
Bugs in ESET File Reputation ( ESET Live Grid )


Solved by Marcos

Hi guys

A few days ago I found a bug in the classification of applications.

These files appear as if they were good applications, while they are harmful applications.

[Screenshot 1: Live Grid classification of the files]

[Screenshot 2: Live Grid classification of the files]

Please fix this problem and improve it :)

 

Best Regards


Risk level: Fine !!! It should have been Unknown,

because risk level Fine means that the application is 100% secure,

while it should have had the Unknown classification.

So please fix this problem.

Best regards


I have seen that a few times as well. I wonder why all files (safe or malware) don't get an unknown status (orange triangle) until LG has decided that the file is safe and gives it a green known safe status. If it worked like that, the files above in the screenshot should be marked unknown until they get a red triangle if they are malware, and not get a known safe/green status for a few hours; that is just confusing and very wrong unless they are known safe. I don't understand why any file gets a known safe status when they could get an unknown status until Live Grid is sure about what they are, safe or bad.

 

Only known safe files should be marked "known safe/green" as that is what that green icon means. 

Malware should never get a known safe/green status, even if it is just for a few hours it doesn't make any sense, Live Grid should mark them as unknown (orange) during that time NOT green!

 

Marcos, don't ALL files get an unknown status in Live Grid at first?

 

 

It sounds like the "unknown" status would fit the above files perfectly according to the help file.

 

Also according to the help file the above files are "definitely clean" and "whitelisted" ! 

 

Risk level – In most cases, ESET Smart Security and ESET Live Grid technology assign risk levels to objects (files, processes, registry keys, etc.) using a series of heuristic rules that examine the characteristics of each object and then weigh their potential for malicious activity. Based on these heuristics, objects are assigned a risk level from 1 – Fine (green) to 9 – Risky (red).

NOTE: Known applications marked as Fine (green) are definitely clean (whitelisted) and will be excluded from scanning, as this will improve the scanning speed of on-demand computer scan or Real-time file system protection on your computer.

Number of users – The number of users that use a given application. This information is gathered by ESET Live Grid technology.

 

Time of discovery – Period of time since the application was discovered by ESET Live Grid technology.


 

NOTE: When an application is marked with the Unknown (orange) security level, it is not necessarily malicious software. Usually it is just a newer application. If you are not sure about the file, you can submit the file for analysis to the ESET Virus Lab. If the file turns out to be a malicious application, its detection will be added to one of the upcoming updates.

 

 

It should work like the help file shows it, but it doesn't always work like that.

Edited by SweX

  • Administrators

As I wrote, these files are probably new and were not detected the first time they were scanned on someone's computer. Unfortunately, no additional information was provided, such as SHA1 of these files so I was not able to verify my assumption.


  • Administrators

Marcos, don't ALL files get an unknown status in Live Grid at first?

 

They do but they were not unknown any more after somebody had scanned them. One should also consider the prevalence and time of discovery instead of just looking at the status as it may not always be accurate information.


But that doesn't explain why some new malware are marked as green clean fine/safe. 

 

 

Marcos, don't ALL files get an unknown status in Live Grid at first?

 

They do but they were not unknown any more after somebody had scanned them. One should also consider the prevalence and time of discovery instead of just looking at the status as it may not always be accurate information.

 

 

"instead of just looking at the status as it may not always be accurate information."

 

So, green known safe "definitely clean" doesn't always mean definitely clean?

 

The way I read it, is that unknown could be used until the file is known safe or known bad. But LG skipped that and marked them as known safe which means "definitely clean". I see that as a problem.

 

I mean, even if the file is no longer unknown, LG still hasn't determined if the file is known safe or bad = clean/infected status unknown. In that case it is wrong to mark them as green/known safe if they really aren't.

 

Maybe a color status between "unknown" and "known safe" is needed, purple for suspicious?

 

Then the classification could go like this...

 

Unknown (orange) -> Suspicious (purple) -> Red triangle (if malware).

(but the suspicious status can be skipped and go straight to Green known safe if it is a clean file.)

 

And not like it works now...

