- Jun 12, 2023
What is Live-Guard? Is it a cloud sandbox like Kaspersky Opentip, Triage, etc, and does it have a size limit?
The problem is not with their ability to recognise and classify malicious behaviour; their problem is that they can't properly hide the VM artefacts, and the malware knows it is being studied. It then delivers different behaviour than it would on a real system, which leaves them with static analysis. That can easily be evaded by the use of a packer, especially a custom one for which ESET has not described the unpacking logic. They don't simulate various activities either, such as pressing buttons when presented with them.
> See here what ESET says about LiveGuard:
> ESET Online Help, ESET Smart Security Premium: How detection layers work
> As for detection efficiency: the enterprise version has the ability to set the sensitivity level individually. The home version doesn't; there it's fixed. And within ESET's policy it's not the most stringent option, more of a "fewer FPs" approach. According to the spreadsheet, it will probably be "Highly suspicious" or "Malicious".
> Results of analysis [attachment 276438]
Are there any major differences between the consumer LiveGuard and the business LiveGuard Advanced?
> ESET LiveGuard emulation is not resistant to evasion, and on their forum it is frequently criticised for classifying malicious files as safe.
I used to run ESET Premium, and LiveGuard responded a few times by sending a file to its cloud for analysis; the reporting time was typically less than 5 minutes. It worked well enough for me and did not make any mistakes, but I stopped using ESET for an unrelated reason.
> See here what ESET says about LiveGuard: ESET Online Help, How detection layers work [...]
still available: Download NOD32 Antivirus protection for Windows (www.eset.com)
Yes son.
> Back then everything was better
There is a difference in the detection engines, and also the final report (if a certain number of stations are licensed) will include detailed information about why the file has been classified as malicious. But nowhere is it mentioned that the anti-evasion tactics are different or more sophisticated.
> Are there any major differences between the consumer LiveGuard and the business LiveGuard Advanced?
You are the living library of XDR sir.
> There is a difference in the detection engines, and also the final report (if a certain number of stations are licensed) will include detailed information about why the file has been classified as malicious. [...]
A sandbox/emulator is only as good as its resistance to evasion, as malware authors can check various hardware and software parameters to determine that they are running on a VM.
The Pafish project is one that heavily studied the artefacts that could be checked to realise it is emulation.
evasions.checkpoint.com is based around this project but adds more on top.
In conclusion, tools like ESET LiveGuard and Avast CyberCapture provide a false sense of security. They display messages like "Good news from threat labs, the file is safe" when the malware most likely just exited and didn't do anything. When you run it, it will be another story.
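As an added example (not code from this thread, and not Pafish's own code), here is the kind of Pafish-style fingerprinting the post above refers to, written to run offline against a constructed host profile instead of probing the real machine. The constants are publicly documented artefacts (CPUID leaf 0x40000000 vendor strings, VMware and VirtualBox MAC OUIs, guest-tools process names and registry keys); the thresholds for core count, RAM, disk and uptime are common heuristic cut-offs chosen for illustration, and the three profiles are made up, not measurements of any product. The point it makes is the one in the post: a sandbox has to hide every artefact the sample can see, including "a user pressing buttons", or the sample exits and the verdict is "safe".

```python
"""Pafish-style VM/sandbox fingerprinting against constructed host profiles.

Added example for this thread; it is not the thread's code and not Pafish's.
It runs offline by evaluating a HostProfile instead of probing the machine.
"""
from dataclasses import dataclass

# Well-known artefact classes that Pafish-style checks look for. The constants
# are documented values (CPUID leaf 0x40000000 vendor strings, VMware and
# VirtualBox MAC OUIs, guest-tools process names and registry keys).
HYPERVISOR_BRANDS = {"VMwareVMware", "VBoxVBoxVBox", "KVMKVMKVM",
                     "Microsoft Hv", "XenVMMXenVMM", "prl hyperv"}
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56",  # VMware
                   "08:00:27")                                       # VirtualBox
VM_PROCESSES = {"vboxservice.exe", "vboxtray.exe",
                "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe"}
VM_REGISTRY_KEYS = {r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
                    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"}


@dataclass
class HostProfile:
    """What a sample can observe about the machine it was started on."""
    cpuid_hypervisor_bit: bool   # CPUID leaf 1, ECX bit 31
    hypervisor_brand: str        # CPUID leaf 0x40000000 vendor string
    mac_addresses: list
    cpu_count: int
    ram_mb: int
    disk_gb: int
    uptime_minutes: int
    processes: set
    registry_keys: set
    cursor_positions: list       # (x, y) samples taken a few seconds apart


def fingerprint(p: HostProfile) -> list:
    """Return the artefacts that give the sandbox away (empty = looks real).
    Thresholds below are illustrative heuristics, not Pafish's exact values."""
    hits = []
    if p.cpuid_hypervisor_bit:
        hits.append("cpuid hypervisor-present bit set")
    brand = p.hypervisor_brand.rstrip("\0 ")
    if brand in HYPERVISOR_BRANDS:
        hits.append(f"cpuid hypervisor brand '{brand}'")
    for mac in p.mac_addresses:
        if mac.lower().startswith(VM_MAC_PREFIXES):
            hits.append(f"NIC {mac} has a VMware/VirtualBox OUI")
    if p.cpu_count < 2:
        hits.append(f"only {p.cpu_count} CPU core")
    if p.ram_mb < 2048:
        hits.append(f"only {p.ram_mb} MB RAM")
    if p.disk_gb < 60:
        hits.append(f"only {p.disk_gb} GB disk")
    if p.uptime_minutes < 10:
        hits.append(f"uptime {p.uptime_minutes} min, looks like a fresh snapshot")
    for proc in sorted(p.processes & VM_PROCESSES):
        hits.append(f"guest-tools process {proc}")
    for key in sorted(p.registry_keys & VM_REGISTRY_KEYS):
        hits.append(f"guest-tools registry key {key}")
    if len(set(p.cursor_positions)) <= 1:
        hits.append("mouse cursor never moved")  # nobody is "pressing buttons"
    return hits


def decide(p: HostProfile) -> str:
    """Evasive sample: one artefact is enough to exit and look benign."""
    return "exit quietly" if fingerprint(p) else "run payload"


# Constructed profiles (made-up values, not measurements of any product).
DEFAULT_SANDBOX = HostProfile(
    True, "VBoxVBoxVBox", ["08:00:27:4e:66:a1"], 1, 1024, 40, 3,
    {"explorer.exe", "vboxservice.exe", "vboxtray.exe"},
    {r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    [(512, 384)] * 4)
# Same sandbox after hiding brand, MAC, guest tools and hardware sizing,
# but still with the hypervisor bit visible and no simulated user.
HARDENED_SANDBOX = HostProfile(
    True, "", ["3c:97:0e:12:ab:cd"], 4, 8192, 256, 95,
    {"explorer.exe"}, set(), [(200, 300)] * 5)
REAL_HOST = HostProfile(
    False, "", ["3c:97:0e:12:ab:cd"], 8, 16384, 512, 1440,
    {"explorer.exe", "chrome.exe"}, set(),
    [(200, 300), (210, 305), (230, 310)])

if __name__ == "__main__":
    for name, prof in [("default sandbox", DEFAULT_SANDBOX),
                       ("hardened sandbox", HARDENED_SANDBOX),
                       ("real host", REAL_HOST)]:
        print(f"{name}: {decide(prof)}")
        for h in fingerprint(prof):
            print("   -", h)
```

The hardened profile is the interesting one: every "obvious" artefact is spoofed, yet two leaks remain (the hypervisor bit, and a cursor that never moves), and a sample that checks either of them still exits cleanly, so the sandbox reports the file as safe. That is exactly the failure mode the post describes, and why a cloud sandbox's value is bounded by how many of these checks it defeats rather than by its behaviour classifier.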
There is no analyst there; the majority of the time they deliver verdicts within a few minutes. Not sure which analyst has managed to analyse malware in 5 minutes. It's just overblown marketing claims. It's not once or twice in my tests that it has produced safe verdicts, only for other shields to start blocking behaviour and communications afterwards. An analyst would've known it was malware. The fault is in the same place as with ESET LiveGuard (faults described clearly by Marcos the admin). Not enough care and funds are invested to research the evasion methods and counter them.
> You are the living library of XDR sir.
With CyberCapture... where do you see the fault? The analyst or the tech stack? Genuinely curious.
Interesting discussion.
> There is no analyst there; the majority of the time they deliver verdicts within a few minutes. [...]
Not all malware will be programmed to detect traces of emulators and debuggers perfectly. Although I am 100% sure this intelligence is shared for low prices, if not for free, on dark web forums, not all of them will nail the evasion. Malware from such groups/individuals will be detected, so you can consider this module an aid or a helper. Both Avast and ESET don't rely just on LiveGuard/CyberCapture.
> Interesting discussion.
Despite the shortcomings you mentioned, what do you estimate the benefits of LiveGuard to be? Since ESET builds and operates it, I assume it has a benefit.
I also remembered that not all suspicious files are sent to LiveGuard, only those downloaded from the network or run from USB.
Well, that's disappointing. Whilst other organizations are moving towards ML/AI analytics, ESET is still hopeful that signatures and the old heuristic engine will save them. I've been an ESET user since 1998 and I hate to stop, so I will give them one more year before I move on.
> There is no analyst there; the majority of the time they deliver verdicts within a few minutes. [...]
Used to be me.
> Well, that's disappointing. Whilst other organizations are moving towards ML/AI analytics, ESET is still hopeful that signatures and the old heuristic engine will save them. [...]
Same with AhnLab Smart Defense. The AV uploads the malware to the ASD infrastructure, but after 2 days, when the analysis is done, it shows me the file is unidentified and you can run it without any issue.
> ESET LiveGuard emulation is not resistant to evasion, and on their forum it is frequently criticised for classifying malicious files as safe.