Remove the 'Security Warning' on files downloaded with Firefox 3.0 and 3.5
First, the workaround:
To remove the 'Security Warning' dialog that comes up when launching a file downloaded with Firefox 3.0, set the browser.download.manager.scanWhenDone preference in about:config to false. To read about why this dialog is used, what causes it to be shown, and how this workaround was discovered, read on.
Update for Firefox 3.5:
If you are using Firefox 3.5, you will notice that setting this preference no longer bypasses the security warning. I have found that Firefox 3.5 users who wish to bypass this warning must instead set a new preference named browser.download.manager.alertOnEXEOpen to false. The browser.download.manager.scanWhenDone preference now only controls whether the OS is asked to invoke the virus scanner when the download completes, so for security reasons, if you had turned this off previously you should probably set it back to true.
The browser.download.manager.skipWinSecurityPolicyChecks preference previously mentioned here is not needed; its purpose is to allow a user to override the "Launching applications and unsafe files" setting in Windows Internet Options.
Good news for Firefox 3.6:
In Firefox 3.6 and above, a Zone.Identifier stream will no longer be added to downloaded files. Additionally, the browser.download.manager.skipWinSecurityPolicyChecks and browser.download.manager.alertOnEXEOpen preferences will be removed entirely.
Now, the story:
One of the new features of Windows XP SP2 was an enhanced security mode for downloads. When a program used one of the new APIs to save a file, Windows would automatically initiate a virus scan with the any installed antivirus software (provided that the antivirus software also used the new APIs). The new save API also flagged the download as having come from the internet, and when launched, if the download was not digitally signed, Windows would present the user with a warning box.
Prior to version 3.0, Firefox users were not invited to this party because Firefox did not use these APIs. In contrast, Microsoft updated its Internet Explorer browser in SP2 to use these new APIs so that IE users would be protected from the potentially 'dangerous' files they were downloading. In practice, however, the only software that was ever digitally signed was Microsoft's own programs. This meant that Windows would consider any other download potentially dangerous, and would annoy (or perhaps frighten) the user with the above dialog box.
Windows Vista took this mechanism a step further. In addition to downloaded applications (.exe files and scripts), Windows Vista also alerts the user with the following (somewhat cryptic) dialog if they attempt to extract files from an archive such as a .zip file:
What's worse, is that 'No' is the default action, so simply hitting enter will cancel the extraction operation. In Windows Vista, the security settings are also inherited for all files extracted from the archive. This means that if the user extracts a setup application from a .zip file they downloaded and then runs it, they will not only encounter the above dialog during extraction, but will also be shown the 'Security Warning' dialog when they try to run setup. The user could, of course, clear the 'Always ask' checkbox, or click the 'Unblock' button in the file's properties window. This would prevent Windows from bothering the user about this particular file, but there was no obvious way to stop Windows from doing this to every other file that was downloaded.
In seeking to disable this functionality, one might discover that there is a setting hidden within the Internet Options control panel's Security tab which can control the new behavior. To access it, the user would have to select the Internet Zone, and then choose "Custom" to access the list of security preferences. Changing the value of the "Launching applications and unsafe files" preference to "Enable" removes these prompts, but as the dialog box notes, is considered 'unsafe'. This setting also has the disadvantage of being a system-wide change, which is overkill if the user only wants to return Firefox's download behavior to its pre-3.0 state.
Returning to the search, one might wonder, "How does Windows know that a file has come from the internet?". A little investigation turns up the answer. On Mac OS X, downloaded files are flagged with an extended attribute, which the operating system reads and uses to determine whether it should take certain actions. As it turns out, a similar system is used in Windows. Windows does not support extended attributes in its NTFS filesystem, but it does support what are known as alternate data streams (ADS). These are hidden pieces of data that can be attached to any file stored on an NTFS-formatted drive. Using my NTFSADS tool for viewing alternate data streams, we can see what data streams are attached to a file that was just downloaded with Firefox 3.0:
A quick search for information about Zone.Identifier shows that this is an ADS that is added to files saved from the internet by Internet Explorer or Outlook. It seems that Firefox 3.0 is now doing this as well. Additionally, researching the contents of this ADS entry turns up that Zone ID 3 corresponds to the Internet Zone. This same link also gives some more information on how this ADS is added to the file:
“AES-participating applications call the Save method of IAttachmentExecute interface to add a Zone.Identifier alternate data stream to store the zone from which the file came.”
