19.7.4.1 ensure do not preserve zone information in file attachments is set to disabled
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch? Show CONTROL TYPE SUPPORTING AND SUPPORTED CONTROLSThis Control directly supports the implied Control(s):
There are no implementation support Controls. SELECTED AUTHORITY DOCUMENTS COMPLIED WITHThis article describes Attachment Manager in Windows. This article includes the methods to configure Attachment Manager and the workarounds for two issue with Attachment Manager. IntroductionThe Attachment Manager is included in Microsoft Windows to help protect your computer from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet. Workarounds when you cannot download a file or a programMany people encounter issues when they try to download a file or a program from the Internet. This could be caused by a number of reasons. Here we provide two general solutions for you to try if you are getting an error that your download is blocked, or if you get "virus scan failed" or "virus detected" messages. You cannot download any file if the "File download" option is disabled in the Internet security settings. Follow these steps to check the Internet security settings:
You may receive a "Virus scan failed" or "Virus detected" error message when you try to open or save a file or a program from Internet. In most cases, it is not caused by the Windows operating system, but by the antivirus software. If you are certain that the source you are trying to open is safe and trusted, try the following workaround to disable the virus scanning temporarily, and then enable the virus scanning immediately after you complete downloading the program or file. You have to be very cautious about using this workaround. Otherwise, you may be exposed to virus attacks.
Note We suggest you change the value of ScanWithAntiVirus subkey to 3 to enable the virus scan right after you completely open or save the program or file. Configuring the Attachment ManagerThere are several features of the Attachment Manager that can be configured by using Group Policy or the local registry. This policy setting lets you manage the default risk level for file types. To fully customize the risk level for file attachments, you may also have to configure the trust logic for file attachments:
If you enable this policy setting, you can specify the default risk level for file types. If you disable this policy setting, Windows sets the default risk level to moderate. If you do not configure this policy setting, Windows sets the default risk level to moderate. Group Policy Registry Subkey Registry Entry Entry Value User Configuration\Administrative Templates\Windows Components\Attachment Manager HKEY_CURRENT_USER\ Software\Microsoft\Windows\CurrentVersion\Policies\Associations DefaultFileTypeRisk High (6150) Note The default value of the DefaultFileTypeRisk registry entry is Moderate (6151). This policy setting lets you manage whether Windows marks file attachments that have information about their zone of origin. These zones or origin are Internet, intranet, and local. This policy setting requires the NTFS file system to function correctly and will fail without notice on systems that use FAT32. By not preserving the zone information, Windows cannot make appropriate risks assessments. If you enable this policy setting, Windows does not mark file attachments by using their zone information. If you disable this policy setting, Windows marks file attachments by using their zone information. If you do not configure this policy setting, Windows marks file attachments by using their zone information. Group Policy Registry Subkey Registry Entry Entry Value User Configuration\Administrative Templates\Windows Components\Attachment Manager HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments SaveZoneInformation
Note The default value of the DefaultFileTypeRisk registry entry is Off (2). Hide mechanisms to remove zone informationThis policy setting lets you manage whether users can manually remove the zone information from saved file attachments by clicking Group Policy Registry Subkey Registry Entry Entry Value User Configuration\Administrative Templates\Windows Components\Attachment Manager HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments HideZoneInfoOnProperties
Note The default value of the DefaultFileTypeRisk registry entry is Off (0). These policy settings let you configure the list of low, moderate, and high risk file types. The High list takes precedence over the Moderate and Low risk inclusion lists. Also, an extension is listed in more than one inclusion list. If you enable this policy setting you can create a custom list of low, moderate, and high risk file types. If you disable this policy setting, Windows uses its built in list of file types. If you do not configure this policy setting, Windows uses its built in list of file types. Group Policy Registry Subkey Registry Entry Entry Value User Configuration\Administrative Templates\Windows Components\Attachment Manager HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations HighRiskFileTypes This policy setting lets you configure the logic that Windows uses to determine the risk for file attachments. Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, it instructs Windows to trust Notepad.exe, but do not trust .txt files. Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation. This causes users to see more trust prompts than selecting the other options. If you enable this policy setting, you can select the order in which Windows processes risk assessment data. If you disable this policy, Windows uses its default trust logic which prefers the file handler over the file type. Group Policy Registry Subkey Registry Entry Entry Value User Configuration\Administrative Templates\Windows Components\Attachment Manager HKEY_CURRENT_USER\ Software\Microsoft\Windows\CurrentVersion\Policies\Attachments UseTrustedHandlers
Note The default value of the DefaultFileTypeRisk registry entry is Handler (2). This policy setting lets you manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer’s e-mail server, additional calls would be redundant. If you enable this policy, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. If you disable this policy, Windows does not call the registered antivirus programs when file attachments are opened. If you do not configure this policy, Windows does not call the registered antivirus programs when file attachments are opened. Group Policy Registry Subkey Registry Entry Entry Value User Configuration\Administrative Templates\Windows Components\Attachment Manager HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments ScanWithAntiVirus
Note The default value of the DefaultFileTypeRisk registry entry is Off (1). When the value is set to Optional (2), all scanners are called even after one reports a detection. 182569 Internet Explorer security zones registry entries for advanced users More InformationThe following determine whether you are prevented from opening the file or whether you are warned before you open the file:
The Attachment Manager uses the IAttachmentExecute application programming interface (API) to find the file type, to find the file association, and to determine the most appropriate action.
High-risk file typesWhen you try to download or open a file from a Web site that is in the restricted Web content zone, you may receive a message that indicates that the file is blocked.
Medium-risk file typesFile types that the Attachment Manager does not label as high risk or low risk are automatically labeled as medium risk. Low-risk file typesThe Attachment Manager labels the following file types as low risk only when you open them by using Notepad. If you associate another program with this file type, the file type is no longer considered low risk.
The Attachment Manager labels the following file types as low risk only when you open the file by using the Microsoft Windows Picture and Fax Viewer:
Note Associating a file type with Notepad or with the Windows Picture and Fax Viewer does not add that file type to the list of low-risk file types. |