"Unblock" button missing on some exe's

Discussion in 'other anti-malware software' started by new2security, Sep 6, 2012.

Thread Status:
Not open for further replies.
  1. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    "Unblock" button missing on some exe's [edit:1806 trick is not consistent!]

    Hi all,

    I've implemented the "1806" trick plus low intergrity /no execute on my default Downloads folder.

    What I noticed is some exe's downloaded from Sysinternals result in the neat "unblock" button option but some don't.

    For example, right-clicking a downloaded program such as Process Explorer (procexp.exe) from Live Sysinternals shows an "Unblock" button, but Autoruns.exe doesn't have this button. If I try to execute Autoruns.exe, it fails with the message that the internet settings denies me from opening it.

    Why are some exe's missing the "Unblock" button?

    Should be added that even if I unblock an executable in my Downloads folder, I'm still denied from opening it. I thought this had to do with the icacls no execute trick that the folder has taken advantage of, so I downloaded the exe file to my Chrome cache folder and tried opening it from there. I get the same "internet setting prevented" etc. message even after the exe is unblocked. I understood the 1806 trick will include all folders so this behavior is partly expected, but I wonder why I can't open the file after it has been unblocked?
    Little confused here. :)
     
    Last edited: Sep 8, 2012
  2. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    ...Something weird is going on.
    I've just downloaded "psservice.exe" to a folder that is "executable enabled" via SRP and it runs. No error /warning message.

    Edit:
    If I download "procdump.exe" and run it, it is blocked!! There's an "unblock" button available.
     
  3. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    More testings:

    1) Logged into my wife's account, downloaded *.exe from Sysinternals. Saved it on the Desktop. "Unblock" button is visible.

    2) Logged out, logged into my account and downloaded the same *.exe on the Desktop - "Unblock" button is NOT there. But if I click on the exe, I get the "Your internet settings prevented one or more files from being opened", e.g. the typical message you get when 1806 trick has been implemented.

    3) Logged out, logged into my wife's account, downloaded same *.exe file and "Unblock" button is gone! (SRP blocks the execute though)

    4) Logged into my account, downloaded some other exe and got the "Unblock" button. But unblocking it does not let me open the file, I still get "Your internet settings prevented one or more files from being opened" message. In my wife's case, if the "Unblock" button isn't there or if it's there and I allow the file to execute, SRP blocks it with the typical Group policy warning message.

    5) So in my account, whether there is an "Unblock" button or not, I am not allowed to open the file(s) (except when I download it to a permitted (via SRP) folder). From my wife's account, the files are opened if the "Unblock" button was altered. If there is no button, SRP stops the exe.

    I'm all confused. Why this arbitrary behavior? It's very inconsistent.

    In my wife's and my Internet Settings, file downloads are permitted but executing them is forbidden. Changing the registry dword "1806" to "1" or changing it via Internet Options allows me to run executables. Changing the dword to "3" also changes the setting in Internet Options' -> "Launching applications and unsafe files".

    Edit: Found what may be a partial explanation to my "problem" with missing "Unblock" buttons, it has something to do with ADS -http://www.wilderssecurity.com/showpost.php?p=1895739&postcount=9 but that doesn't explain why the button is sometimes there and sometimes not. :)
     
    Last edited: Sep 6, 2012
  4. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    I've been doing some more experiments and what I've found was :

    1) If I download a file to the Desktop, the file won't execute even it's been unblocked.

    2) If I download a file to my e.g. Picture / Documents folder, the file will not execute but runs if "unblocked" (but SRP blocks it).

    3) If I download to "Music" folder, the file does not run even when unblocked. If same file is downloaded to my security folder (where I keep my security executables), it runs (but SRP blocks it)

    4) If I download it to the "Videos" folder, the file will not execute.

    Hm.. it seems Microsoft has decided some folders are riskier than others thus are protected by the system.. So far so good.

    BUT :


    5) If I keep experimenting / downloading various *.exe to various folders/subfolders, other partition and its sub-folders and downloading *.exe's to previously downloaded folders etc ; Windows gets confused and decides some files can be opened and some not! This is where the decisions turn arbitrary.

