Question What is Live-Guard?

Please provide comments and solutions that are helpful to the author of this topic.

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,460
Live-Guard is a cloud-based malware analysis technology used by ESET antivirus products. It is designed to detect and analyze potentially malicious files in real-time, using advanced behavioral analysis and machine learning algorithms.

As for the size limit, Live-Guard is not officially advertised as having one. However, some users have reported that large files may take longer to upload and analyze, depending on their internet connection speed.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Mediocre implementation of emulation (running code in a virtual, secluded environment to discover its true intentions). Eset LiveGuard emulation is not resistant to evasion, and on their forum it is frequently criticised for classifying malicious files as safe.
 

czesetfan

Level 4
Dec 3, 2021
155
See here what ESET says about LiveGuard:
ESET Smart Security Premium | ESET Smart Security Premium | ESET Online Help
How detection layers work

As for detection efficiency: the enterprise version has the ability to individually set the sensitivity level. The home version doesn't; there it's fixed. And within ESET's policy, it's not the most stringent option, more of a "the less FP" approach. According to the spreadsheet, it will probably be "Highly suspicious" or "Malicious".
Results of analysis

 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
The problem is not with their ability to recognise and classify malicious behaviour; their problem is that they can't properly hide the VM artefacts, and malware knows it is being studied. It then delivers different behaviour than the one it will deliver on a real system, which leaves them with static analysis. That can easily be evaded by the use of a packer, especially a custom one for which Eset has not described the unpacking logic. They don't simulate various activities either, such as pressing buttons when presented with them.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
I used to run ESET Premium and Live-Guard responded a few times sending a file to its cloud for analysis, the reporting time was typically less than 5 minutes. It worked well enough for me and did not make any mistakes, but I stopped using ESET for an unrelated reason.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Are there any major differences between the consumer LiveGuard versus business LiveGuard Advanced?
There is a difference within the detection engines and also, the final report (if a certain number of stations are licensed) will include detailed information about why the file has been classified malicious. But nowhere is it mentioned that anti-evasion tactics are different and more sophisticated.

A sandbox/emulator is only as good as its resistance to evasion, as malware authors can check various hardware and software parameters to determine that they run on a VM.
The Pafish project is one that heavily studied artefacts that could be checked to realise it is emulation.
Evasions.checkpoint.com is based around this project but adds more on top.

In conclusion, tools like Eset LiveGuard and Avast CyberCapture provide a false sense of security. They display messages like "Good news from threat labs, the file is safe" when the malware most likely just exited and didn't do anything. When you run it, it will be another story.
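Trident's point here, and in the earlier reply about malware that behaves differently once it spots the VM, is that an emulator which watches a sample exit quietly reports it as safe. The following is an added example, not part of this thread and not ESET's or Avast's code: a toy verdict step for a behavioural sandbox that treats VM-artefact probing followed by an early exit as "evasive" rather than "safe". The trace format, thresholds, indicator strings and sample traces are assumptions constructed for the example.

```python
"""Added example, not ESET's or Avast's code. A toy sandbox verdict step: a sample
that probes for VM artefacts (the kind the Pafish project enumerates) and then exits
early is reported "evasive", never "safe". Trace format and thresholds are constructed."""
import re

# Substrings betraying a hypervisor: guest-tool service/process names, the BIOS
# registry value, VirtualBox/VMware MAC OUI prefixes. Illustrative, not exhaustive.
VM_ARTEFACTS = ("vbox", "virtualbox", "vmware", "vmtoolsd", "qemu",
                "systembiosversion", "08:00:27", "00:0c:29", "00:50:56")
# APIs that represent real work; a sample that reaches these has detonated.
PAYLOAD_APIS = ("CreateFile", "WriteFile", "CreateProcess", "InternetOpen",
                "connect", "RegSetValue", "CreateRemoteThread")
EARLY_EXIT_SECONDS = 10.0   # exiting before this with no payload is suspicious
MIN_PROBES_FOR_EVASIVE = 2

def parse_event(line):
    """'+1.25s RegOpenKey HKLM\\...' -> (seconds, api, argument)."""
    m = re.match(r"\+(\d+(?:\.\d+)?)s\s+(\w+)\s*(.*)", line)
    if not m:
        raise ValueError(f"bad trace line: {line!r}")
    return float(m.group(1)), m.group(2), m.group(3)

def classify(trace):
    """Return 'detonated', 'evasive', 'suspicious' or 'inert' for an API trace."""
    probes, payload, exit_at = 0, 0, None
    for line in trace:
        t, api, arg = parse_event(line)
        if api == "ExitProcess":
            exit_at = t
        elif any(a in arg.lower() for a in VM_ARTEFACTS):
            probes += 1             # fingerprinting the environment
        elif api in PAYLOAD_APIS:
            payload += 1            # observable dropper/loader activity
    if payload:
        return "detonated"          # hand over to behavioural scoring
    if probes >= MIN_PROBES_FOR_EVASIVE and exit_at is not None \
            and exit_at < EARLY_EXIT_SECONDS:
        return "evasive"            # "did nothing" must not become "safe"
    return "suspicious" if probes else "inert"

EVASIVE_TRACE = [  # constructed: fingerprints the guest, then bails out
    "+0.10s RegOpenKey HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest",
    "+0.30s Process32Next vmtoolsd.exe",
    "+0.41s GetAdaptersAddresses mac=08:00:27:3a:2b:1c",
    "+0.45s ExitProcess 0",
]
DETONATED_TRACE = [  # constructed: same first probe, but keeps going
    "+0.10s RegQueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
    "+2.50s CreateProcess C:\\Users\\Public\\update.exe",
    "+45.0s ExitProcess 0",
]
```

The "evasive" verdict is the one a product should surface instead of "the file is safe": it does not prove the file is malicious, but it blocks the sample from being whitelisted on the strength of a silent exit.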
 

Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
435
You are the living library of XDR sir.

With cyber capture... Where do you see the fault? The analyst or the tech stack? Genuinely curious.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
There is no analyst there; the majority of the time they deliver verdicts within a few minutes. Not sure which analyst has managed to analyse malware in 5 minutes. It's just overblown marketing claims. It's not once or twice in my tests that it has produced safe verdicts, only for other shields to start blocking behaviour and communications afterwards. An analyst would've known it was malware. The fault is in the same place as with Eset LiveGuard (faults described clearly by Marcos the admin). Not enough care and funds are invested to research the evasion methods and counter them.
 

czesetfan

Level 4
Dec 3, 2021
155
Interesting discussion. (y):)

Despite the shortcomings you mentioned, what do you estimate the benefits of LiveGuard to be? Since ESET builds and operates it, I assume it has a benefit.

I also remembered that not all suspicious files are sent to LiveGuard, but only those downloaded from the network or run from USB.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Not all malware will be programmed to detect traces of emulators and debuggers perfectly. Although I am 100% sure this intelligence is shared for low prices if not for free on dark web forums, not all of them will nail the evasion. Malware from such groups/individuals will be detected so you can consider this module an aid or a helper. Both Avast and Eset don’t rely just on LiveGuard/CyberCapture.
 

jogs

Level 22
Verified
Top Poster
Well-known
Nov 19, 2012
1,113
All I can say is that Live-Guard (pronounced leev guard) is a liver tonic that can be found in some medical stores. :D
 

cartaphilus

Level 5
Mar 17, 2023
202
Well, that's disappointing. Whilst other organizations are moving towards ML/AI analytics, Eset is still hopeful that signatures and an old heuristic engine will save them. I've been an Eset user since 1998 and I hate to stop, so I will give them one more year before I move on.
 

Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
435
Used to be me.
 