XP "Open File - Security Warning" problem

this'll teach me for allowing windows updates, as ms seems to be the only one who ever manages to bugger my streamlined and efficient setup

anyway...
wtf is this "open file - security warning" thing?!
it looks like a security centre warning but i have that service disabled
is it related to an ie6 hotfix/update that downloaded?
i haven't used ie since the days of mozilla suite. i have it locked down to the point that it can only perform its function within windows core
i want this nagging piece of sh!t gone
i already have a good firewall that i'm happy to have nag me - as i choose to run it that way
some googling on the subject pointed to things like servers and shares. i have all functions and services related to anything other than straightforward web access using tcp/ip switched off. anything related to anything "remote" is disabled also
i tried someone's suggestion of adding NO_ZONE_CHECKS, with the value 1, to environment variables under "user variables". when that didn't work 100% (in desperate frustration) i added the same under "system variables", which also didn't improve matters
i also looked for other settings related to certificate revocation but am clueless as to where stuff like that may hide
edit: i just found the certificate verification checks under internet options [ie only?] and disabled them but it did f'ck all to resolve my issue. it seems that this function has been ported across into windows core. help!

please somebody help me get rid of this thing. it's like they backdoored uac into my xp install - with no means to switch it off :(
any help would be seriously appreciated

cheers,
d3v

running xp pro sp3 x86
 
Files transferred to your computer from other network locations can have a special flag set which indicates this "may not be safe" blah blah blah. I know how you can strip that bit off the executables once they're on your machine, but I don't know how to keep that bit from being set...

You can use the Microsoft Streams tool to remove these flags from your file(s) but that only fixes the files already on your machine.
 
thanks
got the tool. will play with it later
in my case "other network locations" could only mean the internet, as i only have local or the internet
the question still remains; why now? why did it not used to be here and now it is?
it's a massive inconvenience, as obviously i am choosing what i am opening and don't need to be fricken told that it isn't verified - not verified by whom? i verified it. i chose to open it
where's this flag coming from? is it happening during file creation? or is the analysis being done at my end?
either way, i don't remember being told that this was going to start happening and i sure as hell didn't ask for it
i make the decisions as to what runs on my computer
i hope somebody can shed some more light on the source of this virus so that i may disable it completely, because it's not as obvious as a service or an explorer setting although it should be
 
I thought it came down with SP2; it's been around for a while now. The flag is set when the file is created by a Windows operating system that understands the locale -- meaning, you could potentially download the file with the flag already set from the source. We've run into that here at the office, where someone downloads a file from the internet directly to a server (a known good file mind you) and now everyone who tries to run it gets questioned. Use the STREAMS tool to "clean off" the file and all is back to normal.

Your box can also set that flag when it realizes the file was saved from an unknown or untrusted internet zone -- so at least part of your problem will come from IE. It's still possible to have the problem with other Mozilla / Opera browsers too based on how the filesystem sees the file get created.
 
so you're saying that the ie zones control ff?
because it's happening with every bloody file i download
there's a new section at the bottom when i select the properties of a file. every one has a new security bit that states "this file came from another computer and might be blocked to help protect this computer" with an "unblock" button next to it
it didn't happen with sp2 for me. it didn't happen with sp3 either. it only seemed to happen during the recent period that 10 or so updates have happened since sp3
i've disabled all i can in that internet options panel that seems to be for ie only
as a matter of course on my machines i manually hand control over to ff for certain protocols that it leaves in the hands of ie. before i did that i used to put a fake proxy in so that certain urls in stupid programs that tried to open ie just couldn't get through to the internet. i also disable activex and windows scripting host. i deny access to ie through program access and defaults. i use a decent firewall and have dodgy ports locked down amongst other general (non performance crippling) security measures such as disabling all dodgy services
what i'm saying is that i manage just fine to keep my machine safe, clean and never getting hit so i'm not appreciating this invasiveness and am still waiting on a method to make this flagging problem stop
i appreciate your help but why has ms not come forward and said what they've done? or is ff3 doing it with its certificate/list controls?
 
move the files to a usb flash drive
then back to your hdd
or use a flash drive as your download location fat32 should remove any daft attributes
 
All I know is this -- that warning has been in place for more than a year on XP boxes. If you're "just now" getting them, then you were either VERY FAR behind on patches, or you're doing something differently than you once were.

We found the STREAMS.EXE answer to this problem when we first started doing Vista silent driver installation testing -- we had actually known about the problem for far longer on our XP driver install processes. It's been around for a very, very long time.
 
very far behind? that's not what belarc advisor nor automatic updates ever tell me
All required security hotfixes (using the 07/08/2008 Microsoft Security Bulletin Summary) have been installed.
how far behind do you think i can possibly be when i've already stated i'm on sp3 with about 10-15 patches on top of that?
i run my machine optimally. i am what you call a power-user. i keep up to date with all patches, all drivers and keep all my chosen apps updated
despite you saying this thing showing up on other machines it never showed on mine until recently. i do remember letting an ie6 patch download. i just thought "what the hell". obviously my version of the patch was for ie6 not ie7 because i don't use ie and don't have version 7 installed, but i do understand that it partly runs alongside other services such as help and support centre and the event id lookup thingy, as things like that didn't work when i used to spoof ie's proxy to make it unable to dial out
so, nobody knows how to disable this? i can't believe you all put up with it? i don't know anybody that would put up with uac on vista and this behaves like that. even tools downloaded from ms' site throw up a warning!
thanks for the help but i hope you can understand my frustration. i don't want an extra layer of bs security popping up and asking me if i'm sure i want to run things when i obviously do, because it was i that clicked on each damned executable to - surprise - run it. for that same reason i have services like security centre switched off; because i have my own, more effective, securities already in place
i just want this disabled. it's getting on my tits
cheers
 
move the files to a usb flash drive
then back to your hdd
or use a flash drive as your download location fat32 should remove any daft attributes

all executables?
i have some sd cards which are fat or fat32 but it would take me ages to transfer most of what is on a 320gig drive and a 400gig drive back and forth, and some would never fit
i'm being facetious ;)
i've seen this solution suggested on the web but i'm sure my instance of this is not occurring for the same reason. it's more likely that i'm "doing something different" like the other poster suggests. like a service that i have disabled which ms has just updated and has now become essential because it is now co-dependent on another, whereby it never used to be. something like that, possibly?
 
i just notice that, when i ran another ms file - the wga genuinecheck.exe, it didn't even whinge about the publisher or anything not being verified but still came up asking if i wanted to run it when all was verified and in order; just because it came from another computer
i hope you can understand why i'm seriously frustrated - it's happening with everything i download!
 
well, i wasn't getting anywhere here, so, in desperation i asked my good buds over at my regular irc haunt
some of them were getting it too
my brain was fried from all the differing information regarding different circumstances that may give rise to this, but no solution conclusive
so i showed them this very thread and sat back
my good friend dklon said that he had been suffering this on his only win box and it seemed like it had only started happening with the upgrade to ff3!
he had a look on behalf of us both and came across this gem: http://forums.mozillazine.org/viewtopic.php?p=3398533&sid=101d4e58bf2df805b1490963642359b0#p3398533 (browser will open at the relevant post)
gingerbreadman's regedit did the trick in both our cases
i can't be bothered to read it all so forgive me if i'm wrong, but it looks to me like in my case it arose because ff3 is honouring ms windows' bollox dep settings and causing this unnecessary alert

for those also suffering (who may google and find this thread) i give you a c&p version for you to enter as a txt file and rename to a reg file for ease of use:-
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
big thanks go to my bud dklon for saving my irritated and fried brain and doing the shitwork and, obviously, gingerbreadman for the actual solution
anyway, thanks for trying guys
out,
d3v

endnote: is everybody trying their hardest to make us all go linux or what?
 
ok, so why the hell is my quote showing with the [typo] text "Curre ntVersion" in my post???!!!
is it just on my machine?
i check my post source and it is fine, only it is showing up in my browser with the space present as i quote it here
 
It's the wordwrap feature of the forum. It will place a space in a lengthy phrase so the line can be wrapped, if needed. To prevent that, a code block can be used.

Code:
Windows Registry Editor Version 5.00

; SaveZoneInformation: 1 = do not save zone information on downloaded files, 2 = save it
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
 
thanks for the info, and the code post
in my impatience i just pressed the most visible [to me] button
sorry
will remember that feature is implemented if ever i need it in future
ta,
d3v
 
See, you were doing something different ;)

Sorry we weren't more help, but that feature has been in Windows for eons -- looks like you just got around it because of your choice of browser. At least you were able to find the solution and get it solved :)
 
aye
to be on the safe side i ran adsspy.exe again today. this time i unchecked the part that says "ignore safe system info data streams..." and sure enough, instead of coming up empty, it found a load of recent files on both my drives that had "zone information" tags added. i wiped all those tags
i'll see how things go
if i get this problem again in the future i may have to consider disabling dep entirely, via a boot.ini switch change from /noexecute=optin to /noexecute=alwaysoff
cheers once more,
d3v
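
The "zone information" tags reported in the thread are stored in an NTFS alternate data stream named Zone.Identifier, attached to each downloaded file. As an added example (not code from any poster in this thread), this Python sketch parses that stream and lists the marked files under a folder so they can be reviewed; the sample content, host name and function names are constructed for illustration.

```python
import os
import sys

# Windows URL security zone numbers stored in the stream's ZoneId value.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample of what a browser writes for an internet download.
SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://downloads.example.test/tool.exe\r\n"

def parse_zone_identifier(text):
    """Return the ZoneId as an int, or None if the content has no usable one."""
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None

def is_untrusted_origin(zone_id):
    """Internet (3) and Restricted Sites (4) are the untrusted-origin zones."""
    return zone_id in (3, 4)

def read_zone(path):
    """Open the NTFS stream beside a file (Windows only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

def audit(root):
    """List (path, zone name) for every file under root that carries a mark."""
    marked = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            zone = read_zone(path)
            if zone is not None:
                marked.append((path, ZONES.get(zone, "Unknown zone %d" % zone)))
    return marked

if __name__ == "__main__":
    for path, zone in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(zone, path, sep="\t")
```

On a FAT32 volume or a non-Windows system there are no alternate data streams, so `audit` returns an empty list there.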
 