cyb 0 Posted November 25, 2022 Share Posted November 25, 2022 I am using ESET PROTECT and ESET Endpoint. One URL is blocked by the Web protection module (PUA blacklist) but is declared « Safe » by LiveGrid: is there a way to make the Web protection use LiveGrid's reputation? I am getting a few false positive like this one over the organization and if I could avoid such errors by trusting LiveGrid it would be great. The detection details follows (emphasis mine): ----- Web protection An attempt to connect to URL Occurred: November 3, 2022 17:12:35 Occurrences: * Total 4 * Resolved 4 * Handled by product 4 Cause: Blocked Hash: C0E20A0172694DF8441C75B848A86BEA97C2CE17 Uniform Resource Identifier (URI): ***redacted*** Process name: C:\Program Files\Google\Chrome\Application\chrome.exe Event: An attempt to connect to URLRule: Blocked by PUA blacklist Scanner: HTTP filter Target address: ***redacted*** User: ***redacted*** ESET LiveGrid® Observed worldwide (ESET LiveGrid®)Reputation: Safe (8) Popularity: 10000000 - 99999999 computers (approximation) First seen: 2 weeks ago Detection observed in organization Count: 17 First time: November 3, 2022 11:33:29 Last time: November 8, 2022 15:20:18 ----- Link to comment Share on other sites More sharing options...
Administrators Marcos 4,704 Posted November 25, 2022 Administrators Share Posted November 25, 2022 It appears that Chrome (clean app) attempted to open a PUA website. What is the url that was blocked? LiveGrid has reputation of files, not urls. Link to comment Share on other sites More sharing options...
cyb 0 Posted November 25, 2022 Author Share Posted November 25, 2022 I can't really publicly share the URL (can do privately though). What actually happened is that Chrome attempted a GET on an URL which contains (in the query string) an URL which ESET think is bad. Quote LiveGrid has reputation of files, not urls. OK, so the display of LiveGrid reputation on the detection details window is misleading. Link to comment Share on other sites More sharing options...
Administrators Marcos 4,704 Posted November 25, 2022 Administrators Share Posted November 25, 2022 Please drop me a private message with the url and a screenshot of the above detection details enclosed. Link to comment Share on other sites More sharing options...
cyb 0 Posted November 25, 2022 Author Share Posted November 25, 2022 (Private message sent) As a I said, I know theses URLs are seen as potentially bad (but I don't know why) but I think they are false-positive, and I thought I could use LiveGrid to avoid blocking for some of theses. Link to comment Share on other sites More sharing options...
Administrators Marcos 4,704 Posted November 25, 2022 Administrators Share Posted November 25, 2022 Thanks. Since malware has been removed from the website, we have unblocked it. Also I've asked the product manager to consider labeling the LiveGrid part "Process details" to make it clear that LiveGrid info pertain to the process that accessed the url. Link to comment Share on other sites More sharing options...
cyb 0 Posted November 28, 2022 Author Share Posted November 28, 2022 Thanks. Link to comment Share on other sites More sharing options...
Recommended Posts