When some files are downloaded from the internet, they are blocked. Some files can still be opened even if they are blocked...
I can see whether a file is blocked by opening the file properties (right-click > properties) and looking at General tab > Security (right under the Attributes section).
See for reference:
What does it mean when a file is blocked? How does a file behave differently in a blocked state versus an unblocked state?
Answer
This is driven by the alternate data streams. Windows flags files as potentially untrusted if they have been downloaded (for example) from the internet zone and will disable execution.
As a side note, Sysinternals provide a free tool called 'streams' (via Microsoft) which allows you to remove (including recursively) all alternate streams from a file / directory.
As a second side-note, the reason Windows does this is because it's a fairly simple way to construct a trojan or virus. There is a brief discussion of this here.
In 2009, the alternate data stream was used by a click fraud Trojan named FFSearcher. It used the stream name “Zone.Identifier” which is a stream name that Microsoft uses to mark executable files downloaded by Internet Explorer. Instead of a simple zone identifier however, the Trojan implanted a DLL file that contained the Trojan’s code.
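An added example, not part of the original answer: a check that the bytes in a file's `Zone.Identifier` stream are really a small `[ZoneTransfer]` marker and not something else, such as the DLL described in the FFSearcher case above. The function names, the 4096-byte limit and the constructed samples are assumptions made for this example, and it reports zones 3 and 4 as untrusted.

```python
import configparser

# Windows URL security zones as stored in the ZoneId key.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
MAX_BYTES = 4096  # assumption: a genuine marker is a few short text lines

def read_zone_stream(path):
    """Return the raw Zone.Identifier stream of `path`, or None (NTFS only)."""
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return fh.read(MAX_BYTES + 1)
    except OSError:
        return None

def classify_zone_stream(data):
    """Return (verdict, detail) for the bytes of a Zone.Identifier stream."""
    if data[:2] == b"MZ":
        return "suspicious", "stream starts with an MZ (PE) header"
    if len(data) > MAX_BYTES:
        return "suspicious", "stream is larger than a zone marker should be"
    try:
        # UTF-16 is accepted only when a byte-order mark announces it.
        enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
        ini = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        ini.read_string(data.decode(enc))
        zone = int(ini.get("ZoneTransfer", "ZoneId"))
    except (UnicodeDecodeError, configparser.Error, ValueError) as exc:
        return "suspicious", "not a valid [ZoneTransfer] marker: " + type(exc).__name__
    if zone not in ZONES:
        return "suspicious", "unknown ZoneId %d" % zone
    # Zones 3 and 4 are the ones this example reports as untrusted.
    return ("untrusted" if zone >= 3 else "trusted"), ZONES[zone]

# Constructed samples: a normal marker and a stream holding binary content.
NORMAL = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
          b"HostUrl=https://example.com/a%20b.exe\r\n")
IMPLANT = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL), ("implant", IMPLANT)):
        print(name, classify_zone_stream(blob))
```

On an NTFS volume, `classify_zone_stream(read_zone_stream(path))` applies the same check to a real file once `read_zone_stream` has returned something other than `None`.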