    But, what I've found earlier in my wife's account contradicts this finding (e.g. unblocking a file on the Desktop will allow it to run).

    The mystery indeed deepens!
     
  5. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    526
    Location:
    USA
    I have noticed that the "1806 trick" seems to be applied inconsistently when I download through Dragon Portable. My flash drive is formatted NTFS. Some files show the unblock button and won't execute, while others don't show the unblock button and will execute. Haven't been able to figure out for some time now but have been to busy to pursue it.

    On the other hand executables downloaded through installed Chrome behave appropriately.

    Running as admin on 64 bit Vista and 7.
     
  6. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492

    Interesting.
    This sure looks like a bug to me. Microsoft probably think this is some cool feature. For now, I've disabled the 1806 trick due to its inconsistencies and have set the value back to "1".
    It will give me a warning message and that's good enough for me.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    but to put the value back to 1 is not safe when one or more people uses that computer,just think of an extra security blanket:)
     
  8. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    For local protection, I agree it adds another layer on top of SRP.
    As a defense against drive-by-downloads I find the 1806 + 3 trick little too inconsistent for my taste. It may only add a false sense of security.
     
  9. DX2

    DX2 Guest

    didn't contribute to the post...
     
    Last edited by a moderator: Sep 8, 2012
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Whether or not the open file type is set correctly in the Alternative Data Stream is not depending on buggy microsoft but design team of the browser (Chrome follows IE9 defaults)

    Setting the zone to 3 results in setting high level risk file types ro block (in stead of warn), also some setings explained of the attachment manager, read here http://support.microsoft.com/kb/883260

    You vary the security setting per zone http://msdn.microsoft.com/en-us/library/ms537183(v=vs.85).aspx

    You can also define your own set of high/medium/low file types in the attachement manager (through GPO or Regedit) key
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\HighRiskFileTypes
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\MediumRiskFileTypes
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes


    When you unzip a file which is NOT unblocked and it contains executables, you will see this warning http://theether.net/kb/100023

    When playing with additional security settings it is best combined with (right click on folder, security tabs, add a deny "traverse folder/execute file" for everyone) through Windows Explorer. When you know the registry/GPO you can make it granular or personalize it. The defaults work fine (at least when you use IE or Chrome).
     
    Last edited: Sep 8, 2012
  11. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492

    Thanks for the links and explanations.
    It's not only the "unblock" button that sometimes isn't present, the thread's title is somewhat misleading. I've edited the title now.

    What I don't get is why a certain .exe sometimes triggers the "1806 denied" message and sometimes not. If you read my previous posts you'll see what I mean. This is the part where I call the system buggy.

    Edit: looking at the long list of what Microsoft considers "High-Risk file types", I wonder if some of those can be added on the SRP's list of executables?
     
    Last edited: Sep 8, 2012
  12. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Yeah, same things happen here. FF / IE cannot download any executables but Chrome is allowed to do it. Since I don't use FF or IE as my main browser, I don't see the benefit. :) I have already blocked execution in my Downloads folder via the icacls trick and probably not related, also on my Appdata/Local/Temp folder. I'm considering denying execution on my Chrome's cache folder also but I'm not sure what the consequence, if any, would be. On the other hand, all executions outside Program Files and Windows are prohibited via my SRP settings so applying the icacls execute deny would probably be fine...
     
  13. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    526
    Location:
    USA
    Kees, maybe you can answer this. Today I downloaded OTL and rkill through Majorgeeks using Dragon portable. rkill has unblock button and OTL does not. Both are exe files so why the inconsistency?
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    As said it is browser dependant, Chrome does set it correctly, see pic

    You know about quality assurance on Comodo programs, so that is my best explanation :D
     

    Attached Files:

    Last edited: Sep 8, 2012
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Try copying a exe out off deny execute, its DAC will be reset to allow. Do the same for cut and paste and you will see it keeps the deny execute. When you use SRP, why not download the Google offline installer, which installs in Program Files. Keeps your policies tidy and transparant.
     
