Wilders Security Forums  

  #1  
March 19th, 2010, 07:03 AM
stackz
Frequent Poster

Join Date: Dec 2007
Posts: 537
Threatsense submission bug

Windows 7 x64 pro
ESS 4.2.35.0

Yesterday ESS detected a download as possibly suspicious. All my settings are notched so that I get asked what to do. I received a prompt and opted not to download the file.

The file never got to my computer, it is not in quarantine, it never executed, etc. (In fact, it was not malicious; I just didn't really want it.)
Since that time, Threatsense.net was continually trying to submit a file that does not exist. The only way I could find to put an end to the submission cycle, other than disabling Threatsense.net or selecting not to submit files, was to close the handle to the relevant cache.ndb file, delete it, then reboot.

Hopefully ESET can reproduce this behavior and fix it.
  #2  
March 19th, 2010, 08:42 AM
Marcos
Eset Moderator

Join Date: Nov 2002
Posts: 14,194
Re: Threatsense submission bug

That's how submission of suspicious files works. The file was downloaded, detected and stored in the ThreatSense.Net (TS) cache. Since you have TS set to ask before submitting files, the prompt window kept asking you to approve or deny submission of that file. You ought to have clicked the notification bubble, unchecked the file and clicked on Submit to confirm your selection.
  #3  
March 19th, 2010, 10:14 AM
stackz
Frequent Poster

Join Date: Dec 2007
Posts: 537
Re: Threatsense submission bug

The file was given permission to be sent but was stuck in a loop because there was no file. After clicking submit numerous times, I changed it to automatically send the file and not ask. This resulted in a constant stream of file activity as ESS kept trying to submit the non-existent file (confirmed using Process Monitor).

Quote:
The file was downloaded, detected and stored in the ThreatSense.Net (TS) cache
The file was not downloaded. The cache was 4kb - the file in question is over 300 kb.

edit:
I can reproduce this behavior without fail, even on a different machine.
Click download link > ESS Suspicious file detected > select Terminate connection > file is stuck in TS.net submission cache.

Last edited by stackz : March 19th, 2010 at 07:36 PM.
  #4  
March 20th, 2010, 06:37 PM
stackz
Frequent Poster

Join Date: Dec 2007
Posts: 537
Re: Threatsense submission bug

Bug also reproduced on xpsp3 x86.
- File is never submitted, whatever is collected remains in the charon folder (FND?.NFI) and its record remains in the TS.net submission cache (cache.ndb) - displayed in TS.net > Advanced setup... > Submission > Number of files pending for submission: (number of FND?.NFI files)

Last edited by stackz : March 20th, 2010 at 09:11 PM.
  #5  
March 21st, 2010, 04:22 AM
Marcos
Eset Moderator

Join Date: Nov 2002
Posts: 14,194
Re: Threatsense submission bug

Quote:
Originally Posted by stackz
Bug also reproduced on xpsp3 x86.
- File is never submitted, whatever is collected remains in the charon folder (FND?.NFI) and its record remains in the TS.net submission cache (cache.ndb) - displayed in TS.net > Advanced setup... > Submission > Number of files pending for submission: (number of FND?.NFI files)

It doesn't mean that a file suitable for submission must necessarily be submitted. It has always worked that way since v2.
  #6  
March 21st, 2010, 04:43 AM
stackz
Frequent Poster

Join Date: Dec 2007
Posts: 537
Re: Threatsense submission bug

If a file is not suitable for submission, why does ESS keep its respective FND_.NFI file? Surely it would make more sense to delete them and adjust the cache.ndb file, so that no files are shown as pending submission.

I've always had ESS set to prompt me when submitting files, but never encountered this behavior where it is constantly asking for permission to send the same file. I OK the submission, but it still continually prompts. Once a file is OK'ed for submission and sent, shouldn't it be deleted and the number of files pending submission be decremented?

If I've misunderstood you I apologize.

Last edited by stackz : March 21st, 2010 at 04:53 AM.
 

All times are GMT -4.