Why Windows blocks files on an NTFS volume

Recently, when we unzip our package and run the deploy script from the extracted files, a security prompt asks for permission to run the script. This breaks our deployment automation and our CI environment.

We checked the file's properties and found an Unblock button next to a security message describing the file: "This file came from another computer and might be blocked to help protect this computer". I read some material and found a few interesting things, so let's look into the details.

 

1. Attachment Manager

 

This blocking behaviour has been in Windows since Windows XP SP2. It is a security feature of the Attachment Manager, which is configured through the local Group Policy and is enabled by default. The zone marking it relies on is only persisted on NTFS volumes.

 

With this feature, when we download a file from the Internet or receive it by mail, the Attachment Manager checks the file type and classifies its risk level. When the file is saved to an NTFS volume, the Web content zone it came from is saved with it. If the Attachment Manager identifies the file as potentially unsafe, it prevents you from opening the file, or shows a warning before you open it.

 

For example:

1) Script or installer files: a security confirmation is prompted when you try to run them.

2) .chm files: the content may not be shown correctly.

3) .zip files: if you extract the archive with Windows Explorer, every extracted file is blocked as well (this does not happen when you use a third-party tool such as WinZip to extract the files).

 

This feature is configured in the Local Group Policy Editor: search for Attachment Manager (under User Configuration > Administrative Templates > Windows Components) if you want to change or disable it.

 

For details of how the Attachment Manager works in Microsoft Windows, see http://support.microsoft.com/kb/883260

 

2. Alternate Data Streams (ADS)

 

The security zone information saved with the file is implemented with the Alternate Data Streams (ADS) feature of the NTFS file system. An ADS is an additional named stream of data attached to a file, used to hold metadata about the file (here, its security information); a single host file can carry multiple data streams.

 

In the blocking scenario, the security zone information is saved in a stream called Zone.Identifier (fully qualified name Zone.Identifier:$DATA), whose content records where the file came from.

 

Let's check the zip file we downloaded from our CI server. The file:stream syntax addresses the ADS directly, and a dir /r listing shows every stream beside its host file:

 

C:\Downloads> more < package.zip:Zone.Identifier
[ZoneTransfer]
ZoneId=3

2012-4-14  12:18        11.11.11 package.zip
                              11 package.zip:Zone.Identifier:$DATA

 

The ZoneId is one of the Internet Explorer security zones (the URLZONE values); 3 means the file came from the Internet:

  • 0 = Local machine;
  • 1 = Local intranet;
  • 2 = Trusted sites;
  • 3 = Internet;
  • 4 = Restricted sites.
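The following PowerShell script is an added example, not code from the original post: it reproduces the blocked state on a locally created file by writing the Zone.Identifier stream by hand, lists the file's streams, and parses the stream back into its ZoneId and zone name. It assumes an NTFS volume and Windows PowerShell 3.0 or later (for the -Stream parameters); the sample file, its HostUrl and the zone table are constructed for the example.

```powershell
# Added example, not code from the original post. Simulates a downloaded file on an
# NTFS volume by writing a Zone.Identifier stream by hand, then lists and parses it.
# Assumes Windows PowerShell 3.0 or later. The file, the HostUrl and the zone table
# are constructed for the example.

$path = Join-Path $env:TEMP 'package.zip'
Set-Content -Path $path -Value 'not really a zip, just a host file for the example'

# What a browser or mail client writes on download. HostUrl/ReferrerUrl are optional
# lines that newer clients add; the ZoneId line is the one the Attachment Manager reads.
Set-Content -Path $path -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'HostUrl=https://ci.example.invalid/package.zip'
)

# Every stream on the host file; the main content is listed as ':$DATA'.
Get-Item -Path $path -Stream * | Format-Table Stream, Length -AutoSize

# URLZONE values from urlmon; with default settings 3 and 4 are the zones that
# trigger the security prompt for risky file types.
$zoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-ZoneInfo {
    param([Parameter(Mandatory)][string]$Path)

    # A missing stream means the file is not marked; without -ErrorAction this would throw.
    $lines = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }

    # The stream is a tiny INI file: one [ZoneTransfer] section with key=value lines.
    $kv = @{}
    foreach ($line in @($lines)) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*?)\s*$') { $kv[$matches[1]] = $matches[2] }
    }
    if (-not $kv.ContainsKey('ZoneId')) { return $null }

    $id = [int]$kv['ZoneId']
    [pscustomobject]@{
        Path     = $Path
        ZoneId   = $id
        ZoneName = $zoneNames[$id]
        HostUrl  = $kv['HostUrl']
        Prompts  = ($id -ge 3)   # Internet or Restricted sites: expect the security prompt
    }
}

Get-ZoneInfo -Path $path
```

Run it in a PowerShell session on an NTFS drive; the Format-Table output shows both ':$DATA' and 'Zone.Identifier:$DATA', and Get-ZoneInfo reports ZoneId 3 (Internet) with Prompts set to True. Running it against a file with an empty or missing stream returns nothing, which is exactly the state the unblocking methods below aim for.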

 

3. How to unblock

 

To solve our problem we need to mark the file as unblocked. There are several ways to do this.

 

Method 1: unblock the compressed file manually

  1. Right-click the file, and then click Properties.
  2. Click the General tab, click Unblock, and then click OK.
  3. Extract the files from the compressed file.

 

Method 2: overwrite the Zone.Identifier stream from the command line

 

echo.>package.zip:Zone.Identifier

type nul>package.zip:Zone.Identifier

 

Both commands rewrite the Zone.Identifier stream (the first with a single blank line, the second as an empty stream). The stream itself still exists, but with no ZoneId line in it Windows no longer treats the file as blocked.

 

Method 3: recreate the host file. The stream belongs to the NTFS file, not to its content, so writing the file's main content into a brand-new file (for example by reading it and redirecting the output to a new name) leaves Zone.Identifier behind; a plain file copy between NTFS volumes, by contrast, carries the streams with it.

 

Method 4: the Sysinternals Streams utility

 

http://www.sysinternals.com/utilities/streams.html

streams -d package.zip

 

Note that -d deletes every alternate data stream on the file, not only Zone.Identifier.
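For the CI case the fix has to run unattended, so here is the whole procedure as one PowerShell script. It is an added example, not code from the original post or from any CI product: it checks the downloaded archive for a Zone.Identifier stream, removes the stream (the same effect as the Unblock button, "streams -d", or overwriting the stream), extracts the archive, and then sweeps the extracted tree for anything still marked. It assumes an NTFS volume and Windows PowerShell 5.0 or later (for Expand-Archive); the $Zip and $Dest paths are placeholders for the CI job's own locations.

```powershell
# Added example, not code from the original post or any CI product. Unblocks a downloaded
# archive before extraction, extracts it, then sweeps the output for anything still marked.
# Assumes an NTFS volume and Windows PowerShell 5.0 or later (Expand-Archive). The
# $Zip and $Dest paths are placeholders for the CI job's own locations.

function Test-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)
    # $true when the file carries a Zone.Identifier stream, i.e. Explorer would offer "Unblock".
    [bool](Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)
}

function Invoke-UnblockedExtract {
    param(
        [Parameter(Mandatory)][string]$Zip,
        [Parameter(Mandatory)][string]$Dest
    )

    if (Test-ZoneIdentifier -Path $Zip) {
        $zoneLine = Get-Content -Path $Zip -Stream Zone.Identifier | Where-Object { $_ -like 'ZoneId=*' }
        Write-Host "$Zip is marked ($zoneLine); removing the Zone.Identifier stream"
        # Deleting just this stream is the precise equivalent of the Unblock button.
        # 'Unblock-File -Path $Zip' does the same thing; 'streams -d' would also remove
        # any other alternate streams on the file.
        Remove-Item -Path $Zip -Stream Zone.Identifier
    }

    Expand-Archive -Path $Zip -DestinationPath $Dest -Force

    # Whatever tool wrote the extracted files, make sure none of them will prompt.
    $marked = @(Get-ChildItem -Path $Dest -Recurse -File |
                Where-Object { Test-ZoneIdentifier -Path $_.FullName })
    foreach ($f in $marked) {
        Write-Host "unblocking $($f.FullName)"
        Unblock-File -Path $f.FullName
    }

    # How many extracted files were still marked after the archive itself was unblocked;
    # a non-zero count in the job log means the extractor propagated the mark.
    return $marked.Count
}

# Usage (paths are placeholders for the CI job's own locations):
# Invoke-UnblockedExtract -Zip "$env:USERPROFILE\Downloads\package.zip" -Dest 'C:\deploy\package'
```

The archive is unblocked before extraction rather than after, because that matches the manual procedure in Method 1 and avoids relying on how a particular extractor handles the stream; the final sweep over the extracted tree is the check that the deploy script itself will not trigger the prompt.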

 

 

Reference:

http://support.microsoft.com/kb/942532

http://technet.microsoft.com/en-us/library/cc976808.aspx

http://www.forensicfocus.com/dissecting-ntfs-hidden-streams

Reposted from: https://www.cnblogs.com/adudu/archive/2012/04/12/2444653.html
