   Mischel Internet Security Forum
   TrojanHunter
   Bugs
(Moderators: Helena, Gavin_Coe, Magnus)
   [OPEN] Right-click scanning downloaded file
   Author  Topic: [OPEN] Right-click scanning downloaded file  (Read 750 times)
Magnus
Administrator
[OPEN] Right-click scanning downloaded file
« on: Feb 27th, 2010, 4:17am »

TrojanHunter versions: TrojanHunter 5.3 Beta 1 and later.
 
 
Complete steps to reproduce bug:
 
1. Download TrojanHunterSetup.exe and save to C:\Download
 
2. Right-click on C:\Download\TrojanHunterSetup.exe and select "Scan with TrojanHunter"
 
3. Windows will display "Do you want to run this file?" dialog
 
This only happens with files downloaded from the internet that have a Zone.Identifier alternate data stream. If you click Run in the dialog the file does not get executed. Instead, the file will be scanned by TrojanHunter as you would expect.
 
 
Expected behavior:
 
The "Do you want to run this file?" dialog box should not be displayed. The file should be scanned by TrojanHunter immediately.
 
 
Observed (buggy) behavior:
 
The "Do you want to run this file?" dialog is displayed by Windows.
 
 
More information/Resolution
 
This behavior is caused by Windows for any context-menu handler installed into HKCR\AllFileSystemObjects. This can be reproduced by creating an entry for Notepad and will cause the same behavior.
 
The resolution is unknown at this time. If you have any more information about this, please post in this thread.
« Last Edit: Feb 27th, 2010, 4:18am by Magnus »

Follow me on Twitter: http://twitter.com/mmischel
Magnus
Administrator
Re: [OPEN] Right-click scanning downloaded file
« Reply #1 on: Feb 27th, 2010, 4:25am »

Some further information: In the Notepad test case, even if you set the right-click command to only open Notepad (not providing a command line to the file that was right-clicked) the "Do you want to run this file" dialog box still appears.
 
Notepad test case:
 
1. Create key
    HKCR\AllFileSystemObjects\shell\Notepad Test

2. Set (Default) value of
    HKCR\AllFileSystemObjects\shell\Notepad
to "Notepad Test"

3. Create key
    HKCR\AllFileSystemObjects\shell\Notepad Test\Command

4. Set (Default) value of
    Create key HKCR\AllFileSystemObjects\shell\Notepad Test\Command
to notepad.exe
siliconman01
Global Moderator
Re: [OPEN] Right-click scanning downloaded file
« Reply #2 on: Mar 12th, 2010, 1:14am »

Any progress on resolving this issue?
 
The current state is going to be a "scary" event to most TH users.  The most common use of right click scanning is to test a downloaded file for possible malicious content.  To have the RUN window pop up is going to result in "Holy Toledo, it's going to start installing if I click on RUN".  
 
JMO
 
JFI, here is a way to prevent the zone identifier from being saved on downloaded files...on Windows 7.  (I think this works on Vista too; however, I do not have a machine to test it).
 
-  Group Policy Option (Run... gpedit.msc )
 
-  Group Policy > User Configuration > Administrative Templates >
Windows Components > Attachment Manager.
 
-  Enable "Do not preserve zone information in file attachments".
 
-  No reboot required.  
 
-  After this change is made, any subsequently downloaded files will no longer have the zone identifier saved.  Therefore a right click scan by TH promptly opens TH scanner.  Of course, this also means that the "Always ask before opening this file">RUN window on an executable will no longer appear....which could be a security problem...although I suspect that any "drive by malicious download" has the zone identifier suppressed or does not have one.
« Last Edit: Mar 12th, 2010, 3:56am by siliconman01 »

______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
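
Added example (not from the thread and not TrojanHunter code): a Python check that reads a file's Zone.Identifier stream, the mark the first post ties the dialog to, and reports whether the Attachment Manager policy described above is switched on for the current user. Function names are illustrative; the registry path and the reading of SaveZoneInformation = 1 as "do not preserve" come from the Windows policy mapping, not from the thread.

```python
import configparser

# Windows URL security zone numbers stored as ZoneId.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"

def parse_zone_identifier(text):
    """Return ZoneId from the text of a Zone.Identifier stream, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None  # empty, malformed, or no [ZoneTransfer] section

def read_zone_id(path):
    """Read path's Zone.Identifier alternate data stream (NTFS on Windows)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None  # no stream, or a file system without streams

def read_policy():
    """Return the current user's SaveZoneInformation policy value, else None."""
    try:
        import winreg  # available on Windows only
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY) as key:
            return winreg.QueryValueEx(key, "SaveZoneInformation")[0]
    except (ImportError, OSError):
        return None

def assess(zone_id, policy_value):
    """Summarise the file mark and the policy state as (marked, findings)."""
    marked = zone_id in (3, 4)  # Internet or Restricted Sites
    findings = []
    if zone_id is None:
        findings.append("file has no zone mark")
    else:
        findings.append(f"file zone: {ZONES.get(zone_id, 'unknown')} ({zone_id})")
    if policy_value == 1:
        findings.append("policy set: new downloads are saved without zone information")
    return marked, findings

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, *assess(read_zone_id(p), read_policy()))
```

Run it with one or more file paths as arguments; on a machine where the policy is enabled, newly downloaded files report no zone mark.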
Magnus
Administrator
Re: [OPEN] Right-click scanning downloaded file
« Reply #3 on: Mar 15th, 2010, 9:06am »

I'm going to leave this as is right now but it will probably need to be fixed in a future version. It's a Windows problem and it looks like there's no easy way to fix it unless we want to revert to the old contmenu.dll extension.