  16. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Hi,

    I've installed the enterprise version of Chrome.
    I haven't played too much with cut-paste etc, but the problem I'm having is, for example, AAA.exe (downloaded via Chrome) to Folder A behaves differently compared to when AAA.exe is downloaded to Folder B. In case of Folder A (just a generic folder) the "Unblock" button is visible. In case of Folder B (also generic folder), the "Unblock button is not there. This is just one example on how inconsistent the system behaves.
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Look at the high-medium-low executables of http://support.microsoft.com/kb/883260

    Now look at the name of those directories and imagine which extensions would fall in that category and apply the rules. You will see the consistency behind it.

    Chrome defaults to a download directory and you won't have that issue. Downloading to a fixed folder is much safer as you can right click this folder, choose security tab, click advanced, add a deny "traverse folder/deny execute" for everyone. To apply a double lock on this front door. 1806 will kick in when you copy/move something out of this deny execute box.

    Windows uses hardening/security mechanisms from different perspectives. When you mix them, you should know about the priority which they are applied. Not understanding this order may seem like buggy behaviour to you. This complexity can be easily prevented by not mixing more than two features at the same time. Try searching some older posts of Sully. This will clarify things.
     
    Last edited: Sep 8, 2012
  18. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Hi Kees,

    Yes, this part is important :

    - High Risk
    If the attachment is in the list of high risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file.

    - Moderate Risk
    If the attachment is in the list of moderate risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file.
    Low Risk
    - If the attachment is in the list of low risk file types, Windows will not prompt the user before accessing the file, regardless of the file’s zone information.

    Of course all above makes sense.

    But when the behavior of the _same_ executable is different when it has been downloaded via Chrome and saved at two separate occasions in the _same_ folder, is this not a bug?

    I have a fixed Downloads folder, from which execution is denied ( icacls (oi)(ci)(x) ) but the files I've been downloading just to perform the testing, have been saved in other "vanilla" foldes, no extra tweaks.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When you like playing with icacls, it is easier to apply a deny execute through right click properties (traverse folder/execte file) for everyone.
     
  20. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Yes, I agree. Sometimes GUI is better. :)
    But with ACL's I find the GUI little too complicated to fully grasp, with inheritance and too many options to choose from.

    If you're up to it, try experimenting by downloading some exe's from Sysinternals. Save them to e.g. your Desktop. See if Unblock is available on those files. Delete the files. Download them and other files again ~2-3 times and see if the behavior is consistent.
     
  21. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    526
    Location:
    USA
    An update on my situation:

    Dragon installed is applying the ADS correctly while portable is not.

    I tried Iron Portable from Portable Apps (not the Iron version) and the ADS is correctly applied. I guess Iron will become my portable of choice from now on.

    No more Comodo Dragon 50% ADS bypass syndrome for me.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Inconsitent behaviour here: unblock missing! after second download and unblocked, blocked downloads kept consistently blocked. So there seems to be some remembering function (storing of unblocks)o_O Have searched the registry on program name, but could not find an entry.

    Nice find
     
    Last edited: Sep 9, 2012
  23. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Sort of weird huh? I also found that if I delete the browser's cache, the inconsistency, sometimes, disappears.
    Also, the SRP settings sometimes triggers faster than IE "no execute" rule. Often though, the SRP warning pops up right after the executable is unblocked. That is, if the unblocked remains unblocked, which is not always the case. :-D

    Anyhoo, inconsistency or not I have reverted to "3" in the 1806 settings. Gives me a slightly better protection than without.
    Drive-by-downloads are what I fear, not those exes I deliberately download.
    (with only "warn" setting, the system behaves very consistently!)
     
  24. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    526
    Location:
    USA
    It seems this behavior only occurs when you have the box checked to ask what folder to download into.

    Set the default download folder to the desktop (or any other folder you noticed this behavior) and uncheck the box to ask where to download. The unblock button will be there every time.

    As to why one exe was blocked and the next did not show the block button; file size maybe? Somewhere around 1mb maybe?
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Going into the basement of your windows OS and or the browser pecularities:thumb: , before you know you are addicted to exploring the frontieres of the OS :cool:
     
Loading...
Thread Status:
Not open for further replies.