DefenderCheck

File splitting misses final bytes of file resulting in false negatives

Open t3hbb opened this issue 3 years ago • 1 comment

The file split method appears to miss the final bytes of the file resulting in false negatives.

Scanning the original file from the command line gives the following output:

"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\users\test\desktop\file.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\users\test\desktop\file.exe found 1 threats.

<===========================LIST OF DETECTED THREATS==========================>
----------------------------- Threat information ------------------------------
Threat                  : EUS:Win32/CustomEnterpriseBlock
Resources               : 1 total
    file                : c:\users\test\desktop\file.exe
-------------------------------------------------------------------------------

Using DefenderCheck the output is as follows:


C:\Users\test\Desktop>DefenderCheck.exe file.exe
Target file size: 271872 bytes
Analyzing...

Exhausted the search. The binary looks good to go!

However, testfile.exe in c:\temp\ and the original file are different sizes (testfile.exe is two bytes shorter).

C:\Users\test\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 22ED-CC37

 Directory of C:\Users\test\Desktop

12/23/2021  10:15 AM    <DIR>          .
12/23/2021  10:15 AM    <DIR>          ..
12/22/2021  03:50 PM           271,872 file.exe

Directory of c:\temp

12/23/2021  10:07 AM    <DIR>          .
12/23/2021  10:07 AM    <DIR>          ..
12/23/2021  10:26 AM           271,870 testfile.exe
               1 File(s)        271,870 bytes
               2 Dir(s)  40,053,174,272 bytes free

Manually scanning the file in the temp directory gives a clean result:

"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\temp\testfile.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\temp\testfile.exe found no threats.

Edit to add:

Possibly just a clarification in the 'Good to go' output? Show the initial detection and why analysis started?

t3hbb avatar Dec 23 '21 10:12 t3hbb
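The failure mode reported above, as an added illustration that is not DefenderCheck's code and not the reporter's: a generic "write a prefix of the file, scan it, halve the range" search driven by a stand-in scanner. The split logic, the assumed two-byte shortfall in the upper bound, and the signature string are all constructed for the example (a made-up marker is used rather than the EICAR string so the file is inert on a real host). The point it shows is that if the largest prefix ever handed to the scanner is shorter than the original, a signature that ends in the final bytes is never seen and the search reports "clean".

```python
from typing import Tuple

# Constructed stand-in for a scanner signature (not a real AV signature and
# deliberately not the EICAR string, so this script is inert on a real host).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

# Constructed samples: one with the signature as the very last bytes of the
# file (the case reported in the issue), one with the signature mid-file.
SIG_AT_EOF = b"\x00" * 4000 + b"MZ" + b"\x90" * 2000 + SIGNATURE
SIG_MID_FILE = b"\x00" * 1000 + SIGNATURE + b"\x00" * 100


def scan(data: bytes) -> bool:
    """Stand-in for MpCmdRun: flags the buffer only if the whole signature is present."""
    return SIGNATURE in data


def bisect_prefix(data: bytes, upper: int) -> Tuple[bool, int]:
    """Smallest prefix length <= upper that the scanner flags.

    Returns (detected, prefix_length); prefix_length is -1 when no prefix
    within the searched range is flagged. Generic prefix bisection for
    illustration only; this is not DefenderCheck's implementation.
    """
    if not scan(data[:upper]):
        return False, -1
    lo, hi = 0, upper  # invariant: data[:lo] is clean, data[:hi] is flagged
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scan(data[:mid]):
            hi = mid
        else:
            lo = mid
    return True, hi  # byte hi-1 is the last byte the signature needs


def locate_full(data: bytes) -> Tuple[bool, int]:
    """Correct search: the upper bound is the complete file."""
    return bisect_prefix(data, len(data))


def locate_short(data: bytes, shortfall: int = 2) -> Tuple[bool, int]:
    """Assumed faulty search: the upper bound stops `shortfall` bytes before EOF,
    so the largest test file ever written is shorter than the original."""
    return bisect_prefix(data, len(data) - shortfall)


def tail_covered(original: bytes, largest_written: bytes) -> bool:
    """The check the reporter did with `dir`: the largest test file must be the
    same length as the original, otherwise a 'clean' verdict may be a false negative."""
    return len(largest_written) == len(original)


if __name__ == "__main__":
    for name, sample in (("signature at EOF", SIG_AT_EOF), ("signature mid-file", SIG_MID_FILE)):
        print(name)
        print("  full search :", locate_full(sample))
        print("  short search:", locate_short(sample))
        print("  tail covered:", tail_covered(sample, sample[: len(sample) - 2]))
```

With the signature mid-file both searches find the same offset, so the shortfall is invisible; with the signature in the last bytes only the full-length search detects it. The practical check is the one the reporter made: before trusting a "good to go" verdict, confirm that the last test file written has exactly the original's size.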

This also occurs with a simple eicar.com file.

[image]

Modified DefenderCheck (just with some extra output)

[image]

Modified code:

Console.WriteLine("Target file size: {0} bytes", originalfilecontents.Length);
Console.WriteLine("Analyzing...\n");

// MpCmdRun needs an absolute path, so resolve the target before scanning it
string OriginalTargetFileFP = Path.GetFullPath(targetfile);

// Scan the untouched original first so the output shows what was detected
// and why the analysis started (the reporter's "Return Reason for analysing")
Scan(OriginalTargetFileFP, true);

Added the full path as I noticed I got different results if the full path wasn't provided to DefenderCheck 🤷

[image]

t3hbb avatar Dec 23 '21 14:12 t3hbb