rfdjr1 said:
How do I permanently disable this box that comes up when I try to open
files in Windows Explorer? If I uncheck the box that says "Always
ask before opening this file" it's only for that particular file. I
don't want to see this box again.
To add to Paul's reply, a file in NTFS can have multiple alternate data
streams (ADS). In your case, the ADS to add protection for files
downloaded using IE is called "Zone.Identifier". It records under which
secure zone a file was acquired into the file system.
You can use ADS utilities to see them. For example, Rekenwonder has
their Stream Explorer that lets you pick a file to see if it has
alternate data streams assigned to it. Because you can attach an ADS
onto a file, this is how, for example, you could have a .txt file with
only a few bytes inside but a malicious person or program could attach
megabytes of extra bytes onto the file so you couldn't copy the file
into, say, an NTFS partition whose free space isn't that big.
http://www.rekenwonder.com/streamexplorer.htm
For a file downloaded using IE, and looking at the downloaded file using
Stream Explorer, you'll see an ADS named "Zone.Identifier". Selecting
it you will see its content has a line "ZoneID=<n>" where <n> is the
security zone under which the file got downloaded. 3 means the file was
downloaded under the Internet security zone so the file is considered
unsafe. 1 means the file was downloaded under the Local Intranet
security zone and the file is considered safe.
Stream Explorer only lets you view the main/default and alternate(s)
streams. If you want to delete the streams, you'll need a utility that
lets you do that, like the one from SysInternals:
http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
File system forks allow a file to contain multiple attached metadata.
Normally the user only gets to access the main or default fork as the
others are normally for special use. In Windows, a file system fork is
called an alternate data stream.
http://en.wikipedia.org/wiki/Alternate_data_stream
http://www.heysoft.de/en/information/ntfs-ads.php?lang=EN
http://www.flexhex.com/docs/articles/alternate-streams.phtml
Use can be malicious, like a file carrying a payload of code that some
other malware can access - so the malware executor is small and its
payload is elsewhere but that piggybacked file looks tiny in normal file
utilities and looks like a benign text file. The code in an ADS is not
normally executable but must be called by a parent program (which is
what gets detected by anti-malware programs) or by using a special
command line that specifies the ADS (but then something had to run that
command so, again, anti-malware needs to detect the caller). For
example, if you had a .txt file onto which you attached an ADS that was
notepad.exe and called the text file at a command prompt using:
mytextfile.txt:notepad.exe
To the casual observer, it looks like you are trying to execute a .txt
file (with some fluff after it) which would normally fail or load the
default viewer associated with .txt filetypes; however, because of
putting executable code in the named ADS, you would see Notepad get
loaded. In this case, it's obvious or suspicious that an .exe is shown
in the command line so the user may get alerted something isn't kosher
here. However, the ADS payload could be something innocuous looking,
like "mytextfile.txt:index" and the caller program would simply get at
the "index" named ADS for more executable code. Normal user-level tools
in the OS don't reveal there is an ADS, or several, on a file.
This is why many knowledgeable users had to push anti-virus makers to
include scanning of ADS'es since malware might lurk there (but something
else has to call it). Despite that ADS was available when NTFS was
introduced, it was several years before AV makers got around to scanning
the ADS'es on a file (and primarily as a reaction to when malware
started using ADS to hide their code).
The Zone.Identifier ADS is one use that is beneficial since files
downloaded from the Internet are not, by default, considered safe.
However, there are uses of ADS that are malicious (another reason why
files from the Internet aren't safe) and why you need some security
software that can inspect any ADS on a file. I've seen users claim they
need no anti-virus software because they always practice safe hex;
however, when confronted with the possibility of malicious code in an
ADS, and because they *do* download files from the Internet, then
they stare like deer caught at night in headlights. They don't know
about it, don't have the tools to check, and have decided not to use AV
software that can inspect an ADS on a file. They claim they're safe
based on their own behavior but they're actually running blind.
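
The "ZoneID=<n>" content described in the post above can be checked with a short script. This is an added example, not part of the original post: the function names are hypothetical, the sample stream body is constructed, and zones 0, 2 and 4 come from the Windows security zone model rather than from the post.

```python
import os

# Zone numbers from the Windows URL security zone model; the post above
# names 3 (Internet) and 1 (Local Intranet), the rest complete the set.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(raw: bytes) -> dict:
    """Parse the INI-style body of a Zone.Identifier stream into a dict."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")           # BOM-marked UTF-16 body
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only keys under [ZoneTransfer] count; ignore other sections.
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def classify(raw: bytes) -> tuple:
    """Return (zone_id, zone_name); zone_id is None if absent or malformed."""
    value = parse_zone_identifier(raw).get("zoneid")
    try:
        zone_id = int(value)
    except (TypeError, ValueError):
        return None, "unknown"
    return zone_id, ZONES.get(zone_id, "unknown")

def read_zone_identifier(path: str):
    """Read the stream from a file on NTFS; None when there is no such stream."""
    if os.name != "nt":
        return None  # the file:stream path syntax only exists on Windows
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return stream.read()
    except OSError:
        return None

# Constructed sample: what the stream typically holds for a browser download.
SAMPLE = b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/file.zip\r\n"

if __name__ == "__main__":
    print(classify(SAMPLE))
```

On a Windows machine, pass the bytes returned by `read_zone_identifier(path)` to `classify` to see which zone a downloaded file was tagged with.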