Question What is Live-Guard?

Please provide comments and solutions that are helpful to the author of this topic.

Bot

AI-powered Bot
Apr 21, 2016
3,576
Live-Guard is a cloud-based malware analysis technology used by ESET antivirus products. It is designed to detect and analyze potentially malicious files in real-time, using advanced behavioral analysis and machine learning algorithms.

As for the size limit, Live-Guard is not officially advertised as having one. However, some users have reported that large files may take longer to upload and analyze, depending on their internet connection speed.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
Mediocre implementation of emulation (running code in a virtual, secluded environment to discover its true intentions). Eset LiveGuard emulation is not resistant to evasion and on their forum is frequently criticised for classifying malicious files as safe.
 

czesetfan

Level 4
Dec 3, 2021
158
See here what ESET says about LiveGuard:
ESET Smart Security Premium | ESET Smart Security Premium | ESET Online Help
How detection layers work

As for detection efficiency. The enterprise version has the ability to individually set the sensitivity level. Home version doesn't, there it's fixed. And within ESET's policy, it's not the most stringent option, more of a "the less FP" approach. According to the spreadsheet: it will probably be "Highly suspicious", or "Malicious"..
Results of analysis

result.png
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
See here what ESET says about LiveGuard:
ESET Smart Security Premium | ESET Smart Security Premium | ESET Online Help
How detection layers work

As for detection efficiency. The enterprise version has the ability to individually set the sensitivity level. Home version doesn't, there it's fixed. And within ESET's policy, it's not the most stringent option, more of a "the less FP" approach. According to the spreadsheet: it will probably be "Highly suspicious", or "Malicious"..
Results of analysis

View attachment 276438
The problem is not with their abilities to recognise and classify malicious behaviour, their problem is that they can’t properly hide the VM artefacts and malware knows it is being studied. It then delivers different behaviour than the one it will deliver on a real system which leave them with static analysis. That can easily be evaded by the use of packer, specially a custom one for which Eset has not described unpacking logics. They don’t simulate various activities as well, such as pressing buttons when presented with such.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,076
See here what ESET says about LiveGuard:
ESET Smart Security Premium | ESET Smart Security Premium | ESET Online Help
How detection layers work

As for detection efficiency. The enterprise version has the ability to individually set the sensitivity level. Home version doesn't, there it's fixed. And within ESET's policy, it's not the most stringent option, more of a "the less FP" approach. According to the spreadsheet: it will probably be "Highly suspicious", or "Malicious"..
Results of analysis

View attachment 276438
I used to run ESET Premium and Live-Guard responded a few times sending a file to its cloud for analysis, the reporting time was typically less than 5 minutes. It worked well enough for me and did not make any mistakes, but I stopped using ESET for an unrelated reason.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
Are there any major differences between the consumer LiveGuard versus business LiveGuard Advanced?
There is a difference within the detection engines and also, the final report (if certain number of stations are licensed) will include detailed information about why the file has been classified malicious. But nowhere it is mentioned that anti-evasion tactics are different and more sophisticated.

A sandbox/emulator is only as good as its resistance to evasion is, as malware authors can check various hardware and software parameters to determine they run on VM.
The Pafish project is one that heavily studied artefacts that could he checked to realise it is emulation.
Evasions.checkpoint.com is based around this project but adds more on top.

In conclusion, tools like Eset LiveGuard and Avast CyberCpature provide false sense of security. They display messages like “Good news from threat labs, the file is safe” when the malware most likely just exited and didn’t do anything. When you run it, it will be another story.
 

Sandbox Breaker

Level 9
Well-known
Jan 6, 2022
436
There is a difference within the detection engines and also, the final report (if certain number of stations are licensed) will include detailed information about why the file has been classified malicious. But nowhere it is mentioned that anti-evasion tactics are different and more sophisticated.

A sandbox/emulator is only as good as its resistance to evasion is, as malware authors can check various hardware and software parameters to determine they run on VM.
The Pafish project is one that heavily studied artefacts that could he checked to realise it is emulation.
Evasions.checkpoint.com is based around this project but adds more on top.

In conclusion, tools like Eset LiveGuard and Avast CyberCpature provide false sense of security. They display messages like “Good news from threat labs, the file is safe” when the malware most likely just exited and didn’t do anything. When you run it, it will be another story.
You are the living library of XDR sir.

With cyber capture... Where do you see the fault? The analyst or the tech stack? Genuinely curious.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
You are the living library of XDR sir.

With cyber capture... Where do you see the fault? The analyst or the tech stack? Genuinely curious.
There is no analyst there, majority of time they deliver verdicts within few minutes. Not sure which analyst has managed to analyse malware in 5 minutes. It’s just overblown marketing claims. It’s not once or twice on my test it has produced safe verdicts only for other shields to start blocking behaviour and communications after. An analyst would’ve known it was malware. The fault is at the same place like Eset LiveGuard (faults described clearly by Marcos the admin). Not enough care and funds are invested to research the evasion methods and counter them.
 

czesetfan

Level 4
Dec 3, 2021
158
There is no analyst there, majority of time they deliver verdicts within few minutes. Not sure which analyst has managed to analyse malware in 5 minutes. It’s just overblown marketing claims. It’s not once or twice on my test it has produced safe verdicts only for other shields to start blocking behaviour and communications after. An analyst would’ve known it was malware. The fault is at the same place like Eset LiveGuard (faults described clearly by Marcos the admin). Not enough care and funds are invested to research the evasion methods and counter them.
Interesting discussion. (y):)

Despite the shortcomings you mentioned, what do you estimate the benefits of LiveGuard to be? Since ESET builds and operates it, I assume it has a benefit.

I also remembered that not all suspicious files are sent to LiveGuard, but only those downloaded from the network or run from USB.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
Interesting discussion. (y):)

Despite the shortcomings you mentioned, what do you estimate the benefits of LiveGuard to be? Since ESET builds and operates it, I assume it has a benefit.

I also remembered that not all suspicious files are sent to LiveGuard, but only those downloaded from the network or run from USB.
Not all malware will be programmed to detect traces of emulators and debuggers perfectly. Although I am 100% sure this intelligence is shared for low prices if not for free on dark web forums, not all of them will nail the evasion. Malware from such groups/individuals will be detected so you can consider this module an aid or a helper. Both Avast and Eset don’t rely just on LiveGuard/CyberCapture.
 

jogs

Level 22
Verified
Top Poster
Well-known
Nov 19, 2012
1,113
All I can say is that Live-Guard (pronounced leev guard) is a liver tonic that can be found in some medical stores. :D
 

cartaphilus

Level 5
Mar 17, 2023
202
There is no analyst there, majority of time they deliver verdicts within few minutes. Not sure which analyst has managed to analyse malware in 5 minutes. It’s just overblown marketing claims. It’s not once or twice on my test it has produced safe verdicts only for other shields to start blocking behaviour and communications after. An analyst would’ve known it was malware. The fault is at the same place like Eset LiveGuard (faults described clearly by Marcos the admin). Not enough care and funds are invested to research the evasion methods and counter them.
Well that's disappointing. Whilst other organizations are moving towards ML/AI analytics Eset is still hopeful that signatures and old heuristic engine will save them. I've been an eset user since 1998 and I hate to stop so I will give them one more year before I move on.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top