A search for this interface in the Firefox 3.0 code come up with a reference to bug 408153 which changed the save mechanism to use the IAttachmentExecute.Save method to save downloaded files so that they would be scanned by the installed antivirus software. This is what is responsible for attaching this Zone.Identifier ADS and ultimately causing the security warnings.
Reading through the comments turns up another bug, bug 412204 which contains a patch that adds an about:config preference to disable the new save behavior. Bingo! Looking at the patch, we can see that the new preference is named 'browser.download.manager.scanWhenDone'. After visiting about:config and setting this preference to false, I downloaded a .exe file and verified that Windows no longer displays its security warning. Checking out the file with NTFSADS shows no alternate data streams.
Mystery solved!
--Brandon
Comments
Awesome! Thanks
I've always loved Firefox, but when I saw those ugly MS pop-ups I was so upset and confused! Firefox tagging files like IE does? What the..? I've searched for some hours and only found some obscure bribes of solutions. But now I got the fully explained story. Well man, thank you a lot. You made my day.
Guillaume
Great sleuthing work - I'd like to write an article or two about this issue, which I would of course attribute to your good self, with a link back to this blog post.
Would it be OK to use one or two of your graphics to illustrate the point?
Cheers,
Karl Bailey
http://ezinearticles.com/?expert=Karl_Bailey
That would be great, go right ahead. Thanks!
--Brandon
Thank you! I HATE how FF is taking on these stupid so-called security features for mainstream users and then burying them in about:config. Things were much better back before it was mainstream.
Whew. Finally, a solution that's not XP Pro specific. Thanks.
Thank you! This was probably the most annoying change in FF3 for me. And you did an outstanding job investigating and explaining it. Sanity prevails!
You are a god among men.
Thanks!
Could you possibly write a small instruction set for the ntfsads tool, as I've never been too proficient in cmd related programs
Bill,
If you download the NTFSADS tool, the .zip file will contain a README.txt file which specifies exactly how to use the ntfsads.exe program. If you need more assistance than that, e-mail me at brandon at smartercode dot net.
--Brandon
Thank you so much! I also spent a lot of time looking for this fix until I found you - you saved a lot of time and work!
Thank you very much for looking into this matter. This has always annoyed me and I finally decided to look up how to disable this new functionality in Firefox 3. It definitely felt way too IE-esque for my taste.
Your discovery about the ADS in the files were very informative. I had wondered why files that were downloaded acted that way with Windows, as if it knew that I had downloaded the file. I'm glad to finally get rid of these annoying warning messages. I generally disable all bogus security measures that only serve to slow down my productivity and add extra steps to simple tasks.
Thanks!
I got to install driver for my camera every time.
I don't know why.
And this warning always showed up.
Now I can get rid of it.
There is another hidden pref, namely browser.download.manager.skipWinSecurityPolicyChecks
which, when set to true, tells firefox not to use IAttachmentExecute interface when downloading files.
http://kb.mozillazine.org/Browser.download.manager.skipWinSecurityPolicyChecks
Nice, finally I can get rid off the warning sign
unfortunately, neither method works with 3.5x
(scanWhenDone and skipWinSecurityPolicyChecks)
After some sleuthing, I have only been able to get Firefox 3.5 to skip using the IAttachmentExecute interface by setting all three of the following settings:
browser.download.manager.scanWhenDone = false
browser.download.manager.skipWinSecurityPolicyChecks = true
browser.download.manager.alertOnEXEOpen = false
I've updated the post to include this info, thanks for drawing my attention to it!
--Brandon
This issue has gotten a bit out of hand lately.
With firefox 3.0 it was possible to use the
Windows Group Policy Editor to globally disable
the creation of Zone.Identifiers by setting
"Do not preserve zone information in file attachments" to TRUE.
But Firefox 3.5 DOES NOT honor the abovementioned
Group Policy setting. It simply continues to
add Zone.Identifiers to downloaded files.
And this is a real shame, because the original argument for adding all that stuff to Firefox was
to "strengthen its integration into Windows by following the Windows security settings".
And now FFX 3.5 can't be bothered to follow
Group Policy Editor settings ...
