File splitting misses final bytes of file resulting in false negatives #21
Description
The file split method appears to miss the final bytes of the file resulting in false negatives.
Scanning the original file from the command line give the following output :
"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\users\test\desktop\file.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\users\test\desktop\file.exe found 1 threats.
<===========================LIST OF DETECTED THREATS==========================>
----------------------------- Threat information ------------------------------
Threat : EUS:Win32/CustomEnterpriseBlock
Resources : 1 total
file : c:\users\test\desktop\file.exe
-------------------------------------------------------------------------------
Using DefenderCheck the output is as follows:
C:\Users\test\Desktop>DefenderCheck.exe file.exe
Target file size: 271872 bytes
Analyzing...
Exhausted the search. The binary looks good to go!
However the testfile.exe in c:\temp\ and original file are different sizes (tempfile.exe is two bytes shorter).
C:\Users\test\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 22ED-CC37
Directory of C:\Users\test\Desktop
12/23/2021 10:15 AM <DIR> .
12/23/2021 10:15 AM <DIR> ..
12/22/2021 03:50 PM 271,872 file.exe
Directory of c:\temp
12/23/2021 10:07 AM <DIR> .
12/23/2021 10:07 AM <DIR> ..
12/23/2021 10:26 AM 271,870 testfile.exe
1 File(s) 271,870 bytes
2 Dir(s) 40,053,174,272 bytes free
Manually scanning the file in the temp directory gives a clean result
"c:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "c:\temp\testfile.exe" -DisableRemediation
Scan starting...
Scan finished.
Scanning c:\temp\testfile.exe found no threats.
Edit to add :
Possibly just a clarification in the 'Good to go' output? Show the initial detection and why analysis started?