Threatsense submission bug

Discussion in 'ESET Smart Security' started by stackz, Mar 19, 2010.

Thread Status:
Not open for further replies.
  1. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    621
    Location:
    Sydney Australia
    Windows 7 x64 pro
    ESS 4.2.35.0

    Yesterday ESS detected a download as possibly suspicious. All my settings are notched so that I get asked what to do. I received a prompt and opted not to download the file.

    The file never got to my computer, it is not in quarantine, it never executed etc. (in fact it was not malicious, I just didn't really want it)
    Since that time, Threatsense.net was continually trying to submit a file that does not exist. The only way I could find to put an end to the submission cycle, other than disabling Threatsense.net or selecting not to submit files, was to close the handle to the relevant cache.ndb file, delete it, then reboot.

    Hopefully ESET can reproduce this behavior and fix it.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    That's how submission of suspicious files works. The file was downloaded, detected and stored in the ThreatSense.Net (TS) cache. Since you have TS set to ask before submitting files, the prompt window kept asking you to approve or deny submission of that file. You ought to have clicked the notification bubble, unchecked the file and clicked on Submit to confirm your selection.
     
  3. stackz

    The file was given permission to be sent but was stuck in a loop because there was no file. After clicking submit numerous times, I changed it to automatically send the file and not ask. This resulted in a constant stream of file activity as ESS kept trying to submit the non-existent file (confirmed using Process Monitor).

    The file was not downloaded. The cache was 4kb - the file in question is over 300 kb.

    edit:
    I can reproduce this behavior without fail, even on a different machine.
    Click download link > ESS Suspicious file detected > select Terminate connection > file is stuck in TS.net submission cache.
     
    Last edited: Mar 19, 2010
  4. stackz

    Bug also reproduced on xpsp3 x86.
    - File is never submitted, whatever is collected remains in the charon folder (FND?.NFI) and its record remains in the TS.net submission cache (cache.ndb) - displayed in TS.net > Advanced setup... > Submission > Number of files pending for submission: (number of FND?.NFI files)
     
    Last edited: Mar 20, 2010
  5. Marcos

    It doesn't mean that a file suitable for submission must necessarily be submitted. It has always worked that way since v2.
     
  6. stackz

    If a file is not suitable for submission, why does ESS keep its respective FND_.NFI file? Surely it would make more sense to delete them and adjust the cache.ndb file, so that no files are shown as pending submission.

    I've always had ESS set to prompt me when submitting files, but never encountered this behavior where it is constantly asking for permission to send the same file. I OK the submission, but it still continually prompts. Once a file is OK'ed for submission and sent, shouldn't it be deleted and the number of files pending submission be decremented?

    If I've misunderstood you I apologize.
     
    Last edited: Mar 21, 2010