It is high time to strip out all the Zone.idientifier / download manager virus scan /
block downloads / ... code altogether IMHO as
this has caused numerous problems, and, as you
can see, it's getting worse with each Firefox
version ...
looks like it works if all three are set.
though I had to create a new boolean: browser.download.manager.alertOnEXEOpen as it didn't exist (it was a clean install of FF3.5)
It looks like the only option you actually need is browser.download.manager.alertOnEXEOpen, which for some reason controls whether or not Firefox adds the Zone.Identifier stream to the file (any file, not just EXEs).
Thanks for sharing. I'll try it and hopefully I get rid of this bothering warning....
Thanks for the information it very useful for me.
Great post. I usually run my Cell Phone Forum in Firefox and this was bugging me . And now its gone. Thanks again
Yup looks like it.
This has to be one of the best posts on the interwebs.
When I installed Firefox 3.0 I spent hours on finding a solution and this site was the only(!) help I could find.
Now I installed Win7 (and Firefox 3.5.2) and scanWhenDone just wouldn't do the trick. So AGAIN I spent hours searching.. why didn't I return here in the first place? Your last comment (go edit it in your article) solved it.. again :)
Thank you SO much.
That is quite strange actually. If one is operating an online account then it doesn’t mean that he is a computer techie. There might be many people who don’t even know how to install a new browser, so it clearly leaves ‘do it yourself’ kinds of patches for those guys. Obviously on technical grounds, it doesn’t make sense either. Firefox version is also not a problem because it gives the same error in all Firefox versions. To be very frank, it doesn’t look like the software is having any sort of problem.
Thank you for this. Firefox is a great browser, but every so often, unexplained, undocumented, unnecessary features like this somehow sneak in. I'd call it feature creep, but what feature?
It looks like download.manager.skipWinSecurityPolicyChecks isn't in about:config anymore.
Oh my gosh! I have searched for quite a while on how to workaround the "Security Warning" issue. Thank you SO much for sharing this.
Pretty cool post. I just came by your blog and wanted to say that I have really enjoyed browsing your posts.I was wondering this info only.The detail which is provided here is awesome and very useful for me.Thanks for sharing it here...
Thaks you just saved me hours possibly days of time troubleshooting this issue. Thanks again!
wow..great..this is very useful for some beginners like me.
Thanks, very very much!
It was looking the ¿WHY? and HOW to disable this function.
But, here mi question: is there any app or utility to remove this "block" but in all folder?
Because, now, i must unblock: file by file! :(
(sorry my english)
1. Control Panel
2. Admin tools
3. system config
4. tools
5. Disable UAC(Disable User account control)
click launch and reboot, life should be much easier then..
Thanks for putting a long standing problem to rest for me. Fantastic!!
Looks like Firefox 3.6 has returned to working exactly as explained in the article. Took me some searching to find this page, but I am glad I did as this was starting to drive me batty!
In my case I'm just fetching text/plain report data from a Linux intranet server, using Content-Disposition: attachment; filename="foo", and these files, and these files alone, were displaying the security warning, despite being PLAIN TEXT FILES! (Literally, as in the file extension is associated with HKCR\txtfile and everything. Microsoft have never trusted text files. Moreover, exactly how would one contain a digital signature?)
That one setting did fix it, thank goodness!
it works thanks
Very easy steps to get rid of "Security Warning" issue. Nice information for computer user.
Thank goodness there is a clear resolution on this Fire Fox issue! I have been looking everywhere.
Thanks for this article, and thanks TANGER, for your post. THAT was worth all the finding I had to go thru to find this post
Very useful post, thank you and waiting for more
This behavior with Vista is one I still do not understand. What on earth was MS thinking? I mean I get the run in elevated mode for executables, but this never made sense. Thanks for the article.
Until someone suggests a better solution, my workaround for now is simply to automatically press enter *twice* whenever I submit data at the page in question. The first press brings up the warning dialog, but the second press clicks "continue."
Hey thanks for the tips. There's so much crap out there regarding FF and how to speed it up and make it more secure.
It's best for most to stay away from the whole "about:config" within FF
This was a complete pain in the butt. I am glad someone figured it out.
Great Article, thanks tanger for your post also. This is for those users who don't want to be reminded about their downloads. Make sense, for most of the downloadable content have their own built-in scanning software to detect viruses prior the download and it will tell you if the item you want is free from virus or not. However, you should be cautious too.
Thanks Brandon.. you the man! :-) The whole 'where did this file come from' seems to be a lot more visible in Win7 i've noticed!
Yeah, it works for me too! This problem has been bugging me for a while and just got round to finding a solution. Glad I found this post!