Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

File splitting misses final bytes of file resulting in false negatives #21

Open
t3hbb opened this issue Dec 23, 2021 · 1 comment
Open

File splitting misses final bytes of file resulting in false negatives #21

t3hbb opened this issue Dec 23, 2021 · 1 comment
Labels
good first issue Good for newcomers

Comments

@t3hbb
Copy link

t3hbb commented Dec 23, 2021
edited
Loading

The file split method appears to miss the final bytes of the file resulting in false negatives.

Scanning the original file from the command line give the following output :

"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\users\test\desktop\file.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\users\test\desktop\file.exe found 1 threats.

<===========================LIST OF DETECTED THREATS==========================>
----------------------------- Threat information ------------------------------
Threat                  : EUS:Win32/CustomEnterpriseBlock
Resources               : 1 total
    file                : c:\users\test\desktop\file.exe
-------------------------------------------------------------------------------

Using DefenderCheck the output is as follows:


C:\Users\test\Desktop>DefenderCheck.exe file.exe
Target file size: 271872 bytes
Analyzing...

Exhausted the search. The binary looks good to go!

However the testfile.exe in c:\temp\ and original file are different sizes (tempfile.exe is two bytes shorter).

C:\Users\test\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 22ED-CC37

 Directory of C:\Users\test\Desktop

12/23/2021  10:15 AM    <DIR>          .
12/23/2021  10:15 AM    <DIR>          ..
12/22/2021  03:50 PM           271,872 file.exe

Directory of c:\temp

12/23/2021  10:07 AM    <DIR>          .
12/23/2021  10:07 AM    <DIR>          ..
12/23/2021  10:26 AM           271,870 testfile.exe
               1 File(s)        271,870 bytes
               2 Dir(s)  40,053,174,272 bytes free

Manually scanning the file in the temp directory gives a clean result

"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\temp\testfile.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\temp\testfile.exe found no threats.

Edit to add :

Possibly just a clarification in the 'Good to go' output? Show the initial detection and why analysis started?
@t3hbb
Copy link
Author

t3hbb commented Dec 23, 2021
edited
Loading

This also occurs with a simple eicar.com file

image

Modified DefenderCheck (just with some extra output)

image

Modified code :

            Console.WriteLine("Target file size: {0} bytes", originalfilecontents.Length);
            Console.WriteLine("Analyzing...\n");
            
            // Requires full path to pass to MpCmdRun
            string OriginalTargetFileFP = Path.GetFullPath(targetfile);
            Console.WriteLine("Analyzing...\n");
            // Return Reason for analysing
            Scan(OriginalTargetFileFP, true);

Added the full path as I noticed I got different results if full path wasn't provided to DefenderCheck 🤷
image

@matterpreter matterpreter added the good first issue Good for newcomers label Feb 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@matterpreter @t3hbb