Security: Preserve ADS Zone Info When Recovering Files

Ideas for enhancements to the software
Post Reply
Spaceman Spiff
Posts: 33
Joined: Sat Aug 08, 2015 4:20 pm

Security: Preserve ADS Zone Info When Recovering Files

Post by Spaceman Spiff » Sun May 21, 2017 4:06 pm

For each downloaded file, Windows adds some zone information in an NTFS alternate data stream (ADS).
This "Zone.Identifier" information is used for showing warnings about running files downloaded from the Internet
and is also used by Windows Smart Screen to trigger a check of the reputation of downloaded executable files.

When files are recovered from a sandbox, this zone info is lost (i.e. the NTFS alternate data stream is not preserved).

This causes Smart Screen not to check the downloaded file, as it needs the zone info as a trigger.

It would be nice (security-wise) if the ADS info could be preserved for files recovered from a sandbox.

Steps to reproduce:
1) Run a browser (I used Firefox) in a sandbox
2) Go to https://demo.smartscreen.msft.net/
3) Download either the "Unknown program" or "Known Malware" app rep demo files at the bottom of the page.
3) Recover the downloaded file from the sandbox
4) Double-click the downloaded file in Explorer
5) Windows Smart Screen will NOT show any warnings. (The ADS zone info has been lost during the recovery process)

Compare:
1) DISABLE Sandboxie, run Browser unsandboxed
2) Go to https://demo.smartscreen.msft.net/
3) Download either the "Unknown program" or "Known Malware" app rep demo files at the bottom of the page.
4) Double-click the downloaded file in Explorer
5) Windows Smart Screen will show the proper warnings. (The ADS zone info is left untouched)

PS: This utility can be used for listing the ADS: http://www.nirsoft.net/utils/alternate_ ... reams.html

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Re: Security: Preserve ADS Zone Info When Recovering Files

Post by Guest10 » Mon May 22, 2017 6:39 am

I'm not so sure that I would want that saved:
"In addition to the legitimate usage of alternate streams, this technique may also be used by Viruses/Trojans/Spywares for saving data and hiding it from the user. "
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

Spaceman Spiff
Posts: 33
Joined: Sat Aug 08, 2015 4:20 pm

Re: Security: Preserve ADS Zone Info When Recovering Files

Post by Spaceman Spiff » Mon May 22, 2017 9:46 am

I am pretty sure that any downloaded file will NEVER contain any ADS info by itself.
In other words, Alternate Data Streams cannot be transferred over the Internet when downloading a file.
They can only "live" within NTFS file systems.

https://superuser.com/questions/147922/ ... ta-streams

The Zone.Identifier Info is created locally by Firefox (or other browsers) only AFTER a download has finished
(for files that are saved on an NTFS drive, as other filesystems cannot contain that info).

So there should be no problem.

But of course, preserving the ADS info on file recovery should be optional, so an option should be created
in Sandboxie's settings.

Brummelchen
Posts: 388
Joined: Sun Oct 12, 2008 9:13 pm

Re: Security: Preserve ADS Zone Info When Recovering Files

Post by Brummelchen » Mon Jun 12, 2017 12:07 pm

ADS is created by system -> group policy, not a browser
https://bugzilla.mozilla.org/show_bug.cgi?id=1067467
nevertheless firefox ignores it
https://blogs.msdn.microsoft.com/oldnew ... 00/?p=1543

but i think that sandboxie preserve it when i copy downloads out of the box i still have it on the target drive.
(chrome, firefox, ie, download manager(s))

Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests