Posted

Endpoint Product: ESET Security

 

ESET LiveGuard keeps scanning downloaded files from a particular website for one staff member, but nobody else.

We don't want LiveGuard doing this.

The files are PDFs.

The website is a provincial government website.

 

Whenever this user clicks on any form, it downloads, then tries to open in Adobe Reader and that is where it gets stopped.

A LiveGuard popup comes up to say it needs to scan the file, then after several minutes, it says it's clean and then the user is able to open the file.

Often, the user is on the phone with a client and so it becomes quite annoying to have to wait for each form to scan.

 

The user uses Google Chrome, it's all up to date.

Adobe Reader is all up to date.

ESET product is all up to date.

They have Windows 10 Business and it's up to date.

 

If the user sets the browser to open the PDF, then LiveGuard does not scan it and it opens right away. However, the PDFs have calendars and calculators built-in that no longer function if opened in a browser. They only work if opened in Adobe Reader. I'm guessing it's those functions that are tripping ESET LiveGuard. But why for only a single user?

 

When I rolled out ESET, I did so using the same installer on over 20+ computers and only this one person is reporting to have this issue.

Other employees, and even myself can download the forms and open fine in Adobe Reader without LiveGuard needing to scan them.

I have not created any custom policies for anyone at this company; it's a brand new rollout of ESET and no other antivirus is on any computers.

 

I’ve looked into making a URL List exception for the website in ESET, but it doesn't seem to affect LiveGuard.

I’ve gone into the PROTECT portal, I can see LiveGuard is scanning them, and it allows me to make an exception, but only for each individual file and only by its hash.

According to the user, these forms update a few times a year, so they will just run into this again in a few months.

 

Any ideas on how to prevent LiveGuard from always scanning these forms for this one user?

  • Administrators
Posted

The PDF file likely contains JavaScript. PDF files without active content are not subject to analysis by LiveGuard.

You can add the domain to the submission exclusion list as per https://help.eset.com/ees/11/en-US/idh_charon_sample.html to prevent files downloaded from that particular site from being submitted.
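The reply above attributes the submission to JavaScript inside the PDF. As an added example (not part of the original thread and not ESET's detection logic), this Python sketch counts PDF name tokens associated with active content so an administrator can check one of the downloaded forms; the token list, function names and sample bytes are assumptions constructed for illustration.

```python
import re
import sys

# PDF name tokens associated with scripts or automatic actions (assumed list).
ACTIVE_NAMES = ("JS", "JavaScript", "OpenAction", "AA", "XFA")
# A PDF name runs from "/" to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]+)")

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes permitted in PDF names (J#61vaScript -> JavaScript)."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")

def active_content(data: bytes) -> dict:
    """Count active-content name tokens in the raw bytes of a PDF."""
    counts = {name: 0 for name in ACTIVE_NAMES}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts

def has_active_content(data: bytes) -> bool:
    return any(active_content(data).values())

def may_hide_names(data: bytes) -> bool:
    """Compressed object streams can hide names, making a zero count inconclusive."""
    return b"/ObjStm" in data

# Constructed samples: a form with a calculation script and a static document.
SAMPLE_FORM = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
               b"2 0 obj\n<< /S /J#61vaScript /JS (this.calculateNow\\(\\);) >>\n"
               b"endobj\n%%EOF\n")
SAMPLE_STATIC = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    inputs = inputs or [("SAMPLE_FORM", SAMPLE_FORM), ("SAMPLE_STATIC", SAMPLE_STATIC)]
    for label, data in inputs:
        note = " (object streams present, result inconclusive)" if may_hide_names(data) else ""
        print(label, active_content(data), "active" if has_active_content(data) else "static", note)
```

Run it with one or more PDF paths as arguments; with no arguments it reports on the two constructed samples.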

 

Posted

Thanks, Marcos.

I've tried adding both the domain and even the file extension (*.pdf) to that exclusion filter.

No change, LiveGuard continues to scan the files.

  • Administrators
Posted

According to your logs and configuration, the address is not listed in submission exclusions:

[Attached screenshot: image.png]

Posted

That's because the user wanted it removed after we tested it and it didn't work.

Client is worried about leaving any exceptions in place if they are not needed/working.

  • Administrators
Posted

I'm not aware of any case when submission exclusions would not work so please raise a support ticket for help with further troubleshooting.

Posted

Ok, will do. Thank you.

I did exactly what your screenshot showed and the files are still being temporarily blocked and scanned.

Posted (edited)

Reviewing ESET cloud-based protection settings, it appears the exclusion settings apply to ESET submissions overall. Since LiveGuard has a separate submission setting for documents, I believe that is overriding the global submission exclusion settings.

Note that the global default submission setting is not to submit documents. You might try setting this to all samples. Hopefully, this would allow the exclusions to apply to all files including documents.

Edited by itman
  • Administrators
Posted

I've tested it myself and it worked. After adding *tribunalsontario.ca/* to submission exclusions, no PDF files downloaded from that website were submitted to LiveGuard. After removing it, they were sent. Please provide fresh ELC logs with the exclusion set up.

Posted

Sure. We did test it again and it still wants to submit them to LiveGuard.

Attached are the logs with the exclusion entered.

 

[Attachment: ees_logs2.zip]

This topic is now closed to further replies.