How to check large downloads?

shmu26

Yesterday I needed to update my Realtek sound driver, so I went over to the official Realtek download site, which by the way did not have a secure connection, and from there I downloaded a 200MB, unsigned exe file that purported to be the driver I needed.
In fact it was. But how could I have checked it out before running the file?
 
If they don't provide a hash to confirm that you got a non-corrupted file, there is nothing you can do.

EDIT: Ignore the text below, I thought you meant you were not sure if the file got corrupted.
If the connection is fast, maybe download twice. If the two files' hashes match, then you probably have the correct file.
 
The generally accepted method for large file validation is file hash comparison, but that only works if the file hash is provided at the point of download. And all that tells you is that the downloaded file has not been modified in transit; it doesn't tell you if the file is safe or malicious.

Realtek doesn't provide the file hash if I remember correctly.

You can set some AV scanners to scan large files by manually increasing the maximum file size to be scanned. Doing so is unlikely to yield any meaningful result, since large malicious files are rarely submitted and so signatures are rarely created for them. You might get lucky and get an accurate heuristics detection, but it isn't likely. You're probably more likely to get a false positive.

Large size file validation has always been a problem, but then again, large size malware is quite rare.

You can always decompile the file and manually inspect each line of code. :D
 
That's good to know.

I do remember one notable exception, where tainted ISOs of Linux were planted on a legit download site. Although in that case, you can get the file hash

The hash was also fake. They had access to the website. If you download malware from a legit site, it's basically game over, except if your anti-malware stops it.
 
Large malware size sure is rare, but those who use it to their capability are smart. This is because things known as file pumpers are used to generate random strings of text and inject them in. This is a good and effective way to bypass anti-virus programs due to the fact that they cannot scan such large files. Though, hash comparison is the way to go. Also... go to your previous downloads (Ctrl + J) in Chrome and look at the site.
 
You could either test it in a sandbox (Sandboxie/Comodo Firewall) or inside a virtual machine.
 
What about all those huge gigabyte sized Windows .iso files on torrent sites? I'm sure some of those files are infected with malware.
1/ use your AV's context scanner, make sure you add .iso file to the scan list
2/ download -> update -> scan the file with Kaspersky Virus Removal Tool
3/ more AVs if you want
 
I would use WinRAR to extract the contents of the iso to a folder. Your realtime scanner should then pick up any malware when the files are written to disk. Afterwards, use an on-demand scanner like Hitman Pro or Zemana for a second opinion.
 
Or you just download from MSDN and things like that, so you can check the hash of the iso that MS provides.
 
A simple way is to test the integrity of the setup file using 7-zip. Just right-click the file > 7zip > Test archive. If it is successful, the setup file isn't tampered. Do know that companies include a self-hash feature built into exes to verify integrity, and it's transparent to end users.
 
However this will not prove the content is safe.
 
Ask Fabian Wosar over at Wilders. If anyone will have better ideas on how to handle this specific situation, then it would be him.
 
The hash was also fake.

My point exactly!

But in all fairness to the distro referred to, that vulnerability existed for only one day!
They fixed it super-fast, and all credit to them for doing so... it would have taken M$ a month :)

If I have doubts in these download situations, I look for mirror sites that are hosted by well-known universities.
If you poke around in the "parent directory", you can often find a set of checksums, or zipped keys that originate from those same institutions.

That's what I meant when I said "reliable" checksum.
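
The hash comparison and the "reliable checksum from an independent mirror" idea discussed in this thread can be combined in one check. The following is an added example, not code from any poster in the thread: it hashes a large file in chunks and accepts it only when checksum lists from several independently hosted sources agree. The file name, the source labels and the `required` threshold are assumptions chosen for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file of any size in fixed-size chunks (constant memory)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_checksum_list(text):
    """Parse sha256sum-style lines: '<hex digest>  <name>' or '<hex digest> *<name>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip blanks, comments and non-SHA-256 lines
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries

def verify_against_sources(path, sources, required=2):
    """sources maps a label to checksum-list text obtained from that host.
    ok is True only with `required` matches and no mismatch anywhere."""
    actual = sha256_file(path)
    name = os.path.basename(path)
    results = {}
    for label, text in sources.items():
        expected = parse_checksum_list(text).get(name)
        results[label] = ("missing" if expected is None
                          else "match" if expected == actual else "MISMATCH")
    values = list(results.values())
    ok = values.count("match") >= required and "MISMATCH" not in values
    return ok, actual, results

def demo():
    # Constructed sample: a small stand-in for the downloaded installer.
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "driver_setup.exe")  # hypothetical file name
    with open(path, "wb") as fh:
        fh.write(b"constructed sample payload\n" * 4096)
    good = f"{sha256_file(path)}  driver_setup.exe\n"
    bad = "0" * 64 + " *driver_setup.exe\n"  # one source publishes a different hash
    trusted = verify_against_sources(path, {"vendor": good, "mirror-a": good})
    disputed = verify_against_sources(path, {"vendor": bad, "mirror-a": good})
    return trusted, disputed

if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the independence of the sources: two lists served from the same compromised web server count as one.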