Livelinx 0 Posted June 6
Endpoint Product: ESET Security

ESET LiveGuard keeps scanning downloaded files from a particular website for one staff member, but nobody else. We don't want LiveGuard doing this. The files are PDFs. The website is a provincial government website. Whenever this user clicks on any form, it downloads, then tries to open in Adobe Reader and that is where it gets stopped. A LiveGuard popup comes up to say it needs to scan the file, then after several minutes, it says it's clean and then the user is able to open the file. Often, the user is on the phone with a client and so it becomes quite annoying to have to wait for each form to scan.

The user uses Google Chrome, it's all up to date. Adobe Reader is all up to date. ESET product is all up to date. They have Windows 10 Business and it's up to date.

If the user sets the browser to open the PDF, then LiveGuard does not scan it and it opens right away. However, the PDFs have calendars and calculators built-in that no longer function if opened in a browser. They only work if opened in Adobe Reader. I'm guessing it's those functions that are tripping ESET LiveGuard. But why for only a single user?

When I rolled out ESET, I did so using the same installer on over 20+ computers and only this one person is reporting to have this issue. Other employees, and even myself can download the forms and open fine in Adobe Reader without LiveGuard needing to scan them. I have not created any custom policies for anyone at this company, it's a brand new rollout of ESET and no other antivirus is on any computers.

I've looked into making a URL List exception for the website in ESET, but it doesn't seem to affect LiveGuard. I've gone into the PROTECT portal, I can see LiveGuard is scanning them, and it allows me to make an exception, but only for each individual file and only by its hash. According to the user, these forms update a few times a year, so they will just run into this again in a few months.

Any ideas on how to prevent LiveGuard from always scanning these forms for this one user?
Administrators Marcos 5,450 Posted June 6
The PDF file likely contains a JavaScript. PDF files without active content are not subject to analysis by LiveGuard. You can add the domain to the submission exclusion list as per https://help.eset.com/ees/11/en-US/idh_charon_sample.html to prevent files downloaded from that particular site from being submitted.
Livelinx 0 Posted June 6 (Author)
Thanks, Marcos. I've tried adding both the domain and even the file extension (*.pdf) to that exclusion filter. No change, LiveGuard continues to scan the files.
Administrators Marcos 5,450 Posted June 6
Please provide logs collected with ESET Log Collector from that machine.
Administrators Marcos 5,450 Posted June 6
According to your logs and configuration, the address is not listed in submission exclusions:
Livelinx 0 Posted June 6 (Author)
That's because the user wanted it removed after we tested it and it didn't work. Client is worried about leaving any exceptions in place if they are not needed/working.
Administrators Marcos 5,450 Posted June 6
I'm not aware of any case when submission exclusions would not work so please raise a support ticket for help with further troubleshooting.
Livelinx 0 Posted June 6 (Author)
Ok, will do. Thank you. I did exactly what your screenshot showed and the files are still being temporarily blocked and scanned.
itman 1,801 Posted June 6 (edited)
Reviewing ESET Cloud-based protection settings, it appears the exclusion settings apply to ESET submissions overall. Since LiveGuard has a separate submission setting for documents, I believe that is overriding the global submission exclusion settings. Note that the global default submission setting is not to submit documents. You might try setting this to all samples. Hopefully, this would allow the exclusions to apply to all files including documents.
Edited June 6 by itman
Administrators Marcos 5,450 Posted June 7
I've tested it myself and it worked. After adding *tribunalsontario.ca/* to submission exclusions, no PDF files downloaded from that website were submitted to LiveGuard. After removing it, they were sent. Please provide fresh ELC logs with the exclusion set up.
Livelinx 0 Posted June 7 (Author)
Sure. We did test it again and it still wants to submit them to LiveGuard. Attached are the logs with the exclusion entered. ees_logs2.zip