"Unblock" button missing on some exe's

"Unblock" button missing on some exe's [edit:1806 trick is not consistent!]

Hi all,

I've implemented the "1806" trick plus low intergrity /no execute on my default Downloads folder.

What I noticed is some exe's downloaded from Sysinternals result in the neat "unblock" button option but some don't.

For example, right-clicking a downloaded program such as Process Explorer (procexp.exe) from Live Sysinternals shows an "Unblock" button, but Autoruns.exe doesn't have this button. If I try to execute Autoruns.exe, it fails with the message that the internet settings denies me from opening it.

Why are some exe's missing the "Unblock" button?

Should be added that even if I unblock an executable in my Downloads folder, I'm still denied from opening it. I thought this had to do with the icacls no execute trick that the folder has taken advantage of, so I downloaded the exe file to my Chrome cache folder and tried opening it from there. I get the same "internet setting prevented" etc. message even after the exe is unblocked. I understood the 1806 trick will include all folders so this behavior is partly expected, but I wonder why I can't open the file after it has been unblocked?
Little confused here.

 

...Something weird is going on.
I've just downloaded "psservice.exe" to a folder that is "executable enabled" via SRP and it runs. No error /warning message.

Edit:
If I download "procdump.exe" and run it, it is blocked!! There's an "unblock" button available.

 

More testings:

1) Logged into my wife's account, downloaded *.exe from Sysinternals. Saved it on the Desktop. "Unblock" button is visible.

2) Logged out, logged into my account and downloaded the same *.exe on the Desktop - "Unblock" button is NOT there. But if I click on the exe, I get the "Your internet settings prevented one or more files from being opened", e.g. the typical message you get when 1806 trick has been implemented.

3) Logged out, logged into my wife's account, downloaded same *.exe file and "Unblock" button is gone! (SRP blocks the execute though)

4) Logged into my account, downloaded some other exe and got the "Unblock" button. But unblocking it does not let me open the file, I still get "Your internet settings prevented one or more files from being opened" message. In my wife's case, if the "Unblock" button isn't there or if it's there and I allow the file to execute, SRP blocks it with the typical Group policy warning message.

5) So in my account, whether there is an "Unblock" button or not, I am not allowed to open the file(s) (except when I download it to a permitted (via SRP) folder). From my wife's account, the files are opened if the "Unblock" button was altered. If there is no button, SRP stops the exe.

I'm all confused. Why this arbitrary behavior? It's very inconsistent.

In my wife's and my Internet Settings, file downloads are permitted but executing them is forbidden. Changing the registry dword "1806" to "1" or changing it via Internet Options allows me to run executables. Changing the dword to "3" also changes the setting in Internet Options' -> "Launching applications and unsafe files".

Edit: Found what may be a partial explanation to my "problem" with missing "Unblock" buttons, it has something to do with ADS -http://www.wilderssecurity.com/showpost.php?p=1895739&postcount=9 but that doesn't explain why the button is sometimes there and sometimes not.

 

I've been doing some more experiments and what I've found was :

1) If I download a file to the Desktop, the file won't execute even it's been unblocked.

2) If I download a file to my e.g. Picture / Documents folder, the file will not execute but runs if "unblocked" (but SRP blocks it).

3) If I download to "Music" folder, the file does not run even when unblocked. If same file is downloaded to my security folder (where I keep my security executables), it runs (but SRP blocks it)

4) If I download it to the "Videos" folder, the file will not execute.

Hm.. it seems Microsoft has decided some folders are riskier than others thus are protected by the system.. So far so good.

BUT :


5) If I keep experimenting / downloading various *.exe to various folders/subfolders, other partition and its sub-folders and downloading *.exe's to previously downloaded folders etc ; Windows gets confused and decides some files can be opened and some not! This is where the decisions turn arbitrary.

But, what I've found earlier in my wife's account contradicts this finding (e.g. unblocking a file on the Desktop will allow it to run).

The mystery indeed deepens!

 

I have noticed that the "1806 trick" seems to be applied inconsistently when I download through Dragon Portable. My flash drive is formatted NTFS. Some files show the unblock button and won't execute, while others don't show the unblock button and will execute. Haven't been able to figure out for some time now but have been to busy to pursue it.

On the other hand executables downloaded through installed Chrome behave appropriately.

Running as admin on 64 bit Vista and 7.

 

Interesting.
This sure looks like a bug to me. Microsoft probably think this is some cool feature. For now, I've disabled the 1806 trick due to its inconsistencies and have set the value back to "1".
It will give me a warning message and that's good enough for me.

 

but to put the value back to 1 is not safe when one or more people uses that computer,just think of an extra security blanket

 

For local protection, I agree it adds another layer on top of SRP.
As a defense against drive-by-downloads I find the 1806 + 3 trick little too inconsistent for my taste. It may only add a false sense of security.

 

didn't contribute to the post...

 

Whether or not the open file type is set correctly in the Alternative Data Stream is not depending on buggy microsoft but design team of the browser (Chrome follows IE9 defaults)

Setting the zone to 3 results in setting high level risk file types ro block (in stead of warn), also some setings explained of the attachment manager, read here http://support.microsoft.com/kb/883260

You vary the security setting per zone http://msdn.microsoft.com/en-us/library/ms537183(v=vs.85).aspx

You can also define your own set of high/medium/low file types in the attachement manager (through GPO or Regedit) key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\HighRiskFileTypes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\MediumRiskFileTypes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes


When you unzip a file which is NOT unblocked and it contains executables, you will see this warning http://theether.net/kb/100023

When playing with additional security settings it is best combined with (right click on folder, security tabs, add a deny "traverse folder/execute file" for everyone) through Windows Explorer. When you know the registry/GPO you can make it granular or personalize it. The defaults work fine (at least when you use IE or Chrome).

