exe.part;55296;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxxxx

3. Attempting to run the download yields a desktop alert that the file is blocked because LiveGuard analysis is underway. This activity also creates a corresponding log entry:
Time;Component;Event;User
8/3/2022 9:06:22 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxx

4. Because of the above no. 3 activity, I received an Eset desktop alert and corresponding log entry that the file was safe:
Time;Component;Event;User
8/3/2022 9:08:06 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxx
AnthonyQ 45 (Author) Posted August 3, 2022 (edited)

2 minutes ago, itman said:
No problem here using ESSP ver. 15.2.11. Downloading a Palo Alto malware test file that generates a unique hash value upon download yields the following:
1. Desktop alert displayed showing file sent to Eset VirusLab.
2. Eset log entries created confirming the submission to LiveGuard:
Time;Component;Event;User
8/3/2022 9:04:52 AM;ESET Kernel;File 'oJKGU3tb.exe.part' was sent to ESET Virus Lab for analysis.;SYSTEM
Time;Hash;File;Size;Category;Reason;Sent to;User
8/3/2022 9:04:52 AM;458576C74B7D8702A64641498FC15D179C725AA6;C:\Users\xxxxxx\Downloads\oJKGU3tb.exe.part;55296;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxxxx
3. Attempting to run the download yields a desktop alert that the file is blocked because LiveGuard analysis is underway. This activity also creates a corresponding log entry:
Time;Component;Event;User
8/3/2022 9:06:22 AM;ESET Kernel;ESET LiveGuard is analyzing the file to ensure it's safe to use. We will notify you in a few minutes.Unblock the file (not recommended)Change setup;xxxxxxxx
4. Because of the above no. 3 activity, I received an Eset desktop alert and corresponding log entry that the file was safe:
Time;Component;Event;User
8/3/2022 9:08:06 AM;ESET Kernel;ESET LiveGuard has analyzed a file. It is safe to use.;xxxxxxx

So I stressed that this issue only happened on my PC. I've tried reinstalling ESSP, but it didn't help.

Edited August 3, 2022 by AnthonyQ
itman 1,595 Posted August 3, 2022

Was your file downloaded via a browser? Was the file an .exe or something else?
AnthonyQ 45 (Author) Posted August 3, 2022

5 minutes ago, itman said:
Was your file downloaded via a browser? Was the file an .exe or something else?

Yes. Yes, .exe files. As these files are blocked by LiveGuard, I'm sure LiveGuard has been triggered.
itman 1,595 Posted August 3, 2022

50 minutes ago, AnthonyQ said:
But according to my knowledge, by default, if a file has not been analyzed by LiveGuard, this file will be automatically blocked and immediately sent to the cloud for analysis.

Actually, this assumption is incorrect. LiveGuard doesn't work like MD BAFS processing, which submits to the cloud any file not previously scanned. LiveGuard submission is conditioned upon the Eset local heuristic analysis verdict, as I understand it. If the local heuristic analysis verdict doesn't detect anything, there won't be a LiveGuard submission. On the other hand, I have seen Eset submit files to LiveGrid for further review in this situation.
AnthonyQ 45 (Author) Posted August 3, 2022

1 minute ago, itman said:
Actually, this assumption is incorrect. LiveGuard doesn't work like MD BAFS processing, which submits to the cloud any file not previously scanned. LiveGuard submission is conditioned upon the Eset local heuristic analysis verdict, as I understand it. If the local heuristic analysis verdict doesn't detect anything, there won't be a LiveGuard submission. On the other hand, I have seen Eset submit files to LiveGrid for further review in this situation.

I see. But that's irrelevant in my case.
Marcos (Administrator) 4,841 Posted August 3, 2022

Please provide ELC logs as well as SHA1 hashes of some of the files that you have downloaded and expected to be submitted to LiveGuard.
itman 1,595 Posted August 3, 2022

I will also note that since I am located in the U.S., I am connecting to the Eset LiveGuard server located in San Diego, CA. There might be an issue with other locales that are connecting to the Eset LiveGuard server located in Slovakia.
AnthonyQ 45 (Author) Posted August 3, 2022 (edited)

29 minutes ago, Marcos said:
Please provide ESET Log Collector logs as well as SHA1 hashes of some of the files that you have downloaded and expected to be submitted to LiveGuard.

ESET Log Collector logs are attached. Some of the hashes of the files that I think should be detected are:
8445991990bf9b3b94608ac2beaa341fcda13993 - Blocked by LiveGuard but not uploaded to the cloud
dd567a62cabfc7c3b782d0e6352980298633e458 - Blocked by LiveGuard but not uploaded to the cloud
A8EF96E5DC42057CB09465FAE8E9F3A3240C90AB - couldn't be submitted automatically; submitted manually instead
A77504203D0BF9DF4B754A113530004DCC637807 - couldn't be submitted automatically; submitted manually instead
A80A2C03EE389BE9146E88B0F83CC0A2A2290DCD - couldn't be submitted automatically; submitted manually instead

Attachment: essp_logs.zip

Edited August 3, 2022 by AnthonyQ
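As an added example (not ESET's code nor any poster's), here is a small Python checker over an ESET "Sent Files" export in the semicolon-separated layout itman posted above; it tells, for the SHA1 hashes AnthonyQ lists, whether each appears as an automatic LiveGuard submission, a manual one, or not at all. The export text is constructed: the first data row reproduces itman's log line, the second row and the third hash's absence are made up to show the other two outcomes.

```python
"""Classify expected LiveGuard submissions against an ESET 'Sent Files' export.

Added example, not ESET code. Column layout follows the header itman posted:
Time;Hash;File;Size;Category;Reason;Sent to;User
"""
import csv
from io import StringIO

# Constructed sample export. Row 1 is itman's real log line; row 2 is made up
# (a manual submission, cf. AnthonyQ's "submitted manually instead").
SENT_FILES_EXPORT = r"""Time;Hash;File;Size;Category;Reason;Sent to;User
8/3/2022 9:04:52 AM;458576C74B7D8702A64641498FC15D179C725AA6;C:\Users\xxxxxx\Downloads\oJKGU3tb.exe.part;55296;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxxxx
8/3/2022 3:30:10 PM;A8EF96E5DC42057CB09465FAE8E9F3A3240C90AB;C:\Users\xxxxxx\Downloads\sample2.exe;2301952;Executable;Manual;ESET LiveGuard;xxxxxxxxxxxxx
"""

# Hashes from the thread: the first was blocked but never uploaded, the second
# was submitted manually, the third is itman's automatically submitted test file.
EXPECTED_HASHES = [
    "8445991990bf9b3b94608ac2beaa341fcda13993",
    "A8EF96E5DC42057CB09465FAE8E9F3A3240C90AB",
    "458576C74B7D8702A64641498FC15D179C725AA6",
]


def parse_sent_files(export_text):
    """Parse the semicolon-separated export into one dict per row."""
    reader = csv.DictReader(StringIO(export_text), delimiter=";")
    return [row for row in reader if row.get("Hash")]


def submission_status(export_text, sha1_hashes):
    """Map each SHA1 (case-insensitive) to 'automatic', 'manual' or 'not sent'.

    Only rows whose 'Sent to' column is ESET LiveGuard count; a row sent
    elsewhere (e.g. LiveGrid) does not prove a sandbox submission.
    """
    reason_by_hash = {}
    for row in parse_sent_files(export_text):
        if row["Sent to"].strip() != "ESET LiveGuard":
            continue
        reason_by_hash[row["Hash"].strip().upper()] = row["Reason"].strip().lower()
    return {h: reason_by_hash.get(h.upper(), "not sent") for h in sha1_hashes}


def not_auto_submitted(export_text, sha1_hashes):
    """Hashes that were expected to be uploaded but have no automatic submission."""
    status = submission_status(export_text, sha1_hashes)
    return sorted(h for h, s in status.items() if s != "automatic")
```

Run against a real export (Tools > Log files > Sent files, exported to a text file) the last function lists exactly the samples that match the "blocked but not uploaded" symptom described in this thread.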
AnthonyQ 45 (Author) Posted August 3, 2022

Another hash:
d9108ee2137524c1963fe4419914beb78ad6358f - Blocked by LiveGuard but not uploaded to the cloud
itman 1,595 Posted August 3, 2022 (edited)

4 hours ago, AnthonyQ said:
8445991990bf9b3b94608ac2beaa341fcda13993 - Blocked by LiveGuard but not uploaded to the cloud

Eset still doesn't detect the above file at VT. I have a theory on what might be going on here. At the time of your download, the file had previously been submitted to the Eset cloud. The file is still under evaluation by the VirusLab. Since the file had been previously submitted, LiveGuard did not submit it again. LiveGuard however did query the Eset cloud for a status on this file and could not obtain one - safe or malicious. The file subsequently just sat in the cloud until it timed out.

If my theory is correct, Eset needs to return a suspicious verdict to the submitting device along the lines of "Suspicious - currently under VirusLab review" and quarantine the file. Once the file verdict has been rendered, and if it's a safe one, Eset restores the file from quarantine; this part is where "the Eset rub" lies.

Edited August 3, 2022 by itman
SeriousHoax 80 Posted August 3, 2022

40 minutes ago, itman said:
Eset still doesn't detect the above file at VT. I have a theory on what might be going on here. At the time of your download, the file had previously been submitted to the Eset cloud. The file is still under evaluation by the VirusLab. Since the file had been previously submitted, LiveGuard did not submit it again. LiveGuard however did query the Eset cloud for a status on this file and could not obtain one - safe or malicious. The file subsequently just sat in the cloud until it timed out. If my theory is correct, Eset needs to return a suspicious verdict to the submitting device along the lines of "Suspicious - currently under VirusLab review" and quarantine the file. Once the file verdict has been rendered, and if it's a safe one, Eset restores the file from quarantine; this part is where "the Eset rub" lies.

LiveGuard now gives this file a safe verdict.
itman 1,595 Posted August 3, 2022

3 hours ago, SeriousHoax said:
LiveGuard now gives this file a safe verdict.

Did you verify that the file was actually sent to LiveGuard? The Eset Sent log entry should show a file of approx. 2.19 MB.
SeriousHoax 80 Posted August 4, 2022

11 hours ago, itman said:
Did you verify that the file was actually sent to LiveGuard? The Eset Sent log entry should show a file of approx. 2.19 MB.

Yeah, I did. It was sent, the file was blocked initially, and a verdict was received within a few minutes.
itman 1,595 Posted August 4, 2022

10 hours ago, SeriousHoax said:
Yeah, I did. It was sent, the file was blocked initially, and a verdict was received within a few minutes.

This indicates the OP was correct and this sample was never submitted to LiveGuard. If it had been previously submitted, it wouldn't have been when you submitted it. It would be informative to find out why the OP's LiveGuard submissions didn't occur.
SeriousHoax 80 Posted August 6, 2022

@Marcos Can you please check this sample? LiveGuard said it's safe, but it has 45 detections in VirusTotal.
https://www.virustotal.com/gui/file/e4abd9b47864d4868de2945f573efe301dc77c00df865749b170dfb33e55a3f7/detection
itman 1,595 Posted August 6, 2022

4 hours ago, SeriousHoax said:
but it has 45 detections in VirusTotal

It now has 46 detections and Eset still doesn't detect it. The only other major AV not detecting it is F-Secure.
SeriousHoax 80 Posted August 6, 2022 (edited)

45 minutes ago, itman said:
It now has 46 detections and Eset still doesn't detect it. The only other major AV not detecting it is F-Secure.

Very weird from ESET. I wonder what the reason is? F-Secure also detects it, since it uses the full Avira SDK (signature + cloud), but F-Secure's detection for some reason doesn't show up in VT most of the time.

Edit: It's now detected as suspicious. So, a cloud aka LiveGrid block/stream update. I guess Marcos or someone else saw my comment and reacted promptly.

Edited August 6, 2022 by SeriousHoax
itman 1,595 Posted August 6, 2022

9 minutes ago, SeriousHoax said:
Edit: It's now detected as suspicious. So, a cloud aka LiveGrid block/stream update. I guess Marcos or someone else saw my comment and reacted promptly.

I just re-scanned at VT. F-Secure now detects it, but Eset still does not.
AnthonyQ 45 (Author) Posted August 6, 2022

7 hours ago, SeriousHoax said:
@Marcos Can you please check this sample? LiveGuard said it's safe, but it has 45 detections in VirusTotal.
https://www.virustotal.com/gui/file/e4abd9b47864d4868de2945f573efe301dc77c00df865749b170dfb33e55a3f7/detection

In fact, since last week, ESET has become very slow in analyzing the samples submitted via email.
IvanL_5306 1 Posted August 7, 2022

14 hours ago, AnthonyQ said:
In fact, since last week, ESET has become very slow in analyzing the samples submitted via email.

They analyzed the samples but refused to reply with the final verdict.
AnthonyQ 45 (Author) Posted August 13, 2022

On 8/3/2022 at 10:07 PM, Marcos said:
Please provide ESET Log Collector logs as well as SHA1 hashes of some of the files that you have downloaded and expected to be submitted to LiveGuard.

Hi Marcos, any update on this issue? 🤔
itman 1,595 Posted August 14, 2022

On 8/13/2022 at 12:17 AM, AnthonyQ said:
Any update on this issue? 🤔

Are you still having issues with LiveGuard submissions? Download this Palo Alto test malware file: https://wildfire.paloaltonetworks.com/publicapi/test/pe . Note: this file is not malware but contains enough suspicious characteristics that AV heuristic scanners will flag it. This file should be immediately uploaded to LiveGuard and blocked until a safe verdict is returned.
AnthonyQ 45 (Author) Posted August 15, 2022

On 8/14/2022 at 9:34 PM, itman said:
Are you still having issues with LiveGuard submissions? Download this Palo Alto test malware file: https://wildfire.paloaltonetworks.com/publicapi/test/pe . Note: this file is not malware but contains enough suspicious characteristics that AV heuristic scanners will flag it. This file should be immediately uploaded to LiveGuard and blocked until a safe verdict is returned.

Yes. I continue to experience the issues with LiveGuard discussed above. Regarding this test file, ESET LiveGuard didn't block it or send it to the cloud.