Version
7.2
Issue
Execution blocks are detected on newly downloaded files that should be Approved.
Symptoms
The files are downloaded through a browser (Chrome, Firefox or IE).
The block is associated with an executable whose hash leads to a file with a .partial extension.
For example:
File C:\users\administrator\appdata\local\microsoft\windows\inetcache\ie\...\sp52283.exe is blocked
The hash associated with the block leads to C:\users\administrator\appdata\local\microsoft\windows\inetcache\ie\...\sp52283.exe.y12wsd4.partial
Cause
The file is analyzed while it is still downloading (at the .partial stage), which seems to interfere with the execution of the final version of the file (without the .partial extension).
Solution
Create the following Performance Optimization rule to ignore writes to the file while it is still downloading:
- In the Bit9 console, go to Rules --> Software Rules --> Custom --> Add Custom Rule
- The details for the rule are:
  Rule Type - Performance Optimization
  Path or File:
    *.partial
    *.crdownload
    *.part
  Processes:
    *\iexplore.exe
    *\chrome.exe
    *\firefox.exe