Difference between revisions of "Mark of the Web"

From MgmtWiki
Revision as of 13:03, 14 March 2023

Full Title

Context

Files from the Internet or similar sources could contain malware. Therefore, Microsoft introduced a security mechanism years ago whereby such files are marked with a Mark of the Web (MotW) flag. Windows can display a security warning before opening or running an executable file that has the MotW flag set.

Windows

Since Windows Vista, files downloaded from the web onto an NTFS volume carry an Alternate Data Stream named Zone.Identifier; this stream is what is considered to be the MotW.

  • The following shows, as displayed in PowerShell, the streams of a file downloaded from the web (note the Zone.Identifier and SmartScreen streams alongside the main $DATA stream).
get-item ZoomInfoContactContributor.exe -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads
PSChildName   : ZoomInfoContactContributor.exe::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe
Stream        : :$DATA
Length        : 265600

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe:SmartScreen
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads
PSChildName   : ZoomInfoContactContributor.exe:SmartScreen
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe
Stream        : SmartScreen
Length        : 7

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe:Zone.Identifier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads
PSChildName   : ZoomInfoContactContributor.exe:Zone.Identifier
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe
Stream        : Zone.Identifier
Length        : 201
  • The following shows the contents of the Zone.Identifier stream (i.e. the Mark of the Web itself):
Get-Item * | Get-Content -Stream Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://vscode.dev/
HostUrl=https://vscode.dev/
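The Zone.Identifier stream shown above is a small INI-style block; as an added example (not code from the wiki page), the Python below parses it, maps the ZoneId to the Windows URL security zone it denotes, and treats a missing or malformed stream as "no MotW". The read_motw helper assumes it runs on Windows, where opening "file:Zone.Identifier" reads the alternate data stream directly; the sample text is constructed to match the stream on this page.

```python
"""Parse the Zone.Identifier alternate data stream (Mark of the Web)."""
import configparser
from dataclasses import dataclass
from typing import Optional

# URL security zone ids used by Windows (urlmon URLZONE_* values).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown ({self.zone_id})")

    @property
    def from_internet(self) -> bool:
        # Zones 3 (Internet) and 4 (Restricted) are the ones the warning is about.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[MarkOfTheWeb]:
    """Parse the [ZoneTransfer] block; return None when no usable MotW is present."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.optionxform = str  # keep key case (ZoneId, HostUrl) as written in the stream
    try:
        cp.read_string(text)
    except configparser.Error:  # garbage or duplicate keys: treat as unmarked
        return None
    if "ZoneTransfer" not in cp or "ZoneId" not in cp["ZoneTransfer"]:
        return None
    zt = cp["ZoneTransfer"]
    try:
        zone_id = int(zt["ZoneId"])
    except ValueError:
        return None
    return MarkOfTheWeb(zone_id, zt.get("ReferrerUrl"), zt.get("HostUrl"))


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the MotW from NTFS; the `file:stream` syntax opens an ADS on Windows (assumed)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:  # no such stream: file not marked, or not on NTFS
        return None


# Constructed sample mirroring the Zone.Identifier stream shown on this page.
SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://vscode.dev/\r\nHostUrl=https://vscode.dev/\r\n"
```

Running parse_zone_identifier(SAMPLE) yields zone 3 ("Internet") with both URLs, which is exactly the case in which Windows shows the security warning before launching the file.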

Mac OS X

Since Mac OS X Leopard, applications that download files from the web have had the ability to mark files as being 'quarantined' [1]. A file being quarantined just means that you haven't yet approved the file. In Snow Leopard, this feature was enhanced to protect users against known malware such as Mac Defender. OS X stores quarantine information in extended file attributes [2]. Specifically, these are the relevant extended attributes:

  • com.apple.metadata. This isn't specific to quarantining files, but it does appear to be used for the other information included in the quarantine prompt. This attribute contains two key-value pairs: kMDItemDownloadedDate (a date/time) and kMDItemWhereFroms (which contains two URLs: the direct download URL, and the download page URL). The kMDItemWhereFroms attribute also shows its data in the Get Info window in the Finder.
  • com.apple.quarantine. This attribute contains the application's name that downloaded the file, the current quarantine status, among other things (presumably).

You can view a list of all extended attributes on a file by using the xattr shell command. Grab a DMG you have lying around, open the Terminal, and execute xattr -l path/to/file.dmg. You'll see something like this containing the extended attributes used for quarantining, as well as a couple of others:

On the developer side of things, to enable file quarantine for files downloaded through your application, simply set LSFileQuarantineEnabled to true in your Info.plist.

  1. http://support.apple.com/kb/HT3662
  2. http://en.wikipedia.org/wiki/Extended_file_attributes#Mac_OS_X

Problems

References