blocked downloaded files, is it better to disable it?

Discussion in 'other software & services' started by mantra, Jan 3, 2017.

  1. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,595
    hi
    i have never changed the registry settings or the Group Policy

    but sometimes i think it would be better, because i guess my MFT zone information is full of these entries for every file i download from the net: pictures, pdf and exe

    i don't know if i can clean them, i mean these entries

    may i ask you, did you disable it?

    i read here how to disable it: http://winaero.com/blog/disable-downloaded-files-from-being-blocked-in-windows-10/

    if i disable it via the registry or Group Policy, will my MFT zone information be cleaned, or at least not grow?

    and is there software that can search for files with the "blocked Tag"?
    thanks
     
    Last edited: Jan 3, 2017
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    18,908
    The zone information in the data stream of your current files will not be removed after disabling this setting.
    Only new files will be affected and they don't receive the zone information after you enable: "Do not preserve zone information in file attachments"
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    18,908
  4. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,595
    hi
    thanks, is it not dangerous?
    deleting them?
    does for example AlternateStreamView 1.51 delete these entries in the MFT of my operating system, or of my hard disk with only data? i searched E:, which is my hard disk with only data

    thanks
     
    Last edited: Jan 3, 2017
  5. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,595
    hi
    in short, if i change the settings via the registry and Group Policy, only the files i download after "adding SaveZoneInformation=1" won't enter the MFT zone information, right?
    thanks
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    18,908
    If you enable the option: "Do not preserve zone information in file attachments", (or "adding SaveZoneInformation=1") the zone information is not appended to downloaded files
    = No Prompt: "Are you sure you want to run this software?". And you don't have to unblock the file.
    Old files are not affected, but you can use utilities to delete the zone information (alternate data stream)
    It's not dangerous to delete zone information (:Zone.Identifier:$DATA), but you don't "have to" delete it.
    Only if you want to get rid of the prompt: "Are you sure you want to run this software?"

    You can have the same effect if you untick the option: "Always ask before opening this file", this removes the zone information too (but only for this specific file)
    If you want to remove it for hundreds of executables, it's better to use a tool for this (instead of unticking the option: "Always ask before opening this file" hundreds of times) ;)

    But if the zone information is not appended to executables, SmartScreen isn't checking them anymore.
     
  7. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I've been using AlternateStreamView from Nirsoft for a while now on my W7... had no dramas cleaning stuff through this app... but yeah, it ain't W10!

    You might want to run one of those tools, reboot, then change the Group Policy setting <--- if you want to muck around with this. Just seems like the logical approach, remove existing streams, reboot then change the setting.
     
  8. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,595
    hi
    thanks guys
    but is the zone information in the MFT?
    if i clean the :Zone.Identifier:$DATA of the hard disk with only data, does it clean the MFT of my windows 10 or 7 too?
    thanks
     
  9. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    It only cleans what you allow it to clean...

    Typically, C drive is the OS partition. So if you scan for ADS on C, and something pops up, you are cleaning the Zone Information from the files you select to clean. The same thing would apply to any other drive you have, whether partitioned internally or attached externally.

    I doubt ADS has anything to do with MFT, I am not an expert so don't take my word as gold on this... the MFT is a layout of your files, doubt it documents anything about ADS.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    18,908
    Basically ADS are hidden files attached to visible ones. It's a feature of the NTFS file system.

    To "see" the zone information from a downloaded file, simply append ":Zone.Identifier"
    "notepad downloaded_file.exe:Zone.Identifier"
    (Malware can use ADS to hide scripts, executables, etc.)

    The filename of the ADS is "Zone.Identifier" with a size of 26 bytes.
    I used Winhex to view a downloaded file and the ADS can be seen. One additional cluster (8393) is associated with it:
    [Attached image: Winhex_Alternate_Data_Stream.png]
    If the downloaded file is "unblocked" the ADS "Zone.Identifier" is gone.
    The NTFS file system is responsible for the ADS, not the MFT. If you copy a file to a FAT32-file system, the ADS is gone.
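
The search asked about earlier in the thread (finding files that carry the "blocked" tag, i.e. a Zone.Identifier stream), sketched in PowerShell as an added example that is not part of any post here. The function name Get-ZoneTaggedFile and the E:\ path are assumptions for illustration; the scan only reports and changes nothing.

```powershell
# Added example: inventory files that carry a Zone.Identifier alternate data stream.
# Works on NTFS volumes only; needs PowerShell 3.0+ for the -Stream parameter.
function Get-ZoneTaggedFile {
    param(
        [Parameter(Mandatory)] [string] $Path   # folder or drive to scan (assumed value below)
    )

    # URL security zones as stored in the ZoneId= line of the stream.
    $zoneNames = @{
        0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
        3 = 'Internet';      4 = 'Restricted sites'
    }

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Returns nothing (and we skip the file) when the stream is absent.
            $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                               -ErrorAction SilentlyContinue
            if (-not $stream) { return }

            # The stream is a small INI-style text: [ZoneTransfer] / ZoneId=<n>
            $zoneId = $null
            $text = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                                -ErrorAction SilentlyContinue
            foreach ($line in $text) {
                if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1]; break }
            }

            $zone = 'Unknown'
            if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zone = $zoneNames[$zoneId] }

            [pscustomobject]@{
                File        = $file.FullName
                StreamBytes = $stream.Length   # size of the Zone.Identifier stream itself
                ZoneId      = $zoneId
                Zone        = $zone
            }
        }
}

# Report only, nothing is modified:
#   Get-ZoneTaggedFile -Path 'E:\' | Where-Object ZoneId -eq 3 | Format-Table -AutoSize
# Clearing the tag on a single reviewed file is what the built-in cmdlet does:
#   Unblock-File -LiteralPath 'E:\path\to\file.exe'
```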
     
  11. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,595
    Mood great find!
    do or did you clean blocked files with some tools? do you think it's safe?
    i will avoid cleaning the operating system files ...
    thanks MOOD!
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    18,908
    It's safe to clean it, but i don't do it myself. I leave it the way it is.
     
  13. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Damn, just uninstalled my Hex Editor... oh well!
     