Version

7.2

Issue

Execution blocks are detected on newly downloaded files that should be Approved.

Symptoms

The files are downloaded through a browser (Chrome, Firefox or IE).

The block is associated with an executable where the hash leads to a file with .partial extension.

For example:

File C:\users\administrator\appdata\local\microsoft\windows\inetcache\ie\...\sp52283.exe is blocked

The hash associated to the block leads to C:\users\administrator\appdata\local\microsoft\windows\inetcache\ie\...\sp52283.exe.y12wsd4.partial

Cause

The file is analyzed while it is still downloading (on the .partial stage) which seems to interfere with the execution of the final version of the file (without the .partial extension).

Solution

Create the following Performance Optimization rule, to ignore the write of the file while it is still downloading:

• In the Bit9 console go to Rules --> Software Rules --> Custom --> Add Custom Rule
• The details for the rule are:

Rule Type - Performance Optimization

Path or File:

*.partial

*.crdownload

*.part

Processes:

*\iexplore.exe

*\chrome.exe

*\firefox.exe