For each downloaded file, Windows adds some zone information in an NTFS alternate data stream (ADS).
This "Zone.Identifier" information is used for showing warnings about running files downloaded from the Internet
and is also used by Windows Smart Screen to trigger a check of the reputation of downloaded executable files.
When files are recovered from a sandbox, this zone info is lost (i.e. the NTFS alternate data stream is not preserved).
This causes Smart Screen not to check the downloaded file, as it needs the zone info as a trigger.
It would be nice (security-wise) if the ADS info could be preserved for files recovered from a sandbox.
Steps to reproduce:
1) Run a browser (I used Firefox) in a sandbox
2) Go to https://demo.smartscreen.msft.net/
3) Download either the "Unknown program" or "Known Malware" app rep demo files at the bottom of the page.
4) Recover the downloaded file from the sandbox
5) Double-click the downloaded file in Explorer
6) Windows Smart Screen will NOT show any warnings. (The ADS zone info has been lost during the recovery process)
Compare:
1) DISABLE Sandboxie, run Browser unsandboxed
2) Go to https://demo.smartscreen.msft.net/
3) Download either the "Unknown program" or "Known Malware" app rep demo files at the bottom of the page.
4) Double-click the downloaded file in Explorer
5) Windows Smart Screen will show the proper warnings. (The ADS zone info is left untouched)
PS: This utility can be used for listing the ADS: http://www.nirsoft.net/utils/alternate_ ... reams.html
Security: Preserve ADS Zone Info When Recovering Files
-
- Posts: 33
- Joined: Sat Aug 08, 2015 4:20 pm
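As an added illustration of the behaviour the opening post describes (this is example code, not code from the original post or from Sandboxie), the PowerShell below stamps a constructed file with a Zone.Identifier stream in the same INI-style layout a browser's attachment manager writes, shows that a recovery routine which reads and rewrites only the default data stream loses that stream, and shows a stream-aware copy that carries it across. The scratch directory, file names and the HostUrl value are assumptions made for the demo; it needs an NTFS volume and Windows PowerShell 5.1 or later.

```powershell
# Added example, not part of the original post or of Sandboxie.
# Demonstrates the Zone.Identifier alternate data stream (mark-of-the-web) on NTFS:
# how to read it, how a naive recovery copy drops it, and how to carry it across.
# Requires Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.

function Get-ZoneId {
    # Returns the ZoneId value from the file's Zone.Identifier stream,
    # or $null when the file carries no zone information (3 = Internet zone).
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($lines)) {
        if ($line -and $line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Set-ZoneId {
    # Writes a Zone.Identifier stream in the layout browsers use.
    # HostUrl is optional; ZoneId=3 marks the file as coming from the Internet zone.
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ZoneId = 3,
        [string]$HostUrl
    )
    $content = @('[ZoneTransfer]', "ZoneId=$ZoneId")
    if ($HostUrl) { $content += "HostUrl=$HostUrl" }
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $content -Encoding Ascii
}

function Copy-FileNaive {
    # Simulates a recovery routine that reads and rewrites only the default
    # data stream. Named streams such as Zone.Identifier are not carried over.
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Destination)
    [IO.File]::WriteAllBytes($Destination, [IO.File]::ReadAllBytes($Source))
}

function Copy-FileWithZoneInfo {
    # Same byte copy, then re-creates the Zone.Identifier stream from the source
    # so the recovered copy still gives SmartScreen its trigger.
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Destination)
    Copy-FileNaive -Source $Source -Destination $Destination
    $zone = Get-Content -LiteralPath $Source -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) {
        Set-Content -LiteralPath $Destination -Stream Zone.Identifier -Value $zone -Encoding Ascii
    }
}

# --- demo on constructed files in a scratch directory (assumed paths) ---
$work = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null

# Stand-in for a browser download; the content is a placeholder, not a real executable.
$downloaded = Join-Path $work 'download.exe'
Set-Content -LiteralPath $downloaded -Value 'placeholder payload' -Encoding Ascii
Set-ZoneId -Path $downloaded -ZoneId 3 -HostUrl 'https://demo.smartscreen.msft.net/'

$naive = Join-Path $work 'recovered-naive.exe'
Copy-FileNaive -Source $downloaded -Destination $naive

$kept = Join-Path $work 'recovered-with-ads.exe'
Copy-FileWithZoneInfo -Source $downloaded -Destination $kept

# List every stream on each file (the cmdlet equivalent of "dir /R" or an ADS viewer)
# and show which copies still carry a ZoneId.
foreach ($f in $downloaded, $naive, $kept) {
    $streams = (Get-Item -LiteralPath $f -Stream *).Stream -join ', '
    $zone = Get-ZoneId -Path $f
    $shown = if ($null -eq $zone) { 'none' } else { $zone }
    '{0,-24} streams: {1,-28} ZoneId: {2}' -f (Split-Path $f -Leaf), $streams, $shown
}

Remove-Item -LiteralPath $work -Recurse -Force
```

Two caveats when reproducing this outside the demo: a plain Copy-Item or Explorer copy between two NTFS volumes keeps the stream anyway, because the Win32 CopyFile call copies named streams, so the naive function models a recovery path that streams bytes out rather than calling CopyFile; and copying to a FAT or exFAT drive drops the stream regardless of method. Unblock-File is the inverse operation and deletes the Zone.Identifier stream outright.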
Re: Security: Preserve ADS Zone Info When Recovering Files
I'm not so sure that I would want that saved:
"In addition to the legitimate usage of alternate streams, this technique may also be used by Viruses/Trojans/Spywares for saving data and hiding it from the user. "
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
-
- Posts: 33
- Joined: Sat Aug 08, 2015 4:20 pm
Re: Security: Preserve ADS Zone Info When Recovering Files
I am pretty sure that any downloaded file will NEVER contain any ADS info by itself.
In other words, Alternate Data Streams cannot be transferred over the Internet when downloading a file.
They can only "live" within NTFS file systems.
https://superuser.com/questions/147922/ ... ta-streams
The Zone.Identifier Info is created locally by Firefox (or other browsers) only AFTER a download has finished
(for files that are saved on an NTFS drive, as other filesystems cannot contain that info).
So there should be no problem.
But of course, preserving the ADS info on file recovery should be optional, so an option should be created
in Sandboxie's settings.
-
- Posts: 388
- Joined: Sun Oct 12, 2008 9:13 pm
Re: Security: Preserve ADS Zone Info When Recovering Files
The ADS is created by the system (group policy), not by a browser
https://bugzilla.mozilla.org/show_bug.cgi?id=1067467
Nevertheless, Firefox ignores it
https://blogs.msdn.microsoft.com/oldnew ... 00/?p=1543
But I think that Sandboxie preserves it: when I copy downloads out of the box, I still have it on the target drive.
(Chrome, Firefox, IE, download manager(s))