LiveGuard and malware


Hey guys. 

Not sure if this post is in the correct place, but we logged a ticket with our ESET region and thought we would post it here as well.

We do our own malware testing, and in our test environment we came across some questionable actions regarding LiveGuard/LiveGrid that we are concerned about; maybe we need a better explanation or training? Below is the mail we sent to them, feel free to have a read:

Our issue is that when we extract malware on our test VM, our concerns are:

  1. According to our knowledge, LiveGuard as the zero-day component is supposed to block unknown files from being extracted/executed from a supported archiver, then submit the sample, and after analysis allow or block according to the rating. Yet they are extracted and allowed to be executed and run in memory, and then a couple of seconds later detected and killed; some samples are missed and keep running in memory until we reboot the machine. So LiveGuard is not stopping unknowns from extracting nor executing. We did this by placing the zip files on the desktop, emailing them and extracting them.
  2. Why does LiveGuard not submit unknown files/malware immediately, and only hours/days later, and mostly not even at all? Then we must submit them manually. We have samples that are on the VM for days on end, not submitted until we do it manually, or randomly days later we will see the popup that a file or 2 was submitted.
  3. We see LiveGrid rating malware as clean, yet when we submit the samples to VT, many vendors will rate it as malicious. When we also scan the machines with other 3rd party tools like Malwarebytes, NPE, Emsisoft Emergency Kit, they are detecting a good amount of the samples and strange startup items etc. as we detonated the samples, then scanned the machine with ESET prior to the 3rd party scans, where ESET says the endpoint is clean. There is no way to object to a rating from LiveGrid; it seems the final/only rating is from machine/AI and there is no human developer interaction to double check if LiveGrid is correct and didn't make a mistake.
  4. The limit of only 10 items at a time to submit is very limiting; many other vendors allow unlimited submission of samples. There is also no way to submit a sample from the dashboard, further limiting the submitting process.

This is raising some concerns for us, and maybe it's because we don't fully understand how the product works/protects, or this might be a bug/vulnerability maybe.

Please see our concerns as us trying to help and improve ESET, as it's a great product but really needs to make things more modern when submitting samples. Surely there are other MSP/IT departments using ESET and testing ESET in controlled environments that will greatly benefit from being able to submit unlimited samples manually, supporting a vast range of file extensions, and to do so from the cloud console and not only from an endpoint level. Also, to object to a rating and get a second opinion from a developer. LiveGuard needs to be able to protect from all attack vectors, not just common ones, and to be more of a cloud/local sandbox and stop all unknown files, be it exe, dll etc.


  • Administrators
7 hours ago, QuickSilverST250 said:

1. According to our knowledge, LiveGuard as the zero-day component is supposed to block unknown files from being extracted/executed from a supported archiver, then submit the sample, and after analysis allow or block according to the rating. Yet they are extracted and allowed to be executed and run in memory, and then a couple of seconds later detected and killed; some samples are missed and keep running in memory until we reboot the machine. So LiveGuard is not stopping unknowns from extracting nor executing. We did this by placing the zip files on the desktop, emailing them and extracting them.

First of all, please clarify what ESET product / version you've used for testing. Was it ESET Security Premium with ESET LiveGuard or ESET Endpoint with ESET LiveGuard Advanced?

LiveGuard is not supposed to block unknown files per se, but it can block untrusted files never seen before on the machine unless a verdict of the analysis is received from the cloud sandbox. It is not a magic thing that would 100% distinguish between clean files and malware.

7 hours ago, QuickSilverST250 said:

2. Why does LiveGuard not submit unknown files/malware immediately, and only hours/days later, and mostly not even at all? Then we must submit them manually. We have samples that are on the VM for days on end, not submitted until we do it manually, or randomly days later we will see the popup that a file or 2 was submitted.

ESET LiveGuard submits files immediately as long as the machine is connected to the Internet. More information would be needed, including ELC logs from the machine and the samples you have tested.

7 hours ago, QuickSilverST250 said:

3. We see LiveGrid rating malware as clean, yet when we submit the samples to VT, many vendors will rate it as malicious. When we also scan the machines with other 3rd party tools like Malwarebytes, NPE, Emsisoft Emergency Kit, they are detecting a good amount of the samples and strange startup items etc. as we detonated the samples, then scanned the machine with ESET prior to the 3rd party scans, where ESET says the endpoint is clean. There is no way to object to a rating from LiveGrid; it seems the final/only rating is from machine/AI and there is no human developer interaction to double check if LiveGrid is correct and didn't make a mistake.

ESET LiveGuard does not take the results from VirusTotal to decide about the maliciousness of analyzed files, so it's normal that it reports files detected by some other vendors at VT as clean and vice versa.

ESET LiveGuard and ESET LiveGrid are autonomous systems not requiring analyst intervention. It would be beyond human capabilities to manually check all the hundreds of thousands of files that are received on a daily basis. However, suspicious undetected files are manually checked as well.

7 hours ago, QuickSilverST250 said:

4. The limit of only 10 items at a time to submit is very limiting; many other vendors allow unlimited submission of samples. There is also no way to submit a sample from the dashboard, further limiting the submitting process.

There is no limit for the number of files that are submitted automatically for analysis. If there were many of them (e.g. if there were many suspicious undetected files after a clean install), they would be queued for submission. As for manual submission of files, users typically submit 1 or 2 files. If there are more of them, they usually submit junk, such as multimedia files. If you have a bulk of suspicious files that are hundreds of MB in total, upload them to a safe location and email samples[at]eset.com as per the instructions at https://support.eset.com/en/kb141.


  • Marcos changed the title to LiveGuard and malware

Hello,

Thank you for your reply. Let me clarify a bit more.

We only use Endpoint Security and File Server Security (MSP). That's why we asked if LiveGuard is supposed to block unknown files (regardless of whether they are clean or not); now we know it doesn't. Our policy states to submit all detected samples also.

We have no issue if the manual submissions stay at 10 if unknowns are submitted automatically for us, but the inconsistency with files not being submitted, or only a very long time later, is the issue. I have supplied the logs and necessary info to our ESET region with a video recording. It seems it might only submit the sample if it detects some malicious code but needs further checking? Not submit it if it detects it as clean, maybe?

We are aware LiveGuard does not take VT info into account; the purpose of mentioning it was to demonstrate that ESET is rating a lot of these files as safe, whereas many other vendors don't. I'm not saying that vendors are rating files as malicious and ESET has no rating yet; we are saying ESET says it's clean and other vendors say it's malicious. That's the issue. Then we execute the malware and can see some strange behavior.

I will provide the feedback from tech support once I have it. We will be doing new malware testing this weekend and will provide feedback here.

  • Administrators

Please provide me with samples or at least hashes of files that were suspicious to you or detected by other vendors at VT but ESET reported them clean. I'd like to do a quick check to find out if they really pose a threat and are subject to detection.


Eset offers two versions of LiveGuard; one available in consumer products and one available for Eset commercial products. The version available for commercial products is titled LiveGuard Advanced and is a subscription service. LiveGuard Advanced offers features and protection not available on consumer product versions such as the ability to configure malware detection sensitivity level and detection response actions.

Refer to this Eset article on LiveGuard Advanced: https://help.eset.com/elga/en-US/overview.html .

Edited by itman

22 hours ago, Marcos said:

Please provide me with samples or at least hashes of files that were suspicious to you or detected by other vendors at VT but ESET reported them clean. I'd like to do a quick check to find out if they really pose a threat and are subject to detection.

Hi, please see the attached samples. They aren't the best, as the techs did delete most samples as they are continuing to test, but I did add some samples. They are running on the machine in memory, and the other ones are showing green/yellow as reputation but aren't being removed. For some of these samples we got the message that the file was blocked due to analysis; after a short time it says the files are safe to use and they are not removed.

The password is "suspicious" for the zip.


Samples to submit to ESET.rar


20 hours ago, itman said:

Eset offers two versions of LiveGuard; one available in consumer products and one available for Eset commercial products. The version available for commercial products is titled LiveGuard Advanced and is a subscription service. LiveGuard Advanced offers features and protection not available on consumer product versions such as the ability to configure malware detection sensitivity level and detection response actions.

Refer to this Eset article on LiveGuard Advanced: https://help.eset.com/elga/en-US/overview.html .

Hi itman, thank you for the reply. Yes, we are aware of the different LiveGuards; ours is set to Suspicious -> kill running process -> block execution till verdict, and set to 10 min.


  • Administrators

It's a mix of clean and corrupted files and other junk.

The only malicious file seems to be 1ad6d069860b89547224cbc682cac1d95f63fa95ca15e45cf151f51c7bd2fa84 which is, however, reversed. After reversing the bytes into the right order, it's detected: a variant of MSIL/Kryptik.AJEE trojan.

Junk: [screenshot listing the junk files]
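A byte-reversed executable, as described in the post above, looks like an unknown file type to a scanner until someone puts the bytes back in order. The triage check below is an added example (not ESET's code and not anything from this thread): it recognises a PE file by its MZ header and PE signature, tries the whole-file reversal when the header check fails, and reports the SHA-256 of both the file as received and the normalised form so both hashes can be included in a sample submission. The `build_minimal_pe_stub` input is a constructed, non-executable header stand-in, not a real sample.

```python
import hashlib

PE_SIGNATURE = b"PE\x00\x00"


def build_minimal_pe_stub() -> bytes:
    """Constructed stand-in for a PE header (assumption: only a DOS header with
    e_lfanew pointing at a 'PE\\0\\0' signature). It is not a runnable program."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    dos_header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    return bytes(dos_header) + PE_SIGNATURE + b"\x00" * 28


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew <= 0 or e_lfanew > len(data) - len(PE_SIGNATURE):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_sample(data: bytes) -> dict:
    """Classify a blob as a PE, a byte-reversed PE, or unknown.

    Returns the bytes a scanner should actually be given ('data') together with
    the hash of the file as received and the hash of the normalised form.
    """
    received_hash = sha256_hex(data)
    if looks_like_pe(data):
        return {"status": "pe", "data": data,
                "received_sha256": received_hash, "normalized_sha256": received_hash}

    reversed_data = data[::-1]  # whole-file reversal, the trick noted in the thread
    if looks_like_pe(reversed_data):
        return {"status": "reversed_pe", "data": reversed_data,
                "received_sha256": received_hash,
                "normalized_sha256": sha256_hex(reversed_data)}

    return {"status": "unknown", "data": data,
            "received_sha256": received_hash, "normalized_sha256": received_hash}


def triage_file(path: str) -> dict:
    """Convenience wrapper for a file on disk (path is whatever the analyst chooses)."""
    with open(path, "rb") as handle:
        return normalize_sample(handle.read())


if __name__ == "__main__":
    stub = build_minimal_pe_stub()
    for label, blob in (("normal", stub), ("reversed", stub[::-1]), ("text", b"not a binary")):
        result = normalize_sample(blob)
        print(f"{label:8s} -> {result['status']:12s} "
              f"received={result['received_sha256'][:16]}... "
              f"normalized={result['normalized_sha256'][:16]}...")
```

Run `triage_file()` over a directory of suspicious files before submitting them: anything reported as `reversed_pe` should be submitted in its normalised form (the hash under `normalized_sha256`) so the scanner and the analyst see the file in the state it would be in when executed, while the received hash still identifies what actually landed on the machine.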


1 hour ago, Marcos said:

It's a mix of clean and corrupted files and other junk.

The only malicious file seems to be 1ad6d069860b89547224cbc682cac1d95f63fa95ca15e45cf151f51c7bd2fa84 which is, however, reversed. After reversing the bytes into the right order, it's detected: a variant of MSIL/Kryptik.AJEE trojan.

Junk: [screenshot listing the junk files]

The only junk files are the ones I added by accident, but all the other ones should be fine, though they could be corrupted. I re-uploaded them again for you.

ESET malware files.rar


2 hours ago, Marcos said:

The only malicious file seems to be 1ad6d069860b89547224cbc682cac1d95f63fa95ca15e45cf151f51c7bd2fa84 which is, however, reversed. After reversing the bytes into the right order, it's detected: a variant of MSIL/Kryptik.AJEE trojan.

Found this one on a malware share. After download and extraction, the file is indeed an unknown type.

As such, the file has to be manipulated on the target device as noted before it could be executed. I assume there is another malware component to the attack that does this.


1 minute ago, QuickSilverST250 said:

Did you see the other .exe etc. ones?

The malware sample I downloaded only contained this one unknown file. Very possible it contains additional files. It could be a disguised .cab, etc., who knows folder. The bottom line is in its initial downloaded state, the file is harmless.


1 minute ago, itman said:

The malware sample I downloaded only contained this one unknown file. Very possible it contains additional files. It could be a disguised .cab, etc., who knows folder. The bottom line is in its initial downloaded state, the file is harmless.

I was referring to the zip files I uploaded with multiple files in them.


Just now, QuickSilverST250 said:

I was referring to the zip files I uploaded with multiple files in them.

Only Eset moderators can access forum attachments.


7 hours ago, itman said:

I will also add that this malware sample, 1ad6d069860b89547224cbc682cac1d95f63fa95ca15e45cf151f51c7bd2fa84, is identified as zgRAT. It's .NET based malware. Full analysis of it is here: https://blog.cluster25.duskrise.com/2022/12/22/an-infostealer-comes-to-town

Great thank you.


  • Administrators

We've checked all the files you've supplied. There was only one trivial JavaScript downloader that has been added: JS/TrojanDownloader.Agent.AAOS trojan. Nevertheless, the payload () has been detected as PowerShell/TrojanDownloader.Agent.HLI trojan since February 12.

The other files are not subject to detection.


2 hours ago, Marcos said:

We've checked all the files you've supplied. There was only one trivial JavaScript downloader that has been added: JS/TrojanDownloader.Agent.AAOS trojan. Nevertheless, the payload () has been detected as PowerShell/TrojanDownloader.Agent.HLI trojan since February 12.

The other files are not subject to detection.

Thanks, I appreciate it. What is the best way to supply samples to ESET? To do it on an endpoint and submit automatically/manually, or send the samples to ESET?


  • Administrators

Both email submissions to samples[at]eset.com and submissions via the built-in submission form are supported; basically it should not matter which one you prefer.


2 hours ago, Marcos said:

Both email submissions to samples[at]eset.com and submissions via the built-in submission form are supported; basically it should not matter which one you prefer.

I have some APK files I want to check, but it exceeds the limit, so I will email a WeTransfer link for them.


  • Administrators
10 hours ago, QuickSilverST250 said:

I have some APK files I want to check, but it exceeds the limit, so I will email a WeTransfer link for them.

Is it detected by other vendors, or did it exhibit suspicious behavior when you installed the application? It is not that an arbitrary file can be submitted and it will be analyzed by humans. We need to know what makes the file suspicious to you. Moreover, if only a link is submitted, the file cannot be pre-processed automatically for analysts.


11 hours ago, Marcos said:

Is it detected by other vendors, or did it exhibit suspicious behavior when you installed the application? It is not that an arbitrary file can be submitted and it will be analyzed by humans. We need to know what makes the file suspicious to you. Moreover, if only a link is submitted, the file cannot be pre-processed automatically for analysts.

We will be testing the behavior soon; we only noticed other vendors are flagging them. We saw today that our EES detected some of them, so we restored them and copied them to an Android phone with endpoint protection on it; it detected 3 of them now, whereas yesterday it detected nothing. We attached the other ones; they might not be malicious, but ESET can check them out if you want. The ones left behind were scanned and detected by Surfshark antivirus on Android, not all but only

Malicious APK.rar


Just now, QuickSilverST250 said:

We will be testing the behavior soon; we only noticed other vendors are flagging them. We saw today that our EES detected some of them, so we restored them and copied them to an Android phone with endpoint protection on it; it detected 3 of them now, whereas yesterday it detected nothing. We attached the other ones; they might not be malicious, but ESET can check them out if you want. The ones left behind were scanned and detected by Surfshark antivirus on Android, not all but only

Malicious APK.rar

Here is the 2nd upload.

Malicious APK 2.rar
