Mohimen 3 Posted January 2, 2015 Hi guys. A few days ago I found a bug in the classification of applications. These files appear on the grounds that they are good applications, while they are harmful applications. Please fix this problem and improve it. Best regards
Administrators Marcos 5,399 Posted January 2, 2015 Probably it has been recognized as malware just recently, which would explain that. Try checking it in a few hours.
Mohimen 3 (Author) Posted January 2, 2015 Risk level: fine!!! It must have been unknown, because risk level: fine means that the application is 100% secure, while it must have been the unknown classification. So please fix this problem. Best regards
SweX 871 Posted January 2, 2015 (edited) I have seen that a few times as well. I wonder why all files (safe or malware) don't get an unknown status (orange triangle) until LG has decided that the file is safe and gives it a green known safe status. If it worked like that, then the files above in the screenshot should be marked unknown until they get a red triangle if they are malware, and not get a known safe/green status for a few hours; that is just confusing and very wrong unless they are known safe. I don't understand why any file gets a known safe status when it could get an unknown status until Live Grid is sure about what it is, safe or bad. Only known safe files should be marked "known safe/green", as that is what that green icon means. Malware should never get a known safe/green status; even if it is just for a few hours it doesn't make any sense. Live Grid should mark them as unknown (orange) during that time, NOT green! Marcos, don't ALL files get an unknown status in Live Grid at first? It sounds like the "unknown" status would fit the above files perfectly according to the help file. Also, according to the help file, the above files are "definitely clean" and "whitelisted"!

Quoted from the help file:

Risk level – In most cases, ESET Smart Security and ESET Live Grid technology assign risk levels to objects (files, processes, registry keys, etc.) using a series of heuristic rules that examine the characteristics of each object and then weigh their potential for malicious activity. Based on these heuristics, objects are assigned a risk level from 1 – Fine (green) to 9 – Risky (red). NOTE: Known applications marked as Fine (green) are definitely clean (whitelisted) and will be excluded from scanning, as this will improve the scanning speed of on-demand computer scan or Real-time file system protection on your computer.

Number of users – The number of users that use a given application. This information is gathered by ESET Live Grid technology.

Time of discovery – Period of time since the application was discovered by ESET Live Grid technology. NOTE: When an application is marked as Unknown (orange) security level, it is not necessarily malicious software. Usually it is just a newer application. If you are not sure about the file, you can submit the file for analysis to the ESET Virus Lab. If the file turns out to be a malicious application, its detection will be added to one of the upcoming updates.

It should work like the help file shows it, but it doesn't always work like that. Edited January 2, 2015 by SweX
Mohimen 3 (Author) Posted January 2, 2015 Exactly, SweX. This is what I wanted to say exactly. So you must solve this problem as soon as possible.
Administrators Marcos 5,399 Posted January 2, 2015 As I wrote, these files are probably new and were not detected the first time they were scanned on someone's computer. Unfortunately, no additional information was provided, such as the SHA1 of these files, so I was not able to verify my assumption.
Administrators Marcos 5,399 Posted January 2, 2015 Quoting SweX: "Marcos, don't ALL files get an unknown status in Live Grid at first?" They do, but they were not unknown any more after somebody had scanned them. One should also consider the prevalence and time of discovery instead of just looking at the status, as it may not always be accurate information.
SweX 871 Posted January 2, 2015 (edited) But that doesn't explain why some new malware is marked as green clean fine/safe. Quoting the exchange above: "Marcos, don't ALL files get an unknown status in Live Grid at first?" / "They do, but they were not unknown any more after somebody had scanned them. One should also consider the prevalence and time of discovery instead of just looking at the status, as it may not always be accurate information." "...instead of just looking at the status, as it may not always be accurate information." So green known safe "definitely clean" doesn't always mean definitely clean? The way I read it, unknown could be used until the file is known safe or known bad. But LG skipped that and marked them as known safe, which means "definitely clean". I see that as a problem. I mean, even if the file is no longer unknown, LG still hasn't determined if the file is known safe or bad = clean/infected status unknown. In that case it is wrong to mark them as green/known safe if they really aren't. Maybe a color status between "unknown" and "known safe" is needed, purple for suspicious? Then the classification could go like this... Unknown (orange) -> Suspicious (purple) -> Red triangle (if malware). (But the suspicious status can be skipped and go straight to Green known safe if it is a clean file.) And not like it works now... Unknown (orange) -> Green (known safe) -> Red triangle (if malware). I find it weird that a file goes from green known safe "definitely clean" status one second to malware status a few minutes or so later. Something in between is needed while the clean/infected status is being determined, to prevent malware from getting a green "definitely clean" status in LG. Edited January 2, 2015 by SweX
sky7 19 Posted January 2, 2015 (edited) That is something wrong. Those exe files must be unknown (orange) even if somebody had scanned them. See editplus.exe (it's one of the well-known text editors for Windows). It's still unknown classification (more people are using it and more people have scanned it). Of course editplus.exe is a clean file and I don't care that it's still Unknown (orange) classification, but if new/unknown malware files are green (definitely clean (whitelisted) and will be excluded from scanning), that is a problem. Edited January 2, 2015 by sky7
Most Valued Members planet 232 Posted January 2, 2015 (edited) I just wanted to also mention a similar issue over on the Cyber Security side that may explain this issue. As of now, processes without a classification are showing random user icons instead of it being blank until ESET can set the classification (like an unknown yellow icon or green tick)... Maybe Smart Security is showing the green tick icon (due to a visual bug) instead of it being blank (or however it should be), like how Cyber Security is wrongly showing the user icon instead of that being blank (that's how it used to be before something happened late last year)? In other words, Cyber Security (and I'm assuming Smart Security too) used to show a blank spot for an unclassified process or executable until the unknown yellow icon is shown, but they both are resorting to showing a green tick in Smart Security or a user icon in Cyber Security due to a visual UI bug? Edited March 29, 2015 by planet
SweX 871 Posted January 2, 2015 @sky7 Yes, I have seen old (clean/safe) files with a big number of users have "unknown" status as well, so I don't understand exactly what Marcos means. @planet Hmmm, interesting, so you see the 3-people-in-a-queue icon instead of the file status. Maybe it really is a graphical glitch, but I doubt it, as I have seen known safe files (green) get malware status (red) many times. Whatever the issue is, it needs fixing.
Most Valued Members planet 232 Posted January 2, 2015 Quoting SweX: "@planet Hmmm, interesting, so you see the 3-people-in-a-queue icon instead of the file status." Yes, only for the recently discovered ones that have no classification yet (even before the unknown yellow/orange icon). It used to be blank before something happened late last year, but now it shows a random user icon (sometimes one person, sometimes two people) which shouldn't be there. Anyway, I don't want to hijack the topic, I just wanted to mention this in case this issue in Smart Security is the same thing.
Mohimen 3 (Author) Posted January 2, 2015 Another example, again risk level Green!!! It must have been at least a buff (risk level: unknown). There is a great imbalance in the ESET File Reputation (ESET Live Grid). So you must solve this problem as soon as possible.
rugk 397 Posted January 2, 2015 @planet Personally I think the bug you mentioned is only a graphical bug in ECS and the bug reported by the TS is a "deeper" one. However, I could be fully wrong, of course. @Mohimen Can you please post (non-clickable) links to some of the malicious files (I recommend packing them into a password-protected archive), so we can reproduce the issue? Have you also found malicious files which are marked with a red triangle in ESET LiveGrid?
Administrators Marcos 5,399 Posted January 2, 2015 A lot of posts have been made, but still not a single mention of a SHA1 so that we could check it out.
rugk 397 Posted January 3, 2015 Yeah, either a checksum or the complete file.
Mohimen 3 (Author) Posted January 3, 2015 @rugk Can I put links here?
Arakasi 549 Posted January 3, 2015 (edited) Broken links please, e.g. hxxp://yup.com Edited January 3, 2015 by Arakasi
rugk 397 Posted January 3, 2015 (edited) It's also very strange that the eicar test file is... well... nothing? (If it were unknown it would be an orange triangle.) Edited January 3, 2015 by rugk
Administrators Marcos 5,399 Posted January 3, 2015 Quoting rugk: "It's also very strange that the eicar test file is... well... nothing? (If it were unknown it would be an orange triangle.)" Eicar.com is not a PE file. Reputation is evaluated only for PE files.
Mohimen 3 (Author) Posted January 3, 2015 Malware samples link: hxxp://rghost.net/60117403 Password: infected Best regards
rugk 397 Posted January 3, 2015 Okay, but malware can also not be in a PE file... So this should be recognized by ESET LiveGrid too.
Administrators Marcos 5,399 Posted January 3, 2015 Quoting rugk: "Okay, but malware can also not be in a PE file... So this should be recognized by ESET LiveGrid too." Malware can be on any website, for instance, but you cannot make a SHA1 for every single website that contains a malicious script. For this purpose, there's generic signature detection in place.
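To make concrete the two points Marcos makes in this reply and in his earlier one about eicar.com (reputation is keyed by a SHA1 of the file, it is evaluated only for PE files, and anything that is not a PE file is left to generic signature detection), here is a constructed toy model written for this page. It is not ESET's code and says nothing about how Live Grid actually works internally; the MZ/PE header check, the sample byte strings, the `CLOUD_DB` dictionary and the colour mapping are all assumptions chosen to mirror the help-file scale quoted earlier in the thread.

```python
import hashlib
import struct

# Constructed toy model of a hash-keyed file reputation lookup (not ESET's code).
# Colours follow the help-file scale quoted in the thread: 1 Fine (green) ...
# 9 Risky (red), plus Unknown (orange) for PE files the cloud has no verdict on.
RISK_FINE = 1
RISK_RISKY = 9


def is_pe_file(data: bytes) -> bool:
    """Check for the MZ DOS header and a PE\\0\\0 signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha1_hex(data: bytes) -> str:
    """SHA1 of the whole file: the identifier Marcos asks reporters to supply."""
    return hashlib.sha1(data).hexdigest()


def make_pe_stub(payload: bytes) -> bytes:
    """Constructed byte string with a minimal MZ header pointing at a PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40 bytes of DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> right after the header
    return bytes(header) + b"PE\x00\x00" + payload


def lookup_reputation(data: bytes, cloud_db: dict) -> dict:
    """Return the verdict the constructed cloud database gives for `data`."""
    if not is_pe_file(data):
        # Non-PE content (eicar.com, .bat/.vbs scripts, web pages) gets no
        # hash-based reputation here; only a generic signature could cover it.
        return {"evaluated": False, "status": "not evaluated", "color": None}
    digest = sha1_hex(data)
    risk = cloud_db.get(digest)
    if risk is None:
        # Never seen: the orange "unknown" triangle from the help file.
        return {"evaluated": True, "sha1": digest, "status": "unknown", "color": "orange"}
    color = "green" if risk == RISK_FINE else "red"
    return {"evaluated": True, "sha1": digest, "status": "known", "risk": risk, "color": color}


# Constructed samples (not real files): a whitelisted PE, a flagged PE,
# a PE the cloud has never seen, and a non-PE blob standing in for a script.
CLEAN_PE = make_pe_stub(b"constructed clean program body")
BAD_PE = make_pe_stub(b"constructed flagged program body")
NEW_PE = make_pe_stub(b"constructed never-seen program body")
SCRIPT_BLOB = b"@echo constructed non-PE script\r\n"

# Constructed cloud database keyed by SHA1 hex digest.
CLOUD_DB = {sha1_hex(CLEAN_PE): RISK_FINE, sha1_hex(BAD_PE): RISK_RISKY}


if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_PE), ("bad", BAD_PE),
                         ("new", NEW_PE), ("script", SCRIPT_BLOB)]:
        print(name, lookup_reputation(sample, CLOUD_DB))
```

The `NEW_PE` case is the one the thread argues about: a hash the cloud has never seen comes back orange/unknown, and nothing in a lookup like this can turn it green without a prior verdict being stored for that exact digest. The `SCRIPT_BLOB` case shows why a non-PE file such as eicar.com shows no triangle at all rather than an orange one.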
Administrators Marcos 5,399 Posted January 3, 2015 Quoting Mohimen: "Malware samples link: hxxp://rghost.net/60117403 Password: infected Best regards" Thank you, I'll discuss it with our engineers during work days next week. The files currently have "unknown" status in the cloud.
rugk 397 Posted January 3, 2015 (edited) Quoting Marcos: "Malware can be on any website, for instance, but you cannot make a SHA1 for every single website that contains a malicious script. For this purpose, there's generic signature detection in place." Yes, I also wasn't talking about websites. I meant e.g. com, bat, cmd, vbs or other executable file types or script files; from these files you can make any hash you like and you can include them in ESET LiveGrid. Edited January 3, 2015 by rugk