Firefox's "typical virus behavior"

A folder (with everything inside it) is in the “Protected files\folders” list. A *.zip file is saved from a web page to that folder with the help of the default download manager of Firefox.
There are a number of D+ alerts, with the last one shown on the attached screenshot.

How to understand this ???

[attachment deleted by admin]

I got that warning for Adobe Digital Editions 1.6 (it’s now 1.7.1).

[attachment deleted by admin]

Zone.Identifier doesn’t appear to be a malicious behaviour.

AFAIK it ought to be related to File Download Security Warning layer.

Just in case please confirm its content using Stream Explorer 1.0.3

If the destination folder in Protected Files/Folder features a trailing * (eg: C:\Users\user\Download\*) maybe the ADS are enabled as well triggering the alert.

Adding Zone.Identifier to Firefox Allow list (eg: C:\Users\user\Download\*:Zone.Identifier) could be a workaround though maybe developer should look at this scenario to eventually confirm the color coded rating for Zone.Identifier ADS.

CIS has been able to trap ADS for a long time now. Did the same ruleset/protected folder config trigger those ADS alerts with previous Firefox and/or CIS versions?

Thanks :-TU :-TU

> Just in case please confirm its content using Stream Explorer 1.0.3

Would be no problem if there were a portable version of it, otherwise no.

> If the destination folder in Protected Files/Folder features a trailing * (eg: C:\Users\user\Download\*)...

It is my case.

> Did the same ruleset/protected folder config trigger those ADS alerts with previous Firefox and/or CIS versions?

Not sure. Don't remember I saw this before :-\

PS. Seems like blocking that alert does not invalidate in some way or another downloaded file (MD5 hash sum check).

There should be a number of applications able to display Alternate Data Streams or export them to a file.

ADS are special files so the hash of a visible file linked to a hidden ADS won’t change.

Windows NTFS Alternate Data Streams -Security focus article
Hidden Threat: Alternate Data Streams
NTFS Multiple Data Streams

Removing Security from Downloaded PowerShell Scripts with Alternative Data Streams
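
Added example, not part of the original thread: a PowerShell sketch that reads a file's Zone.Identifier stream with the built-in `-Stream` parameter and compares the MD5 of the visible file before and after the stream is written. The function name `Get-DownloadZone`, the file name and the stream content are constructed for illustration; it needs an NTFS volume.

```powershell
# Report the zone recorded in a file's Zone.Identifier ADS, if any.
# Get-DownloadZone is a hypothetical helper name, not a built-in cmdlet.
function Get-DownloadZone {
    param([Parameter(Mandatory)][string]$Path)
    # URL security zone numbers as used in the ZoneId entry.
    $zones = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';      4 = 'Restricted Sites' }
    # A file without the stream (e.g. the write was blocked) raises an error; silence it.
    $ads = Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $ads) { return 'no Zone.Identifier stream' }
    $m = $ads | Select-String -Pattern '^\s*ZoneId\s*=\s*(\d+)\s*$' | Select-Object -First 1
    if (-not $m) { return 'stream present, no ZoneId entry' }
    $id = [int]$m.Matches[0].Groups[1].Value
    if ($zones.ContainsKey($id)) { "ZoneId=$id ($($zones[$id]))" } else { "ZoneId=$id (unknown zone)" }
}

# Constructed sample file standing in for a downloaded archive.
$file = Join-Path $env:TEMP 'ads-demo.zip'
Set-Content -Path $file -Value 'constructed sample payload' -Encoding Ascii

$before = (Get-FileHash -Path $file -Algorithm MD5).Hash
Get-DownloadZone -Path $file          # stream not written yet

# Constructed stream content in the [ZoneTransfer] format (ZoneId 3 = Internet).
Set-Content -Path $file -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# List all streams: ':$DATA' is the visible content, anything else is an ADS.
Get-Item -Path $file -Stream * | Select-Object Stream, Length
Get-DownloadZone -Path $file

# The hash covers only the main data stream, so it is the same with or without the ADS.
$after = (Get-FileHash -Path $file -Algorithm MD5).Hash
"MD5 unchanged after adding the ADS: $($before -eq $after)"

Remove-Item -Path $file
```

Run against a real download, `Get-DownloadZone` returns `no Zone.Identifier stream` when a rule has blocked the stream write.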

Wow. That’s a lot of stuff to learn :o Thanks :slight_smile:

Done quite the opposite. Added “C:\Users\user\docs\*” to allowed exception list of Protected files\folders of firefox.exe. Added “C:\Users\user\docs\*:Zone.Identifier” to blocked exception list. Result: everything is allowed :cry:

Maybe it is time to make Comodo’s allow\deny rules (exceptions in this case) according to model by which deny rules have higher priority (e.g. implementation of NTFS DACLs) :-\

Indeed ATM the precedence for each access right is:

1. Allowed Exception
2. Blocked Exceptions
3. Default Action

A way to harness the most out of D+ would be a good thing though it would make for more complex rulesets and GUI (Something appears to stir many KISS abiding critics)
In some cases existing Access rights are even re-purposed (DLL: execution, Clipboard logging: Keyboard) whereas in others there is no way to make a distinction (read/write/delete)

I guess adding only “C:\Users\user\docs\*:Zone.Identifier” to blocked exception list would preserve other file alerts as well.
Though allowing Zone.Identifier alone would enforce another windows security layer (Downloaded file Zone warning) while preserving other file alerts for that protected path

Desired result for me was: suppress (silently allow) all alerts except for Zone.Identifier (silently block this single alert).

Then probably using an unprotected folder and a block rule based on a wildcarded Zone.Identifier in Protected files\folders settings could yield such outcome.

Eventually blocking Zone.Identifier in All application policy is an option as well or maybe using a wildcarded policy matching part of firefox.exe path (which should allow to control rule priority sorting their relative order)

I wanted that folder to be under protected group to trigger alerts for all apps (except some “trusted”).

> Eventually blocking Zone.Identifier in All application policy is an option as well or maybe using a wildcarded policy matching part of firefox.exe path (which should allow to control rule priority sorting their relative order)

Didn't touch "All applications" policy. Added new group (under protected files UI dialog) named "Wildcarded Firefox" and added one unit there: "%programfiles%\mozilla firefox\firef?x.exe". This was done because Computer Security policy (CSP) does not allow to modify path to app or add wildcarded path :-\ Then added group "Wildcarded Firefox" to CSP, placed it before (closer to top of the list) firefox.exe. For "Wildcarded Firefox" everything is set to ask with only one block exception for "protected files" unit: "C:\Users\user\docs\*:Zone.Identifier". For firefox.exe usual permissions with some allow exceptions for "protected files" unit, including: "C:\Users\user\docs\*".

Result is achieved: everything is allowed silently, except Zone.Identifier (which is blocked silently, judging by the D+ log).
Thanks :-TU