 

Unknown (orange) -> Green (known safe) -> Red triangle (if malware).

 

I find it weird that a file goes from green known safe "definitely clean" status one second, to malware status a few minutes or so later. Something in between is needed while the clean/infected status is being determined to prevent malware from getting a green "definitely clean" status in LG.

Edited by SweX

Something is wrong there.
Those exe files must be unknown (orange) even if somebody had scanned them.

See editplus.exe (it's one of the well-known text editors for Windows):

[Screenshot: Live Grid classification of editplus.exe]

It still has the unknown classification (more people are using it and more people have scanned it).

Of course editplus.exe is a clean file and I don't care that it's still Unknown (orange), but
if new/unknown malware files are green (definitely clean (whitelisted) and will be excluded from scanning),
that is a problem.



 

Edited by sky7

  • Most Valued Members

I just wanted to also mention a similar issue over on the Cyber Security side that may explain this issue: as of now, processes without a classification are showing random user icons instead of being blank until ESET can set the classification (like an unknown yellow icon or green tick). Maybe Smart Security is showing the green tick icon (due to a visual bug) instead of being blank (or however it should be), like how Cyber Security is wrongly showing the user icon instead of being blank (that's how it used to be before something happened late last year)?

 

In other words, Cyber Security (and I'm assuming Smart Security too) used to show a blank spot for an unclassified process or executable until the unknown yellow icon was shown, but both are now resorting to showing a green tick in Smart Security or a user icon in Cyber Security due to a visual UI bug?

Edited by planet

@sky7

 

Yes, I have seen old (clean/safe) files with a big number of users have "unknown" status as well, so I don't understand exactly what Marcos means.

 

@planet

 

Hmmm interesting, so you see the 3-people-in-a-queue icon instead of the file status. :)

 

Maybe it really is a graphical glitch, but I doubt it, as I have seen known safe files (green) get malware status (red) many times.

Whatever the issue is, it needs fixing.


  • Most Valued Members

@planet

Hmmm interesting, so you see the 3-people-in-a-queue icon instead of the file status. :)

 

Yes, only for the recently discovered ones that have no classification yet (even before the unknown yellow/orange icon). It used to be blank before something happened late last year, but now it shows a random user icon (sometimes one person, sometimes two people), which shouldn't be there. Anyway, I don't want to hijack the topic; I just wanted to mention this in case this issue in Smart Security is the same thing.


Another example

[Screenshot 1: Live Grid classification of the files]

[Screenshot 2: Live Grid classification of the files]

Again risk level Green !!! It must have been at least a buff (risk level: unknown).

There is a great imbalance in the ESET File Reputation (ESET Live Grid).

So you must solve this problem as soon as possible.


@planet

Personally I think the bug you mentioned is only a graphical bug in ECS and the bug reported by the TS is a "deeper" one.

However, I could be fully wrong of course.

@Mohimen

Can you please post (not-clickable) links to some of the malicious files (I recommend packing them into a password-protected archive), so we can reproduce the issue?

Have you also found malicious files which are marked with a red triangle in ESET LiveGrid?


  • Administrators

It's also very strange that the eicar test file is... well... nothing? :blink: (if it were unknown it would be an orange triangle)

 

Eicar.com is not a PE file. Reputation is evaluated only for PE files.


  • Administrators

Okay, but malware can also be outside a PE file...

So this should be recognized by ESET LiveGrid too.

 

Malware can be on any website, for instance, but you cannot make a SHA1 for every single website that contains a malicious script. For this purpose, there's generic signature detection in place.


  • Administrators

Malware Samples link

hxxp://rghost.net/60117403

Password: infected

 

Best regards

 

Thank you, I'll discuss it with our engineers during work days next week. The files currently have "unknown" status in the cloud.


Malware can be on any website, for instance, but you cannot make a SHA1 for every single website that contains a malicious script. For this purpose, there's generic signature detection in place.

Yes, I also wasn't talking about websites. I meant e.g. com, bat, cmd, vbs or other executable file types or script files: from these files you can make whatever hash you like and include them in ESET LiveGrid.

Edited by rugk