ESET LiveGuard Scanning Files for only 1 user


Endpoint Product: ESET Security

 

ESET LiveGuard keeps scanning downloaded files from a particular website for one staff member, but nobody else.

We don't want LiveGuard doing this.

The files are PDFs.

The website is a provincial government website.

 

Whenever this user clicks on any form, it downloads, then tries to open in Adobe Reader and that is where it gets stopped.

A LiveGuard popup comes up to say it needs to scan the file, then after several minutes, it says it's clean and then the user is able to open the file.

Often, the user is on the phone with a client and so it becomes quite annoying to have to wait for each form to scan.

 

The user uses Google Chrome, it's all up to date.

Adobe Reader is all up to date.

ESET product is all up to date.

They have Windows 10 Business and it's up to date.

 

If the user sets the browser to open the PDF, then LiveGuard does not scan it and it opens right away. However, the PDFs have calendars and calculators built-in that no longer function if opened in a browser. They only work if opened in Adobe Reader. I'm guessing it's those functions that are tripping ESET LiveGuard. But why for only a single user?

 

When I rolled out ESET, I did so using the same installer on over 20+ computers and only this one person is reporting to have this issue.

Other employees, and even myself can download the forms and open fine in Adobe Reader without LiveGuard needing to scan them.

I have not created any custom policies for anyone at this company, it's a brand new rollout of ESET and no other antivirus is on any computers.

 

I’ve looked into making a URL List exception for the website in ESET, but it doesn't seem to affect LiveGuard.

I’ve gone into the PROTECT portal, I can see LiveGuard is scanning them, and it allows me to make an exception, but only for each individual file and only by its hash.

According to the user, these forms update a few times a year, so they will just run into this again in a few months.

 

Any ideas on how to prevent LiveGuard from always scanning these forms for this one user?


  • Administrators

The PDF file likely contains JavaScript. PDF files without active content are not subject to analysis by LiveGuard.

You can add the domain to the submission exclusion list as per https://help.eset.com/ees/11/en-US/idh_charon_sample.html to prevent files downloaded from that particular site from being submitted.

 

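To see which downloaded forms actually carry the active content mentioned in the reply above, the files can be triaged locally. This is an added example, not part of the thread and not ESET's detection logic; the token list and function names are assumptions, and both sample PDFs are constructed.

```python
import re
import zlib

# Name tokens that mark active content in a PDF (assumed list, pdfid-style triage).
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def _decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def _inflated_streams(data: bytes):
    """Yield the contents of streams that inflate as zlib (FlateDecode) data."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            # decompressobj tolerates the end-of-line bytes left before "endstream"
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # uncompressed stream or a filter other than Flate

def active_content(data: bytes) -> dict:
    """Count active-content names in the raw bytes and in every inflated stream."""
    counts = {}
    for blob in (data, *_inflated_streams(data)):
        text = _decode_names(blob)
        for name in ACTIVE_NAMES:
            # A delimiter must follow the name, so /JS does not match /JSFoo.
            hits = re.findall(re.escape(name) + rb"(?=[\s/<>\[\]()]|$)", text)
            if hits:
                counts[name.decode()] = counts.get(name.decode(), 0) + len(hits)
    return counts

# Constructed samples: a static PDF skeleton, and a form whose script action sits
# in a compressed stream under an escaped name.
STATIC_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
_ACTION = b"<< /S /J#61vaScript /JS (/* calendar and calculator code */) >>"
FORM_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(_ACTION) + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(active_content(STATIC_PDF))  # no active content
    print(active_content(FORM_PDF))
```

An empty result means no known active-content marker was found; it does not predict what LiveGuard will or will not submit.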

Thanks, Marcos.

I've tried adding both the domain and even the file extension (*.pdf) to that exclusion filter.

No change, LiveGuard continues to scan the files.


  • Administrators

According to your logs and configuration, the address is not listed in submission exclusions:

[Screenshot: image.png]


That's because the user wanted it removed after we tested it and it didn't work.

Client is worried about leaving any exceptions in place if they are not needed/working.


  • Administrators

I'm not aware of any case when submission exclusions would not work so please raise a support ticket for help with further troubleshooting.


Ok, will do. Thank you.

I did exactly what your screenshot showed and the files are still being temporarily blocked and scanned.


Reviewing ESET cloud-based protection settings, it appears the exclusion settings apply to ESET submissions overall. Since LiveGuard has a separate submission setting for documents, I believe that is overriding the global submission exclusion settings.

Note that the global default submission setting is not to submit documents. You might try setting this to all samples. Hopefully, this would allow the exclusions to apply to all files including documents.

Edited by itman

  • Administrators

I've tested it myself and it worked. After adding *tribunalsontario.ca/* to submission exclusions, no PDF files downloaded from that website were submitted to LiveGuard. After removing it, they were sent. Please provide fresh ELC logs with the exclusion set up.
