Removing 'Security Warning' on files downloaded with Firefox 3.0

First, the workaround:

To remove the 'Security Warning' dialog that comes up when launching a file downloaded with Firefox 3.0, set the browser.download.manager.scanWhenDone preference in about:config to false. To read about why this dialog is used, what causes it to be shown, and how this workaround was discovered, read on.

Now, the story:

One of the new features of Windows XP SP2 was an enhanced security mode for downloads. When a program used one of the new APIs to save a file, Windows would automatically initiate a virus scan with any installed antivirus software (provided that the antivirus software also used the new APIs). The new save API also flagged the download as having come from the internet, and when launched, if the download was not digitally signed, Windows would present the user with a warning box.

warning.png

Prior to version 3.0, Firefox users were not invited to this party because Firefox did not use these APIs. In contrast, Microsoft updated its Internet Explorer browser in SP2 to use these new APIs so that IE users would be protected from the potentially 'dangerous' files they were downloading. In practice, however, the only software that was ever digitally signed was Microsoft's own programs. This meant that Windows would consider any other download potentially dangerous, and would annoy (or perhaps frighten) the user with the above dialog box.

Windows Vista took this mechanism a step further. In addition to downloaded applications (.exe files and scripts), Windows Vista also alerts the user with the following (somewhat cryptic) dialog if they attempt to extract files from an archive such as a .zip file:

copy.png

What's worse is that 'No' is the default action, so simply hitting enter will cancel the extraction operation. In Windows Vista, the security settings are also inherited for all files extracted from the archive. This means that if the user extracts a setup application from a .zip file they downloaded and then runs it, they will not only encounter the above dialog during extraction, but will also be shown the 'Security Warning' dialog when they try to run setup. The user could, of course, clear the 'Always ask' checkbox, or click the 'Unblock' button in the file's properties window. This would prevent Windows from bothering the user about this particular file, but there was no obvious way to stop Windows from doing this to every other file that was downloaded.

props.png

In seeking to disable this functionality, one might discover that there is a setting hidden within the Internet Options control panel's Security tab which can control the new behavior. To access it, the user would have to select the Internet Zone, and then choose "Custom" to access the list of security preferences. Changing the value of the "Launching applications and unsafe files" preference to "Enable" removes these prompts, but as the dialog box notes, is considered 'unsafe'. This setting also has the disadvantage of being a system-wide change, which is overkill if the user only wants to return Firefox's download behavior to its pre-3.0 state.

inetsec.png

Returning to the search, one might wonder, "How does Windows know that a file has come from the internet?" A little investigation turns up the answer. On Mac OS X, downloaded files are flagged with an extended attribute, which the operating system reads and uses to determine whether it should take certain actions. As it turns out, a similar system is used in Windows. Windows does not support extended attributes in its NTFS filesystem, but it does support what are known as alternate data streams (ADS). These are hidden pieces of data that can be attached to any file stored on an NTFS-formatted drive. Using my NTFSADS tool for viewing alternate data streams, we can see what data streams are attached to a file that was just downloaded with Firefox 3.0:

cmd.png

A quick search for information about Zone.Identifier shows that this is an ADS that is added to files saved from the internet by Internet Explorer or Outlook. It seems that Firefox 3.0 is now doing this as well. Additionally, researching the contents of this ADS entry turns up that Zone ID 3 corresponds to the Internet Zone. This same link also gives some more information on how this ADS is added to the file:

“AES-participating applications call the Save method of IAttachmentExecute interface to add a Zone.Identifier alternate data stream to store the zone from which the file came.”

A search for this interface in the Firefox 3.0 code comes up with a reference to bug 408153, which changed the save mechanism to use the IAttachmentExecute.Save method to save downloaded files so that they would be scanned by the installed antivirus software. This is what is responsible for attaching this Zone.Identifier ADS and ultimately causing the security warnings.

Reading through the comments turns up another bug, bug 412204, which contains a patch that adds an about:config preference to disable the new save behavior. Bingo! Looking at the patch, we can see that the new preference is named 'browser.download.manager.scanWhenDone'. After visiting about:config and setting this preference to false, I downloaded a .exe file and verified that Windows no longer displays its security warning. Checking out the file with NTFSADS shows no alternate data streams.
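The check described above, and the Zone.Identifier contents discussed earlier, can be repeated without extra tools. The following Python is an added example, not code from the original post or from the NTFSADS tool: it parses the text of a Zone.Identifier stream and, on Windows with NTFS, reads the stream straight from a file. The function names, the zone table (the standard Windows URL security zone numbering) and the sample stream text are assumptions constructed for illustration.

```python
import configparser
import os

# Windows URL security zone numbering (URLZONE values).
ZONES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample: stream text for a file saved from the Internet Zone.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text):
    """Return (zone_id, zone_name), or None if the text has no usable ZoneId."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        zone_id = parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None
    return zone_id, ZONES.get(zone_id, "Unknown")


def read_zone_identifier(path):
    """Read path's Zone.Identifier stream on Windows/NTFS.

    Returns None when no stream is attached (or it carries no usable
    ZoneId), which is the state the post observes after the preference
    change.
    """
    if os.name != "nt":
        raise OSError("alternate data streams need Windows and NTFS")
    try:
        # "file:streamname" opens an alternate data stream on NTFS.
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```
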

Mystery solved!

--Brandon

Comments

Awesome! Thanks

Posted by Miles on April 30, 2008 03:51 AM

I've always loved Firefox, but when I saw those ugly MS pop-ups I was so upset and confused! Firefox tagging files like IE does? What the..? I've searched for some hours and only found some obscure bribes of solutions. But now I got the fully explained story. Well man, thank you a lot. You made my day.

Guillaume

Posted by on May 27, 2008 10:03 PM

Great sleuthing work - I'd like to write an article or two about this issue, which I would of course attribute to your good self, with a link back to this blog post.

Would it be OK to use one or two of your graphics to illustrate the point?

Cheers,

Karl Bailey
http://ezinearticles.com/?expert=Karl_Bailey

Posted by Antivirus Protection on July 22, 2008 03:04 AM

That would be great, go right ahead. Thanks!

--Brandon

Posted by Brandon Siegel on July 22, 2008 11:15 AM

Thank you! I HATE how FF is taking on these stupid so-called security features for mainstream users and then burying them in about:config. Things were much better back before it was mainstream.

Posted by Dan on August 2, 2008 09:32 PM

Whew. Finally, a solution that's not XP Pro specific. Thanks.

Posted by Datalyss on August 13, 2008 03:20 PM

Thank you! This was probably the most annoying change in FF3 for me. And you did an outstanding job investigating and explaining it. Sanity prevails!

Posted by Tom on August 29, 2008 08:16 PM

You are a god among men.

Posted by Prio on September 26, 2008 07:19 PM

Thanks!

Could you possibly write a small instruction set for the ntfsads tool, as I've never been too proficient in cmd related programs.

Posted by Bill on October 3, 2008 11:58 PM

Bill,

If you download the NTFSADS tool, the .zip file will contain a README.txt file which specifies exactly how to use the ntfsads.exe program. If you need more assistance than that, e-mail me at brandon at smartercode dot net.

--Brandon

Posted by Brandon Siegel on October 4, 2008 12:28 AM

Thank you so much! I also spent a lot of time looking for this fix until I found you - you saved a lot of time and work!

Posted by Lee Thomas on November 17, 2008 08:04 PM

Thank you very much for looking into this matter. This has always annoyed me and I finally decided to look up how to disable this new functionality in Firefox 3. It definitely felt way too IE-esque for my taste.

Your discovery about the ADS in the files was very informative. I had wondered why files that were downloaded acted that way with Windows, as if it knew that I had downloaded the file. I'm glad to finally get rid of these annoying warning messages. I generally disable all bogus security measures that only serve to slow down my productivity and add extra steps to simple tasks.

Posted by Daniel on November 24, 2008 03:28 PM

Thanks!
I got to install driver for my camera every time.
I don't know why.
And this warning always showed up.
Now I can get rid of it.

Posted by xlei on December 21, 2008 08:50 PM

There is another hidden pref, namely browser.download.manager.skipWinSecurityPolicyChecks, which, when set to true, tells Firefox not to use the IAttachmentExecute interface when downloading files.

http://kb.mozillazine.org/Browser.download.manager.skipWinSecurityPolicyChecks

Posted by Ivan on May 17, 2009 04:48 PM

Nice, finally I can get rid of the warning sign.

Posted by GoldSEO on June 15, 2009 10:59 PM

Unfortunately, neither method works with 3.5x
(scanWhenDone and skipWinSecurityPolicyChecks)

Posted by MoFoQ on June 19, 2009 02:17 AM

After some sleuthing, I have only been able to get Firefox 3.5 to skip using the IAttachmentExecute interface by setting all three of the following settings:

browser.download.manager.scanWhenDone = false
browser.download.manager.skipWinSecurityPolicyChecks = true
browser.download.manager.alertOnEXEOpen = false

Hope this works for you as well.

--Brandon

Posted by Brandon Siegel on June 19, 2009 02:37 AM
