Can an incorrect program size indicate malware?

4

Example File Sizes from "Programs and Features":

[Screenshot: Programs and Features list]

Windows is reporting vastly incorrect file sizes. In the example given, Python 3.4.1 is listed as taking 30 GB of space. This isn't the only program on this machine that should be very small (under 100 MB) and is listed as at least 30 GB.

Could this indicate something else on my computer disguising itself as such a program that MalwareBytes and my anti-virus do not pick up (or have taken care of but have not cleaned up after)?

There is no slowness or indication of any problem related to malware or any such thing. I originally attributed this as a quirk of Windows 10, as it hadn't been noticed before then. It hasn't changed throughout Windows 10 updates, so I'm considering otherwise.

If it is something bad or the remnants of such a thing, is there any way to determine where that data is that Windows is looking at so it can be removed? If not, is this a common issue that has a solution so that Windows reports the correct sizes?

adisib

Posted 2016-03-07T20:42:21.917

Reputation: 43

Traditionally rootkits sit under the API in the kernel, and routinely present fake information to the API in order to hide traces of the malware's resources and activities. That said, I would hardly call this smoking-gun evidence. I'd perform checks with chkdsk and sfc, and a full malware scan with a decent AV platform. – Frank Thomas – 2016-03-07T20:52:17.883

Someone else has this problem: Wrong installation date and size in Programs and Features – DavidPostill – 2016-03-07T20:55:37.603

What you describe isn't new. The size reported on this screen shouldn't be trusted, but it is not an indication of malware. – Ramhound – 2016-03-07T22:25:54.957

Answers

1

Probably not.

The Size column isn't actually a total of any file sizes. As of Windows 7, the value that appears there is always supplied by the installer at install time. If no value is specified by the program, the column is left blank. Even if malware added a boatload of files to those programs' installation folders, the reported size in that window wouldn't increase at all. The only possible reason for the value to change would be that something intentionally updated the program's uninstall registration, and I doubt malware would do that.

The most likely cause is that those programs simply provided an incorrect value for their estimated size. Either that, or the Windows 10 upgrade did strange things to the registration.

For the curious, you can find uninstall registration in the Registry here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Each program's subkey can contain a value called EstimatedSize, which is the reported size in kilobytes.

Historical note: Before Windows 7, in the absence of the EstimatedSize entry, Windows would crawl around your disk to guess how big the program is.

Ben N

Posted 2016-03-07T20:42:21.917

Reputation: 32 973
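To check the registration described in the answer above, the following PowerShell script (an added example, not part of the original answer) reads each program's EstimatedSize and compares it with the actual size of its install folder. The WOW6432Node and HKCU paths, the use of the InstallLocation value, and the 10x mismatch threshold are assumptions of this example and do not come from the answer.

```powershell
# Added example: flag uninstall registrations whose EstimatedSize (in KB)
# is far larger than what is actually on disk under InstallLocation.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',              # path given in the answer
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # assumption: 32-bit view on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'               # assumption: per-user installs
)

function Get-FolderSizeKB {
    param([string]$Path)
    # Many installers leave InstallLocation empty or stale; report "unknown" as $null.
    if ([string]::IsNullOrWhiteSpace($Path) -or
        -not (Test-Path -LiteralPath $Path -PathType Container)) { return $null }
    $bytes = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    if ($null -eq $bytes) { return 0 }
    [math]::Round($bytes / 1KB)
}

$report = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p.EstimatedSize) { continue }   # Size column is blank for these entries
        $onDiskKB = Get-FolderSizeKB ($p.InstallLocation -replace '"', '')
        [pscustomobject]@{
            DisplayName = $p.DisplayName
            EstimatedMB = [math]::Round($p.EstimatedSize / 1KB, 1)   # KB -> MB
            OnDiskMB    = if ($null -ne $onDiskKB) { [math]::Round($onDiskKB / 1KB, 1) } else { $null }
            RegistryKey = $key.Name
        }
    }
}

# Threshold (assumption): registered size more than 10x the measured folder size.
$report |
    Where-Object { $null -ne $_.OnDiskMB -and $_.EstimatedMB -gt 10 * [math]::Max($_.OnDiskMB, 1) } |
    Sort-Object EstimatedMB -Descending |
    Format-Table -AutoSize
```

The script only reads the registry and the file system. The RegistryKey column shows which subkey holds the value that Programs and Features displays for each flagged entry.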