How to deny file execution using ACL on compressed files?

Discussion in 'other security issues & news' started by Yakuman, Sep 22, 2013.

Thread Status:
Not open for further replies.
  1. Yakuman, Registered Member (Joined: Aug 5, 2008; Posts: 75)

    Thanks to member Windows_Security's deny file execution trick here, I've finally found an alternative to using Parental Controls as an anti-executable. While it's definitely not as powerful, it suits my usage. However, I lately found out it doesn't work on compressed files.

    My desktop folder (C:\Users\[user]\Desktop) and its subfolders are set by ACL to deny file execute for the "Everyone" group. Downloading new executables or even copying existing executable files to my desktop and then trying to execute them will not work as intended. But consider the following:

    1) I downloaded CCleaner portable (ccsetup405.zip) to my desktop
    2) I double-click to open it with 7-zip
    3) I double-click CCleaner64.exe from within 7-zip (C:\Users\[user]\Desktop\ccsetup405.zip\) and it successfully executes. How can this be prevented?

    My guess is ACL only applies to Windows Explorer, not on specific executables like 7-zip. I can set ACL to deny execute on 7-zip itself, but then it won't even load. Is there a way to only deny 7-zip from executing other files?
     
  2. SpousalMilk, Registered Member (Joined: Jun 24, 2012; Posts: 40; Location: USA)

    I just tested it out myself: if you double click on an executable in a 7zip archive, it extracts and runs from C:\Users\[user]\AppData\Local\Temp\[somefolder.tmp]\blah.exe

    Maybe try denying execution from the Temp folder?

    Or you can change the 7zip working folder.

    Tools > Options > Folders > specify a folder on your Desktop and not the System temp folder
     
    Last edited: Sep 22, 2013
  3. Yakuman, Registered Member (Joined: Aug 5, 2008; Posts: 75)

    Thanks for testing. I thought of the possibility of 7-zip (and likely other archivers too) extracting/running from the temp folder, but blocking execution on it is a bad idea because then I wouldn't be able to install new software and even certain existing software uses this folder.

    I also tried changing 7-zip's working folder to something else, but it doesn't work. Others have reported this as a bug: http://sourceforge.net/p/sevenzip/bugs/1289/
     
  4. wat0114, Registered Member (Joined: Aug 5, 2012; Posts: 1,983; Location: Canada)

    Too bad about the 7Zip bug, because SpousalMilk's suggestion does work on WinRar. It lets me choose a different folder for temp files, so I just tried Downloads, and the executables within the archives are blocked from launching. Thanks!
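
The thread's finding is that an archiver extracts to its working folder and launches the file from there, so the deny-execute ACE only helps if that folder carries it too. As an added example (not part of the original thread), this PowerShell script reports which folders have a deny-execute ACE for Everyone that inherits to files; the function name `Test-DenyExecute` and the folder list are assumptions.

```powershell
# Added example: audit folders for a "deny execute for Everyone" ACE that applies to files.
# Test-DenyExecute is a hypothetical helper name; the folder list below is an assumption.

function Test-DenyExecute {
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $Path

    # Ask for identities as SIDs so the check does not depend on the
    # localized display name of the Everyone group (well-known SID S-1-1-0).
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $isDeny     = $rule.AccessControlType -eq 'Deny'
        $isEveryone = $rule.IdentityReference.Value -eq 'S-1-1-0'
        $hasExecute = $rule.FileSystemRights.HasFlag(
            [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
        # Only an ACE flagged ObjectInherit is passed on to files created in the folder.
        $toFiles    = $rule.InheritanceFlags.HasFlag(
            [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)

        if ($isDeny -and $isEveryone -and $hasExecute -and $toFiles) { return $true }
    }
    return $false
}

# Folders discussed in the thread: the protected Desktop, the Downloads folder
# used as an archiver working folder, and the default Temp extraction location.
$folders = [ordered]@{
    'Desktop'   = [Environment]::GetFolderPath('Desktop')
    'Downloads' = Join-Path $env:USERPROFILE 'Downloads'
    'Temp'      = $env:TEMP
}

foreach ($name in $folders.Keys) {
    $path = $folders[$name]
    if (-not (Test-Path -LiteralPath $path)) { continue }
    [pscustomobject]@{
        Folder                 = $name
        Path                   = $path
        DenyExecuteForEveryone = Test-DenyExecute -Path $path
    }
}
```

The script only reads each folder's own ACL; it does not change permissions and does not inspect files or subfolders that already exist inside it.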
     