Blocking execution of downloads [registry tweak]

Discussion in 'other security issues & news' started by Kees1958, Dec 24, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I would like some experienced Wilders members to check on this tweak. I have it running on XP Pro. Could others try it on XP and Vista, Windows 7?

    I have backtracked the registry changes made by Group Policy. Sully has told me he would have a look at it; when this works correctly he might implement it in PGS.


    Intended for whom?
    People using Chrome and FireFox as their primary browser (not IE8. Note: Windows Update still works, but this tweak does not let you download executables with IE8; FF and Chrome/Iron will allow downloads though.)


    What does it do?
    Downloaded items from the internet zone are blocked for execution, see
    https://www.wilderssecurity.com/showpost.php?p=1593695&postcount=18


    It allows users to remove this block with right click on download, see
    https://www.wilderssecurity.com/showpost.php?p=1593698&postcount=19


    These are the tweaks (so it will also run on XP, hopefully Vista and Windows 7):
    *** Disabling programs to be downloaded with IE (not with FF and Chrome/Iron)
    *** Disabling downloads/attachments to be run when having internet zone block
    *** Setting default risk level to high

    Toggle to KEY
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    add a REG_DWORD, rename it to 1806 and give it a hexadecimal value 3, it should show
    1806 REG_DWORD 0x00000003 (3)


    EDIT: only the above TWEAK is needed (in blue, thanks to Jmonge's testing).


    Note
    Only tested on XP Pro, so please make a registry backup before trying. I have also set it to scan attachments with my AV (this is the setting ScanWithAntiVirus). This to keep the AV sleeping until wakened by my OS (and reducing AV overhead to near zero; my AV runs in real time, but everything is disabled).

    Thanks Kees
     
    Last edited: Dec 26, 2009
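    Added example (not code from the thread or from any poster): a Python model of the check the tweak relies on. A downloaded file carries a Zone.Identifier alternate data stream, Attachment Manager reads its ZoneId and consults the 1806 value ("Launching applications and unsafe files") under the matching ...\Internet Settings\Zones\<ZoneId> key; the registry view here is a constructed dict, not a live read, and the sample stream is constructed.

```python
"""Model of Zone.Identifier + the per-zone 1806 setting (added example;
the registry view below is a constructed dict, not a real registry read)."""
import configparser

# Zone numbers used for the ...\Internet Settings\Zones\<n> subkeys
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
# Meaning of the 1806 REG_DWORD: 0 = enable, 1 = prompt, 3 = disable
ACTION_1806 = {0: "allow", 1: "prompt", 3: "block"}

# Constructed stand-in for the Policies\...\Internet Settings\Zones keys:
# only zone 3 (Internet) carries the thread's tweak, 1806 = 3.
POLICY_ZONES = {3: {"1806": 3}}


def parse_zone_identifier(stream_text):
    """Return the ZoneId from a Zone.Identifier stream, or None when the
    stream is missing or malformed (i.e. no mark-of-the-web on the file)."""
    if stream_text is None:
        return None
    # The stream is INI-like; "=" only, since ReferrerUrl/HostUrl contain ":"
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(stream_text)
        return int(cp["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None


def launch_decision(stream_text, zones=POLICY_ZONES):
    """Decide whether a file with this Zone.Identifier may be launched.
    A zone without an explicit 1806 value is treated as 1 (prompt), which
    is what jmonge reports finding before changing it to 3."""
    zone_id = parse_zone_identifier(stream_text)
    if zone_id is None:
        return "allow"          # no zone info: Attachment Manager stays out
    setting = zones.get(zone_id, {}).get("1806", 1)
    return ACTION_1806.get(setting, "block")   # unknown value: fail closed


def unblock(stream_text):
    """Model the Properties > Unblock button: the stream is deleted, so the
    file is afterwards launched like a local one."""
    return None


if __name__ == "__main__":
    sample = "[ZoneTransfer]\r\nZoneId=3\r\n"   # constructed sample stream
    print(ZONE_NAMES[parse_zone_identifier(sample)], launch_decision(sample))
    print("after unblock:", launch_decision(unblock(sample)))
```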
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    @Kees1958 - yeah sure, I'll have a look this evening.

    You can pretty much tweak until you have a system working the way you want it. IT guys that manage a company's servers and workstations, I've found, are usually maestros.
    Apart from managing your account, the only other thing my bank's lobby computer will let you do is minimize IE.

    A good place to look and get information about settings, policy, is Microsoft Help and Support and MSDN.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I tested it with my XP2 Home Edition and it works fine using Internet Explorer 6 :D It works :)

    Toggle to KEY
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    add a REG_DWORD, rename it to 1806 and give it a hexadecimal value 3, it should show
    1806 REG_DWORD 0x00000003 (3)

    Very simple, I just modified the line and changed it to 3 instead of 1 and it works like anti-execute :) from the browser.

    it displayed a small yellow alert that my current security settings do not allow this file to be downloaded :)
     
    Last edited: Dec 24, 2009
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    JMonge,

    That is the idea. When you download it (with FireFox and Chrome - they also set the internet zone ADS meta data), you can unlock the block by right clicking the downloaded file and remove the block.

    So it works out of the box with just that one registry tweak on XP. Great, and thanks for testing. I had added the other settings to make sure you were not locked out. They are the defaults, so it seems, so they can be omitted.


    Regards Kees
     
    Last edited: Dec 24, 2009
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, thanks, but I have a Dutch XP Pro.

    Problem: it is easier for me to read the English text than the Dutch. The translation sometimes just does not make sense and then it is easier to read the original US text. Also the US to Dutch translation is difficult to understand in Dutch :cautious: So getting clear what refers to what is quite a challenge.

    I have found at least two Group Policy settings which were translated (from English to Dutch) where the explanation was wrong (instead of de-activating, you had to activate it to get it working; probably the troublesome negative question with a double denial in the explanation, which I interpreted as a positive. It has a positive negative: Yes I do not want that :D).
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Try downloading it with another browser (e.g. Iron), then right click the file (properties, general tab) and remove the block, see picture
     


  7. Fuzzydice45

    Fuzzydice45 Registered Member

    Joined:
    May 13, 2009
    Posts:
    108
    Location:
    Australia
    It works on XP SP3 using chrome, but the key was located at:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

    Blocked the .exe from executing, went to properties and clicked the unblock button and apply, .exe was allowed to run.

    Thanks!
    :D
     
    Last edited: Dec 24, 2009
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Kees, the experiment is all fine. Now I will try the Iron browser. By the way, merry Christmas Kees and all my friends at the forum ;) :thumb: :thumb:
     
  9. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I'm not seeing the option to unlock the block in file properties. Is this for Pro versions only?
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    It is for the Pro only, cause I don't see it in the Home Edition :D
     
  11. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Ah, then the next tweak should be to enable that in Home Edition. I mostly run Firefox and was looking forward to the file unblock on downloads. Works great for blocking the download of files in IE8 though.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Found and modified the key in Win 7 at:
    After setting the above and killing/restarting explorer I tried to download a coupla exes but the downloads seem to be auto-cancelled?

    I then tried to download a sample posted over at MBAM's forum which is a rar file and it downloaded ok.

    FF running Sandboxed.

    Down.JPG
     
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    On further testing I ran FF unsandboxed and the download is cancelled but I am still getting a zero byte file downloaded to desktop.

    Properties.JPG
     
  14. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Code:
    Toggle to KEY
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    add a REG_DWORD, rename it to HideZoneInfoOnProperties and give it a hexadecimal value 0, it should show
    HideZoneInfoOnProperties REG_DWORD 0x00000000 (0)
    This is the key that adds the "Unblock" button.
    Well, at least it did once, lol. Now it doesn't show up anymore.
     
    Last edited: Dec 25, 2009
  15. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Are these supposed to be added to the "Attachments" key, and are they even needed?

    Nevermind, here's the total package info on it. http://support.microsoft.com/kb/883260
    Using the info in the link posted, this works well for Win XP SP 3 and IE8. It does nothing for Firefox.
     
    Last edited: Dec 25, 2009
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    thanks greg:)
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @Greg,

    Yes, these entries should make sure you will get the unblock option:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    add a REG_DWORD, rename it to HideZoneInfoOnProperties and give it a hexadecimal value 0, it should show
    HideZoneInfoOnProperties REG_DWORD 0x00000000 (0)

    add a REG_DWORD, rename it to SaveZoneInformation and give it a hexadecimal value 2, it should show
    SaveZoneInformation REG_DWORD 0x00000002 (2)

    add a REG_DWORD, rename it to UseTrustedHandlers and give it a hexadecimal value 1, it should show
    UseTrustedHandlers REG_DWORD 0x00000001 (1)


    I know XP Pro and Vista Home Premium have this option, so Windows 7 should have it also. It seems that only the XP Home users can't work with it. Maybe when downloading FAJOXPSE this will give you the option.

    After you have unlocked it, the unblock will not show anymore.


    @Franklin,

    I knew FF would set the alternate data stream metadata bit. I did not know it would behave the same as Internet Explorer. Seems that this trick works best with Chrome (you have a sandbox, can download executables, but have to explicitly allow execution ==> no drive-by infection through ACL registry tweak). Anyway thanks for testing, happy Christmas and keep up the good work for MBAM.
     
  18. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I have a modified home edition. This tweak does work and with the Unblock button but it's limited to IE. Doesn't seem to affect Firefox. I kinda wish it did or could work with Firefox.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I can download files with Iron. I like Chrome/Iron over FF. It is so well designed (sandbox and all). So maybe when plug-ins become available you could switch to Iron or something similar (for downloading).
     
  20. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    hi Kees,

    Is it possible to add the Unblock option in the right-click context menu, in W7?

    Also, another thing I noticed is that a downloaded zip or rar file is blocked, but after extraction, the files within the archive are not blocked. Any workaround for this? Or am I doing something wrong?

    Thanks & Cheers.
     
    Last edited: Jan 2, 2010
  21. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    It appears that it does work with Firefox. I'm just not using the versions that it works in. I'm still using an ancient version of Firefox. I think I read somewhere that the ADS wasn't written to downloaded files until version 3.0. Anyway, it's a nice addition to IE8.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ad 1
    Nope, even with the GPO policies of mime sniffing and filtering and adding zone info to the downloads, denying packed digital content in webpages, I have the same issue.

    ad 2
    Well, it already is, through the properties. Wait a sec, I will download something and add the pictures.
     
  23. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    Hey Kees,

    Any update as to how to add a direct "unblock" option in the right-click context menu, instead of having to go to Properties and then unblock?

    Cheers.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have a look at https://www.wilderssecurity.com/showthread.php?t=262475. This is all tested with some easy reg files to switch it OFF and ON.

    As for your question: sorry, I do not know how to do this.
     