File splitting misses final bytes of file resulting in false negatives
t3hbb opened this issue · 1 comments
The file split method appears to miss the final bytes of the file resulting in false negatives.
Scanning the original file from the command line gives the following output:
```text
"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\users\test\desktop\file.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\users\test\desktop\file.exe found 1 threats.
<===========================LIST OF DETECTED THREATS==========================>
----------------------------- Threat information ------------------------------
Threat : EUS:Win32/CustomEnterpriseBlock
Resources : 1 total
file : c:\users\test\desktop\file.exe
-------------------------------------------------------------------------------
```
Using DefenderCheck, the output is as follows:
```text
C:\Users\test\Desktop>DefenderCheck.exe file.exe
Target file size: 271872 bytes
Analyzing...
Exhausted the search. The binary looks good to go!
```
However, the testfile.exe in c:\temp\ and the original file are different sizes (testfile.exe is two bytes shorter).
```text
C:\Users\test\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 22ED-CC37
Directory of C:\Users\test\Desktop
12/23/2021 10:15 AM <DIR> .
12/23/2021 10:15 AM <DIR> ..
12/22/2021 03:50 PM 271,872 file.exe
Directory of c:\temp
12/23/2021 10:07 AM <DIR> .
12/23/2021 10:07 AM <DIR> ..
12/23/2021 10:26 AM 271,870 testfile.exe
1 File(s) 271,870 bytes
2 Dir(s) 40,053,174,272 bytes free
```
Manually scanning the file in the temp directory gives a clean result:
```text
"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\temp\testfile.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\temp\testfile.exe found no threats.
```
Edit to add:
Possibly just a clarification in the 'Good to go' output? Show the initial detection and why analysis started?
This also occurs with a simple eicar.com file.
Modified DefenderCheck (just with some extra output). Modified code:
```csharp
Console.WriteLine("Target file size: {0} bytes", originalfilecontents.Length);
Console.WriteLine("Analyzing...\n");
// Requires full path to pass to MpCmdRun
string OriginalTargetFileFP = Path.GetFullPath(targetfile);
Console.WriteLine("Analyzing...\n");
// Return reason for analysing: scan the original file first and report the initial detection
Scan(OriginalTargetFileFP, true);
```
Added the full path as I noticed I got different results if the full path wasn't provided to DefenderCheck 🤷
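As an added illustration that is not part of this issue or of DefenderCheck's code base: a minimal prefix-halving search in Python, with a constructed marker standing in for the scanner verdict, a hypothetical variant whose longest scanned chunk is two bytes shorter than the file (the symptom reported above), and an instrumented detector that a regression test can use to assert the search really submitted a chunk reaching the file's last byte. The marker, the sample byte strings, and all function and class names are assumptions made for the example.

```python
# Added example, not DefenderCheck's own code: a prefix-halving search for the
# offset at which a scanner first flags a file, a hypothetical variant whose
# largest scanned chunk is two bytes short (the symptom in this report), and an
# instrumented detector that lets a test prove the search reached the last byte.
from typing import Callable, Dict, List, Optional

Detector = Callable[[bytes], bool]

# Constructed stand-in for a scanner verdict: fires when a fixed marker occurs.
# Real engine signatures are not this simple; the marker is only test input.
MARKER = b"<<CONSTRUCTED-SIGNATURE-MARKER>>"
TAIL_SAMPLE = b"A" * 1000 + MARKER              # marker ends on the final byte
MID_SAMPLE = b"A" * 100 + MARKER + b"B" * 500   # marker well inside the file


def marker_detector(chunk: bytes) -> bool:
    return MARKER in chunk


class RecordingDetector:
    """Wraps a detector and records every chunk length submitted to it, so a
    regression test can assert that some chunk extended to the file's end."""

    def __init__(self, inner: Detector) -> None:
        self.inner = inner
        self.lengths: List[int] = []

    def __call__(self, chunk: bytes) -> bool:
        self.lengths.append(len(chunk))
        return self.inner(chunk)


def smallest_flagged_prefix(data: bytes, scan_chunk: Detector, upper: int) -> Optional[int]:
    """Binary-search the smallest n in [1, upper] with scan_chunk(data[:n]) true.

    `upper` is the longest prefix the search will ever hand to the scanner.
    Returns None when no prefix up to `upper` is flagged: if `upper` is less
    than len(data), a signature that needs the final bytes is unreachable and
    the caller sees a clean result for a file the scanner flags as a whole.
    """
    if not scan_chunk(data[:upper]):
        return None
    lo, hi = 1, upper
    while lo < hi:  # invariant: data[:hi] is flagged, data[:lo - 1] is not
        mid = (lo + hi) // 2
        if scan_chunk(data[:mid]):
            hi = mid
        else:
            lo = mid + 1
    return lo


def locate_signature_end(data: bytes, detect: Detector) -> Optional[int]:
    """Correct flow: scan the whole file first, then halve with upper=len(data)."""
    if not detect(data):
        return None  # genuinely clean, nothing to analyse
    return smallest_flagged_prefix(data, detect, len(data))


def locate_signature_end_truncated(data: bytes, detect: Detector) -> Optional[int]:
    """Hypothetical buggy flow mirroring the report: the longest chunk written
    out for scanning is two bytes shorter than the file, so a detection that
    depends on those bytes is never observed after the initial hit."""
    if not detect(data):
        return None
    return smallest_flagged_prefix(data, detect, len(data) - 2)


def demo() -> Dict[str, Optional[int]]:
    """Run both flows over both constructed samples; None means 'looks clean'."""
    return {
        "tail_correct": locate_signature_end(TAIL_SAMPLE, marker_detector),
        "tail_truncated": locate_signature_end_truncated(TAIL_SAMPLE, marker_detector),
        "mid_correct": locate_signature_end(MID_SAMPLE, marker_detector),
        "mid_truncated": locate_signature_end_truncated(MID_SAMPLE, marker_detector),
    }


if __name__ == "__main__":
    for name, offset in demo().items():
        verdict = "looks clean (false negative)" if offset is None else f"flagged by byte {offset}"
        print(f"{name}: {verdict}")
```

Only the sample whose marker ends on the final byte is affected: the mid-file sample is located at the same offset by both flows, which is why the bug shows up as an occasional false negative rather than a consistent failure. Wrapping the scan call in `RecordingDetector` and asserting that the maximum submitted length equals the file length is the cheapest regression check for this class of off-by-N truncation.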