Bryan Owen

CHM files on the intrinsically unsafe list!

Blog Post created by Bryan Owen on May 7, 2010

Perhaps old news for many of you, but in early March Microsoft Security Research added compiled help files (CHM) to the intrinsically unsafe list.


We paused for a moment to consider ramifications.  How dangerous is F1 anyway - does anyone really use online help? Please don't answer, I'm sure help is right up there with finding answers on Bing.


Well life goes on and next thing I know it was time to download documentation for the Web services beta.  Wouldn't you know that blasted CHM file wouldn't open!  And yes I did use Bing to look for the answer.


It turns out my new, smokin' hot, Windows 2008 R2 machine enforces "Attachment Manager" and blocked the CHM file by default. File blocking has been around since XP, but enforcement had been kind of loose until Vista.  Unblocking is pretty simple: just right-click for file properties and select Unblock.


Looking into how "Blocked File Protection Control" works is worth additional commentary. The system doesn't mess with security ACLs; instead the alternate data stream feature of NTFS is used to tag downloads (and other file receipt mechanisms) with zone information.


Most of the web discussions center on how to delete the streams and set Attachment Manager policy using group policy. The Sysinternals 'streams' utility is a simple answer if you need to unblock a batch of files (for instance, if a zip file gets tagged, the container's zone will propagate to all extracted files).  PowerShell scripts to test for and remove a zone stream are also available.
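As an added example (not from the original post), the script below reads the Zone.Identifier stream Attachment Manager checks, reports the zone of each tagged file under a folder, and then unblocks a single file the way the Properties > Unblock button does. It assumes PowerShell 3.0 or later (the -Stream parameters and Unblock-File) and an NTFS volume; the tagged .chm file is constructed by the script itself.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0 or later
# (the -Stream parameters and Unblock-File); run on an NTFS volume.

# ZoneId values written into the Zone.Identifier stream (URL security zones).
$ZoneNames = @{
    0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
    3 = 'Internet';      4 = 'Restricted Sites'
}

function Get-ZoneTag {
    # Report the zone a file was tagged with, or $null when it carries no Zone.Identifier stream.
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier'
    $tag = [ordered]@{ Path = $Path; ZoneId = $null; ZoneName = 'Unknown'; HostUrl = $null }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') {
            $tag.ZoneId = [int]$Matches[1]
            if ($ZoneNames.ContainsKey($tag.ZoneId)) { $tag.ZoneName = $ZoneNames[$tag.ZoneId] }
        } elseif ($line -match '^HostUrl=(.+)$') {
            # Newer Windows versions also record where the file was downloaded from.
            $tag.HostUrl = $Matches[1]
        }
    }
    [pscustomobject]$tag
}

# Constructed demo file: an empty .chm tagged as if it had been saved from the Internet zone.
$demo = Join-Path $env:TEMP 'demo-help.chm'
Set-Content -LiteralPath $demo -Value ''
Set-Content -LiteralPath $demo -Stream 'Zone.Identifier' -Value @('[ZoneTransfer]', 'ZoneId=3')

# Audit first: list every tagged .chm under the folder with its zone, rather than stripping blindly.
Get-ChildItem -LiteralPath $env:TEMP -File -Filter '*.chm' |
    ForEach-Object { Get-ZoneTag -Path $_.FullName } |
    Where-Object { $_ } |
    Format-Table Path, ZoneId, ZoneName, HostUrl -AutoSize

# Unblock only the file whose source you have checked; this removes the Zone.Identifier stream.
Unblock-File -LiteralPath $demo
if (-not (Get-ZoneTag -Path $demo)) { "Zone.Identifier stream removed from $demo" }
Remove-Item -LiteralPath $demo
```

Pointing Get-ChildItem at an extraction folder shows the propagation described above: every file unpacked from a tagged zip reports the container's zone.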


Of course manually unblocking a download every now and then is no big deal.  In fact, I kind of like the idea of an explicit permission step before allowing downloaded files to execute, especially on a server. While Attachment Manager policies can easily be disabled or relaxed, it's our intent to NOT weaken security defaults on the platforms we support.