LiveGuard can automatically block a suspicious file but cannot upload it to the cloud


15 minutes ago, AnthonyQ said:

Regarding this test file, ESET LiveGuard didn't block and send it to the cloud.

I believe your LiveGuard issues are related to communication originating from China. Perhaps interference via "the great firewall."

Just now, itman said:

I believe your LiveGuard issues are related to communication originating from China. Perhaps interference via "the great firewall."

That's not true. I can easily upload samples to LiveGuard manually via the option in context menu.

4 minutes ago, AnthonyQ said:

That's not true. I can easily upload samples to LiveGuard manually via the option in context menu.

I suspect Eset manual submissions are not being sent directly to LiveGuard servers but are instead being sent to LiveGrid servers, regardless of the fact that the Eset Sent log entry states "LiveGuard." Remember that LiveGuard servers are reserved for Eset interactive activity; i.e. a timely sample analysis with a result reply to the originator.

Just now, itman said:

I suspect Eset manual submissions are not being sent directly to LiveGuard servers but are instead being sent to LiveGrid servers, regardless of the fact that the Eset Sent log entry states "LiveGuard." Remember that LiveGuard servers are reserved for Eset interactive activity; i.e. a timely sample analysis with a result reply to the originator.

No. After manual submission to LiveGuard, some samples can be detected and removed by LiveGuard.

2 hours ago, AnthonyQ said:

No. After manual submission to LiveGuard, some samples can be detected and removed by LiveGuard.

Ditto for LiveGrid processing. You can spot these using a network connection monitor. The URL starts with tsmxx. Eset stores these entries in the C:\ProgramData\ESET\ESET Security\Charon directory. What is stored there is in essence a pointer to the submitted file location. If LiveGrid later determines the file malicious, it will use this pointer file to locate and delete/quarantine the file.

  • Most Valued Members
4 hours ago, AnthonyQ said:

Yes. I continue experiencing issues with LiveGuard which are discussed above.

Regarding this test file, ESET LiveGuard didn't block and send it to the cloud.

Decided to try it myself. Seems LiveGuard might have sent it, but I got no notification.

9 minutes ago, peteyt said:

Decided to try it myself. Seems LiveGuard might have sent it, but I got no notification.

You won't get a Safe file verdict popup unless you physically try to access the sent file while in a blocked status.

  • Most Valued Members
1 minute ago, itman said:

You won't get a Safe file verdict popup unless you physically try to access the sent file while in a blocked status.

Should I have gotten a warning that it was being checked? I can see it is in my logs, but there was no popup saying the file has been blocked temporarily or anything.

5 hours ago, AnthonyQ said:

Regarding this test file, ESET LiveGuard didn't block and send it to the cloud.

Oops! It didn't register with me that the file was not sent by LiveGuard. It most certainly should have been blocked and sent. Each file download has a unique hash.

For some unknown reason, LiveGuard appears not to function on your ESSP installation. Since you stated you have repeatedly reinstalled ESSP, the problem might not be LiveGuard per se, but Eset heuristic scanning settings. Remember, it is this feature that detects a suspicious file originally. Are all your Eset real-time detection settings set to Aggressive?

4 minutes ago, peteyt said:

Should I have gotten a warning that it was being checked? I can see it is in my logs, but there was no popup saying the file has been blocked temporarily or anything.

Download it again. Immediately try to run the file. You will receive a Win popup that the file can't be accessed. You will also receive an Eset popup that asks if you want to unblock the file, which you do not want to do. When LiveGuard file analysis completes, you will get a LiveGuard desktop popup that the file is safe.

  • Most Valued Members
9 minutes ago, itman said:

Download it again. Immediately try to run the file. You will receive a Win popup that the file can't be accessed. You will also receive an Eset popup that asks if you want to unblock the file, which you do not want to do. When LiveGuard file analysis completes, you will get a LiveGuard desktop popup that the file is safe.

I have realised what was causing the issue. When I tried to open the exe I got nothing, not even an "are you sure you want to open this" prompt. If I download via Chrome and open it, Eset alerts me, but if I download through the download manager I use, Free Download Manager (FDM), it seems it is sent but I'm not alerted and the .exe is not running.

11 minutes ago, peteyt said:

if I download through the download manager I use, Free Download Manager (FDM), it seems it is sent but I'm not alerted and the .exe is not running.

Makes sense. Eset LiveGuard only fully supports browser and e-mail client downloads, as far as I am aware.

  • Administrators
3 minutes ago, itman said:

Makes sense. Eset LiveGuard only fully supports browser and e-mail client downloads, as far as I am aware.

Correct. Looks like some information from https://help.eset.com/elga/en-US/proactive_protection.html is missing in the ESET LiveGuard help, will check it out with colleagues from the documentation team.

  • Most Valued Members
8 hours ago, Marcos said:

Correct. Looks like some information from https://help.eset.com/elga/en-US/proactive_protection.html is missing in the ESET LiveGuard help, will check it out with colleagues from the documentation team.

Will post this in the feature request area but do you think it would ever be possible to get it to work with download managers?

14 hours ago, itman said:

Makes sense. Eset LiveGuard only fully supports browser and e-mail client downloads, as far as I am aware.

I use IDM to download files and that might be a reason why LiveGuard is not working properly on my PC. But I think ESET LiveGuard should support IDM in the future, as it is widely used.

  • Administrators
6 hours ago, peteyt said:

Will post this in the feature request area but do you think it would ever be possible to get it to work with download managers?

Currently we don't plan to support download managers because:
1. We could not cover all download managers.
2. The first part of downloaded files would be redundantly submitted.
3. The first part of the downloaded file would be blocked by proactive protection while waiting for the verdict, which would prevent the download manager from assembling parts and creating the final file.

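Marcos's three reasons can be seen in a small simulation. This is an added example and not ESET's code or anything posted in the thread: it models a download manager fetching one file in parallel byte ranges (the way segmented downloaders issue HTTP Range requests) next to a simplified hold stage that keeps any object whose hash is unknown until a verdict arrives. The sample payload, the part layout and the set of "already known" hashes are all constructed for the demo.

```python
"""Why a segmented (download-manager) fetch defeats a per-object hold-and-submit scan.

Added example, not ESET code. The payload, the part layout and the set of
already-known hashes are constructed for the demo.
"""
from __future__ import annotations

import hashlib

# Constructed payload standing in for an installer the cloud already has a verdict for.
SAMPLE = bytes(range(256)) * 40


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split_ranges(size: int, parts: int) -> list[tuple[int, int]]:
    """Byte ranges a segmented downloader requests (HTTP 'Range: bytes=s-e')."""
    step = -(-size // parts)  # ceiling division so the last range covers the tail
    return [(s, min(s + step, size) - 1) for s in range(0, size, step)]


def fetch_parts(blob: bytes, ranges: list[tuple[int, int]]) -> list[bytes]:
    """Each range lands in its own temporary part file; model that as separate objects."""
    return [blob[s : e + 1] for s, e in ranges]


def proactive_hold(obj: bytes, known: set[str]) -> str:
    """Simplified hold stage: release objects with a known hash, hold the rest for a verdict."""
    return "release" if sha256(obj) in known else "held"


def assemble(parts: list[bytes], holds: list[str]) -> bytes:
    """The download manager can only concatenate parts it is allowed to read."""
    blocked = [i for i, h in enumerate(holds) if h == "held"]
    if blocked:
        raise PermissionError(f"part(s) {blocked} held pending verdict")
    return b"".join(parts)


def simulate_download(blob: bytes, parts: int, known: set[str]) -> dict:
    """Fetch `blob` in `parts` ranges and report what the hold stage and the assembler do."""
    chunks = fetch_parts(blob, split_ranges(len(blob), parts))
    holds = [proactive_hold(c, known) for c in chunks]
    result = {"holds": holds, "submitted": holds.count("held"), "assembled": False}
    try:
        result["assembled"] = assemble(chunks, holds) == blob
    except PermissionError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    known = {sha256(SAMPLE)}  # the complete file already has a cloud verdict
    print("browser, 1 object        :", simulate_download(SAMPLE, 1, known))
    print("download manager, 4 parts:", simulate_download(SAMPLE, 4, known))
```

With a single-object browser download the whole file's hash is already known, nothing is submitted and the file is released. Split into four parts, every part hashes to a value the cloud has never seen, so all four are submitted even though the final file is known (reason 2), and the assembler cannot proceed while any part is held (reason 3); a real download manager would fail or retry at that point. Reason 1 is the long tail of clients doing exactly this, each with its own part-file layout.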
3 hours ago, AnthonyQ said:

I use IDM to download files and that might be a reason why LiveGuard is not working properly on my PC. But I think ESET LiveGuard should support IDM in the future, as it is widely used.

I agree, because this way we will always be unprotected, since LiveGuard is designed to mitigate threats never seen before. Not supporting other download managers, we will always be vulnerable. So I agree with you.

20 hours ago, Marcos said:

Correct. Looks like some information from https://help.eset.com/elga/en-US/proactive_protection.html is missing in the ESET LiveGuard help, will check it out with colleagues from the documentation team.

Based on the personal experience of @AnthonyQ and myself with LiveGuard's not so stellar performance, it seems the home users' LiveGuard only performs the Level 1 analysis in the cloud that's described here: https://help.eset.com/elga/en-US/how_detection_layers_work.html

Is this correct?

I also had the chance to try out ESET Endpoint, where the Level 2 or Level 4 (or both, I forgot which one) option was locked to licenses with more seats.

  • Administrators

There's no difference between ESET LiveGuard employed by ESET Smart Security Premium and ESET LiveGuard Advanced in business products when it comes to analyzing files downloaded from the Internet.
The download manager issue notwithstanding, my question is: what about app-based downloads; updates, etc.?

Most, I believe, are aware of the ever-growing supply-chain-based tampering issue. Also, the connection could be hijacked en route.

We really have a lot of doubts about the security of LiveGuard.
For example, I use Patch My PC to update my programs, without looking at the manufacturers' websites. The question is whether LiveGuard is protecting me in relation to the updates I'm making to my programs, since with download managers and torrent programs I know that LiveGuard does not protect.

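itman's question about app-based downloads and the Patch My PC case above point at the same gap: an updater's fetch never passes through the browser or mail-client path that LiveGuard covers, so the integrity check has to come from somewhere else. The following is an added example, not ESET's, Patch My PC's or the thread's code: it verifies downloaded files against a vendor-published sha256sum-style list. The checksum list, the file contents and the download directory are constructed here, and the example assumes the list is obtained over a channel separate from the payloads.

```python
"""Verify vendor-published SHA-256 sums for files fetched by an updater.

Added example, not ESET or Patch My PC code. Assumes the vendor publishes a
sha256sum-style list ("<hex>  <filename>" per line). The list, the file
contents and the directory below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import tempfile

# sha256sum format: 64 hex chars, whitespace, optional '*' binary marker, filename
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sums(text: str) -> dict[str, str]:
    """Map filename -> lowercase hex digest; skip blanks/comments, reject malformed lines."""
    sums: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line {lineno}: {raw!r}")
        digest, name = m.groups()
        sums[os.path.basename(name)] = digest.lower()
    return sums


def file_sha256(path: str) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dir(directory: str, sums: dict[str, str]) -> dict[str, str]:
    """Return filename -> OK / MISMATCH / MISSING. Anything not OK must not be installed."""
    results: dict[str, str] = {}
    for name, expected in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_sha256(path)
        # constant-time comparison; a plain == is fine for hashes but this is the habit to keep
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def build_fixture() -> tuple[str, str]:
    """Constructed download directory plus checksum list: one good, one tampered, one absent file."""
    d = tempfile.mkdtemp(prefix="updates-")
    good = b"MZ\x90\x00 constructed good installer payload\n"
    on_disk_plugin = b"MZ\x90\x00 constructed plugin bytes that differ from the published ones\n"
    with open(os.path.join(d, "app-setup.exe"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "plugin.msi"), "wb") as f:
        f.write(on_disk_plugin)
    sums_text = "\n".join([
        "# constructed list, as a vendor would publish it over HTTPS, separate from the payloads",
        f"{hashlib.sha256(good).hexdigest()}  app-setup.exe",
        f"{hashlib.sha256(b'original plugin bytes').hexdigest()} *plugin.msi",
        f"{hashlib.sha256(b'never downloaded').hexdigest()}  helper.dll",
    ])
    return d, sums_text


if __name__ == "__main__":
    directory, published = build_fixture()
    for name, status in verify_dir(directory, parse_sums(published)).items():
        print(f"{status:8} {name}")
```

A hash list pulled from the same mirror as the payload proves nothing if that mirror is the thing that was tampered with, so take it from the vendor's own HTTPS site or verify its signature first; on Windows, pair this with Get-AuthenticodeSignature on the installer itself. Treat MISMATCH and MISSING as hard failures rather than warnings.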
I can confirm that something has changed in LiveGuard.

I have another security app I use. I also perform manual updating of this app via browser based download. To date every time I performed an update, LiveGuard has blocked the file, given me an Eset submission notification pop-up alert, and created entries in both the Event and Sent logs.

I just performed a manual update two hours ago. The only thing LiveGuard did was block the file upon download. I did not receive any Eset submission notification pop-up alert. No Eset event logs of any type were created. Finally, the file was only blocked for a very short period of time. Normally, a LiveGuard verdict for an update takes around 4 - 6 minutes. Appears to me all that was performed was a cloud blacklist check.

I just downloaded a sample from MalwareBazaar (MD5: dc55c31f417efc2fa4d421a16277e3b1) which is undetected by ESET's scanner, using Edge's built-in download function.

However, after being extracted with 7-Zip, this sample was again blocked by LiveGuard but wasn't uploaded to the cloud automatically.

7 minutes later, a notification saying LiveGuard needs more time to analyze appeared. But I don't think LiveGuard has actually received the sample.

  • Administrators
1 hour ago, AnthonyQ said:

I just downloaded a sample from MalwareBazaar (MD5: dc55c31f417efc2fa4d421a16277e3b1) which is undetected by ESET's scanner, using Edge's built-in download function.

That's most likely because the file is already detected. Make sure that you have aggressive detection set for the "malware" category:

38816055042a3693ff846a391e8280f800d06a3c49ca0181ab0f99d99db48b09.exe - ML/Augur trojan

Also it's detected upon execution with real-time protection disabled:
