Mark of the Web

From MgmtWiki

Full Title

The Mark of the Web (MoTW) is a security feature first added to Microsoft Windows that marks files downloaded from the internet as potentially unsafe. It helps protect users by restricting certain actions on these files, such as running macros in Microsoft Office or executing scripts without warning.

Context

Files from the Internet or similar sources could contain malware. Therefore, Microsoft came up with a security mechanism years ago where these files are marked with a Mark of the Web (MOTW) flag. Windows can display a security warning before opening and starting an executable file with a MotW flag set.

Windows

Since Windows Vista, files downloaded from the web onto an NTFS volume carry an Alternate Data Stream named Zone.Identifier, which is what is considered to be the MotW.

  • The following PowerShell example lists all the streams of a file downloaded from the web.
get-item ZoomInfoContactContributor.exe -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads
PSChildName   : ZoomInfoContactContributor.exe::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe
Stream        : :$DATA
Length        : 265600

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe:SmartScreen
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads
PSChildName   : ZoomInfoContactContributor.exe:SmartScreen
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe
Stream        : SmartScreen
Length        : 7

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe:Zone.Identifier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\rp_to\Downloads
PSChildName   : ZoomInfoContactContributor.exe:Zone.Identifier
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\rp_to\Downloads\ZoomInfoContactContributor.exe
Stream        : Zone.Identifier
Length        : 201
  • The following shows the contents of a Zone.Identifier stream (aka the Mark of the Web):
Get-Item * | Get-Content -Stream Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://vscode.dev/
HostUrl=https://vscode.dev/
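As an added example (not code from the MgmtWiki page), the following Python parses the [ZoneTransfer] text shown above the way a forensic or endpoint tool would: it maps the ZoneId to its Windows URL security zone name and reports whether the file counts as marked. The zone table, the SAMPLE string and the read_motw helper, which assumes the NTFS "file:stream" path syntax on Windows, are additions not stated on the page.

```python
"""Parse the [ZoneTransfer] section of a Zone.Identifier alternate data stream.
Constructed example, not code from the MgmtWiki page. Zone names are the Windows
URL security zone IDs (URLZONE_*); zones 3 and 4 mean 'came from the web'."""
import configparser
from dataclasses import dataclass
from typing import Optional

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

@dataclass
class ZoneTransfer:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, "Unknown")

    @property
    def is_marked(self) -> bool:
        # SmartScreen and Office Protected View key off ZoneId 3 or 4.
        return self.zone_id is not None and self.zone_id >= 3

def parse_zone_identifier(text: str) -> ZoneTransfer:
    """Parse stream contents; tolerate missing keys and a non-numeric ZoneId."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True)
    cp.optionxform = str  # keep key case exactly as written in the stream
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section: not a Zone.Identifier stream")
    sec = cp["ZoneTransfer"]
    try:
        zone_id: Optional[int] = int(sec.get("ZoneId") or "")
    except ValueError:
        zone_id = None
    return ZoneTransfer(zone_id, sec.get("ReferrerUrl"), sec.get("HostUrl"))

def read_motw(path: str) -> Optional[ZoneTransfer]:
    """Read a file's Zone.Identifier ADS (NTFS 'file:stream' syntax, Windows only)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:  # no such stream: the mark was never set or has been stripped
        return None

# Constructed sample mirroring the stream contents shown on this page.
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "ReferrerUrl=https://vscode.dev/\r\nHostUrl=https://vscode.dev/\r\n")
```

A file that read_motw reports as None while sitting in a Downloads folder is worth a second look, since that is exactly what a FAT round trip or an extracted archive leaves behind.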

Mac OS X

Since Mac OS X Leopard, applications that download files from the web have had the ability to mark files as being 'quarantined' [1]. A file being quarantined just means that you haven't yet approved the file. In Snow Leopard, this feature was enhanced to protect users against known malware such as Mac Defender. OS X stores quarantine information in extended file attributes [2]. Specifically, these are the relevant extended attributes:

  • com.apple.metadata. This isn't specific to quarantining files, but it does appear to be used for the other information included in the quarantine prompt. This attribute contains two key-value pairs: kMDItemDownloadedDate (a date/time) and kMDItemWhereFroms (which contains two URLs: the direct download URL, and the download page URL). The kMDItemWhereFroms attribute also shows its data in the Get Info window in the Finder.
  • com.apple.quarantine. This attribute contains the application's name that downloaded the file, the current quarantine status, among other things (presumably).

You can view a list of all extended attributes on a file by using the xattr shell command. Grab a DMG you have lying around, open the Terminal, and execute xattr -l path/to/file.dmg. You'll see something like this containing the extended attributes used for quarantining, as well as a couple of others:

On the developer side of things, to enable file quarantine for files downloaded through your application, simply set LSFileQuarantineEnabled to true in your Info.plist.

  1. http://support.apple.com/kb/HT3662
  2. http://en.wikipedia.org/wiki/Extended_file_attributes#Mac_OS_X

Problems

Unlike Mandatory Access Control (MAC), the Mark of the Web is an ordinary, user-accessible object in the file system. It is easy to remove by moving the file to a FAT volume (which cannot store alternate data streams) and then back to a directory on a file system that supports multiple streams.

Cyber attackers sometimes attempt to bypass MoTW to execute malicious files without triggering security warnings. Techniques include:

  • Using ISO files instead of ZIPs, as ISOs can evade MoTW restrictions.
  • Embedding files in archives that strip MoTW metadata upon extraction.
  • Manipulating alternate data streams to remove the security flag.

Solutions

References