Bug #7346
openeve/fileinfo: sha256 should not be logged on incomplete file
Description
fileinfo contains the sha256 even if the file is incomplete. This leads to confusion as incorrect values are used.
sha1 and md5 are not exhibiting this behavior so fixing sha256 seems the way to go.
Updated by Philippe Antoine 4 days ago
not sure, I vaguely remember someone showing some benefit for the current behavior...
Updated by Victor Julien 4 days ago
If we stored a file, it will be stored with the partial hash as the file name. So it should be logging that file name then for sure. Not sure about the non-file-store case. @Jason Ish ?
Updated by Victor Julien 4 days ago
- Subject changed from sha256 should not be logged on incomplete file to eve/fileinfo: sha256 should not be logged on incomplete file
Updated by Jason Ish 4 days ago
As these files are saved with file extraction, even when truncated, using the sha256 as the filename, we should still log the sha256 in the fileinfo record, so the fileinfo record can be associated with the file to disk.
I believe that is the intention, and why the sha256 is unconditionally logged. Code lacks a good comment around why we always log the sha256 though.
Truncated files can still be useful for further analysis was the argument I believe.
Updated by Eric Leblond 4 days ago ยท Edited
I think we can close this. Getting file even truncated for analysis is interesting.
Sorry for the noise.