Execution blocks on downloaded approved files originated in .partial files

Version

7.2

 

Issue

Execution blocks are detected on newly downloaded files that should be Approved.

 

Symptoms

The files are downloaded through a browser (Chrome, Firefox or IE).

The block is associated with an executable whose hash leads to a file with a .partial extension.

 

For example:

File C:\users\administrator\appdata\local\microsoft\windows\inetcache\ie\...\sp52283.exe is blocked

The hash associated with the block leads to C:\users\administrator\appdata\local\microsoft\windows\inetcache\ie\...\sp52283.exe.y12wsd4.partial

 

Cause

The file is analyzed while it is still downloading (in the .partial stage), which appears to interfere with the execution of the final version of the file (without the .partial extension).

 

Solution

Create the following Performance Optimization rule to ignore writes to the file while the download is still in progress:

    • In the Bit9 console go to Rules --> Software Rules --> Custom --> Add Custom Rule
    • The details for the rule are:

Rule Type: Performance Optimization

Path or File:
*.partial
*.crdownload
*.part

Processes:
*\iexplore.exe
*\chrome.exe
*\firefox.exe
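As an added example (not part of the original article), the following Python models how the rule's path and process patterns apply to block events like the one above, so you can confirm that the transient .partial write is ignored while the final .exe is still analysed. It assumes Bit9 patterns match like case-insensitive shell globs and uses constructed sample events.

```python
from fnmatch import fnmatchcase

# Patterns copied from the article's rule. Assumption for this example:
# Bit9 path patterns behave like case-insensitive shell globs.
PARTIAL_FILE_PATTERNS = ["*.partial", "*.crdownload", "*.part"]
BROWSER_PROCESS_PATTERNS = [r"*\iexplore.exe", r"*\chrome.exe", r"*\firefox.exe"]

def matches_any(value: str, patterns) -> bool:
    """Case-insensitive glob match of a Windows path against rule patterns."""
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)

def rule_ignores_write(file_path: str, process_path: str) -> bool:
    """True when both the written file and the writing process match the
    rule, i.e. the agent would skip analysing this write."""
    return (matches_any(file_path, PARTIAL_FILE_PATTERNS)
            and matches_any(process_path, BROWSER_PROCESS_PATTERNS))

def triage_block(event: dict) -> str:
    """Classify a block event. Event keys (constructed for this example):
    blocked_path, hash_resolved_path, process. The article's symptom is
    that the hash behind the block resolves to a partial-download file
    rather than to the executable that was actually run."""
    resolved = event["hash_resolved_path"]
    if (resolved != event["blocked_path"]
            and matches_any(resolved, PARTIAL_FILE_PATTERNS)):
        if rule_ignores_write(resolved, event["process"]):
            return "partial-download artifact; covered by the optimization rule"
        return "partial-download artifact; writing process NOT covered by the rule"
    return "block on the final file itself; investigate normally"

# Constructed sample events modelled on the article's example; the cache
# directory name is a placeholder, not a real path from the article.
CACHE = r"C:\users\administrator\appdata\local\microsoft\windows\inetcache\ie\PLACEHOLDER"
SAMPLE_EVENTS = [
    {"blocked_path": CACHE + r"\sp52283.exe",
     "hash_resolved_path": CACHE + r"\sp52283.exe.y12wsd4.partial",
     "process": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"blocked_path": r"C:\Users\administrator\Downloads\setup.exe",
     "hash_resolved_path": r"C:\Users\administrator\Downloads\setup.exe.crdownload",
     "process": r"C:\Windows\explorer.exe"},  # not a browser: rule would not apply
    {"blocked_path": r"C:\Users\administrator\Downloads\tool.exe",
     "hash_resolved_path": r"C:\Users\administrator\Downloads\tool.exe",
     "process": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["blocked_path"], "->", triage_block(e))
```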

Article Information
Creation Date: 08-28-2015