 

Thanks for the links and explanations.
It's not only the "unblock" button that sometimes isn't present, the thread's title is somewhat misleading. I've edited the title now.

What I don't get is why a certain .exe sometimes triggers the "1806 denied" message and sometimes not. If you read my previous posts you'll see what I mean. This is the part where I call the system buggy.

Edit: looking at the long list of what Microsoft considers "High-Risk file types", I wonder if some of those can be added on the SRP's list of executables?

 

Yeah, same things happen here. FF / IE cannot download any executables but Chrome is allowed to do it. Since I don't use FF or IE as my main browser, I don't see the benefit. I have already blocked execution in my Downloads folder via the icacls trick and probably not related, also on my Appdata/Local/Temp folder. I'm considering denying execution on my Chrome's cache folder also but I'm not sure what the consequence, if any, would be. On the other hand, all executions outside Program Files and Windows are prohibited via my SRP settings so applying the icacls execute deny would probably be fine...

 

Kees, maybe you can answer this. Today I downloaded OTL and rkill through Majorgeeks using Dragon portable. rkill has unblock button and OTL does not. Both are exe files so why the inconsistency?

 

As said it is browser dependant, Chrome does set it correctly, see pic

You know about quality assurance on Comodo programs, so that is my best explanation

 

Try copying a exe out off deny execute, its DAC will be reset to allow. Do the same for cut and paste and you will see it keeps the deny execute. When you use SRP, why not download the Google offline installer, which installs in Program Files. Keeps your policies tidy and transparant.

 

Hi,

I've installed the enterprise version of Chrome.
I haven't played too much with cut-paste etc, but the problem I'm having is, for example, AAA.exe (downloaded via Chrome) to Folder A behaves differently compared to when AAA.exe is downloaded to Folder B. In case of Folder A (just a generic folder) the "Unblock" button is visible. In case of Folder B (also generic folder), the "Unblock button is not there. This is just one example on how inconsistent the system behaves.

 

Look at the high-medium-low executables of http://support.microsoft.com/kb/883260

Now look at the name of those directories and imagine which extensions would fall in that category and apply the rules. You will see the consistency behind it.

Chrome defaults to a download directory and you won't have that issue. Downloading to a fixed folder is much safer as you can right click this folder, choose security tab, click advanced, add a deny "traverse folder/deny execute" for everyone. To apply a double lock on this front door. 1806 will kick in when you copy/move something out of this deny execute box.

Windows uses hardening/security mechanisms from different perspectives. When you mix them, you should know about the priority which they are applied. Not understanding this order may seem like buggy behaviour to you. This complexity can be easily prevented by not mixing more than two features at the same time. Try searching some older posts of Sully. This will clarify things.

 

Hi Kees,

Yes, this part is important :

- High Risk
If the attachment is in the list of high risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file.

- Moderate Risk
If the attachment is in the list of moderate risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file.
Low Risk
- If the attachment is in the list of low risk file types, Windows will not prompt the user before accessing the file, regardless of the file’s zone information.

Of course all above makes sense.

But when the behavior of the _same_ executable is different when it has been downloaded via Chrome and saved at two separate occasions in the _same_ folder, is this not a bug?

I have a fixed Downloads folder, from which execution is denied ( icacls (oi)(ci)(x) ) but the files I've been downloading just to perform the testing, have been saved in other "vanilla" foldes, no extra tweaks.

 

When you like playing with icacls, it is easier to apply a deny execute through right click properties (traverse folder/execte file) for everyone.

 

Yes, I agree. Sometimes GUI is better.
But with ACL's I find the GUI little too complicated to fully grasp, with inheritance and too many options to choose from.

If you're up to it, try experimenting by downloading some exe's from Sysinternals. Save them to e.g. your Desktop. See if Unblock is available on those files. Delete the files. Download them and other files again ~2-3 times and see if the behavior is consistent.

 

An update on my situation:

Dragon installed is applying the ADS correctly while portable is not.

I tried Iron Portable from Portable Apps (not the Iron version) and the ADS is correctly applied. I guess Iron will become my portable of choice from now on.

No more Comodo Dragon 50% ADS bypass syndrome for me.

 

Inconsitent behaviour here: unblock missing! after second download and unblocked, blocked downloads kept consistently blocked. So there seems to be some remembering function (storing of unblocks) Have searched the registry on program name, but could not find an entry.

Nice find

 

Sort of weird huh? I also found that if I delete the browser's cache, the inconsistency, sometimes, disappears.
Also, the SRP settings sometimes triggers faster than IE "no execute" rule. Often though, the SRP warning pops up right after the executable is unblocked. That is, if the unblocked remains unblocked, which is not always the case. :-D

Anyhoo, inconsistency or not I have reverted to "3" in the 1806 settings. Gives me a slightly better protection than without.
Drive-by-downloads are what I fear, not those exes I deliberately download.
(with only "warn" setting, the system behaves very consistently!)

 

It seems this behavior only occurs when you have the box checked to ask what folder to download into.

Set the default download folder to the desktop (or any other folder you noticed this behavior) and uncheck the box to ask where to download. The unblock button will be there every time.

As to why one exe was blocked and the next did not show the block button; file size maybe? Somewhere around 1mb maybe?

 

Going into the basement of your windows OS and or the browser pecularities , before you know you are addicted to exploring the frontieres of the OS