How to check large downloads?

shmu26

Yesterday I needed to update my Realtek sound driver, so I went over to the official Realtek download site, which by the way did not have a secure connection, and from there I downloaded a 200MB, unsigned exe file that purported to be the driver I needed.
In fact it was. But how could I have checked it out before running the file?
 

SHvFl

If they don't provide a hash to confirm that you got a non-corrupted file, there is nothing you can do.

EDIT: Ignore the text below, I thought you meant you were not sure if the file got corrupted.
If the connection is fast, maybe download twice. If the two files' hashes match, then you probably have the correct file.
 

Myriad

It's a problem, I know.
VirusTotal has a maximum file upload size of 125 MB.

Short of finding a reliable checksum from somewhere, you can't do much more than run a virus scan on it.

BTW - that seems like a big file for a driver!
 
509322

Yesterday I needed to update my Realtek sound driver, so I went over to the official Realtek download site, which by the way did not have a secure connection, and from there I downloaded a 200MB, unsigned exe file that purported to be the driver I needed.
In fact it was. But how could I have checked it out before running the file?

The generally accepted method for large file validation is file hash comparison - but that only works if the file hash is provided at the point of download. And all that tells you is that the downloaded file has not been modified in-transit; it doesn't tell you if the file is safe or malicious.

RealTek doesn't provide the file hash if I remember correctly.

You can set some AV scanners to scan large files by manually increasing the maximum file size to be scanned. Doing so is unlikely to yield any meaningful result since large size malicious files are rarely submitted and thereby signatures created for them. You might get lucky and get an accurate heuristics detection - but it isn't likely. You're probably more likely to get a false positive.

Large size file validation has always been a problem, but then again, large size malware is quite rare.

You can always decompile the file and manually inspect each line of code. :D
 

shmu26

large size malware is quite rare.
That's good to know.

I do remember one notable exception, where tainted ISOs of Linux were planted on a legit download site. Although in that case, you can get the file hash.
 

SHvFl

That's good to know.

I do remember one notable exception, where tainted ISOs of Linux were planted on a legit download site. Although in that case, you can get the file hash.
The hash was also fake. They had access to the website. If you download malware from a legit site, it's basically game over unless your anti-malware stops it.
 

Bryan Lam

Large malware size sure is rare, but those who use it to their capability are smart. This is because things known as file pumpers are used to generate random strings of text and inject them in. This is a good and effective way to bypass anti-virus programs due to the fact that they cannot scan such large files. Though, hash comparison is the way to go. Also, go to your previous downloads (Ctrl + J) in Chrome and look at the site.
 

askmark

Yesterday I needed to update my Realtek sound driver, so I went over to the official Realtek download site, which by the way did not have a secure connection, and from there I downloaded a 200MB, unsigned exe file that purported to be the driver I needed.
In fact it was. But how could I have checked it out before running the file?
You could either test it in a sandbox (Sandboxie/Comodo Firewall) or inside a virtual machine.
 

Evjl's Rain

What about all those huge gigabyte sized Windows .iso files on torrent sites? I'm sure some of those files are infected with malware.
1/ use your AV's context scanner, make sure you add .iso file to the scan list
2/ download -> update -> scan the file with Kaspersky Virus Removal Tool
3/ more AVs if you want
 

askmark

What about all those huge gigabyte sized Windows .iso files on torrent sites? I'm sure some of those files are infected with malware
1/ use your AV's context scanner, make sure you add .iso file to the scan list
2/ download -> update -> scan the file with Kaspersky Virus Removal Tool
3/ more AVs if you want
I would use WinRAR to extract the contents of the ISO to a folder - your realtime scanner should then pick up any malware when the files are written to disk. Afterwards, use an on-demand scanner like Hitman Pro or Zemana for a second opinion.
 

SHvFl

I would use WinRAR to extract the contents of the ISO to a folder - your realtime scanner should then pick up any malware when the files are written to disk. Afterwards, use an on-demand scanner like Hitman Pro or Zemana for a second opinion.
Or you just download from MSDN and things like that, so you can check the hash of the ISO that MS provides.
 

Vasudev

A simple way is to test the integrity of the setup file using 7-Zip. Just right-click the file > 7-Zip > Test archive. If it is successful, the setup file isn't tampered. Do know that companies include a self-hash feature built into exes to verify integrity, and it's transparent to end users.
 

askmark

A simple way is to test the integrity of the setup file using 7-Zip. Just right-click the file > 7-Zip > Test archive. If it is successful, the setup file isn't tampered. Do know that companies include a self-hash feature built into exes to verify integrity, and it's transparent to end users.
However, this will not prove the content is safe.
 
509322

Ask Fabian Wosar over at Wilders. If anyone will have better ideas on how to handle this specific situation, then it would be him.
 

Myriad

The hash was also fake.

My point exactly!

But in all fairness to the distro referred to, that vulnerability existed for only one day!
They fixed it super-fast, and all credit to them for doing so... it would have taken M$ a month :)

If I have doubts in these download situations, I look for mirror sites that are hosted by well-known universities.
If you poke around in the "parent directory", you can often find a set of checksums, or zipped keys that
originate from those same institutions.

That's what I meant when I said "reliable" checksum.
 
