Zone.identifier in files during scan

Hi everyone,

When I run a bitdefender scan some files show "zone.identifier" after the files name when being scanned.

This zone.identifier shows mostly on jpg files or video files for example filename.jpgzone.identifier or filename.mp4zone.identifier.

This only shows during the files being scanned and this is only added to some jpg or video files but not all.

What is "zone.identifier" on files while bitdefender is running a scan? Is this a privacy concern?

Find more posts tagged with

Virus Scanner

privacy

Accepted answers

camarie

:Zone.identifier is a suffix used in alternate data streams, specifically, in this case, URL Security Zones (data zone associated to NTFS, think it as a some kind of metadata). Usually the browsers are adding this to indicate the source of the file. It is an assessment used by Windows to evaluate the risk of a file. A list of the registry entries for risks is here.

About :mshield I cannot find a clear documentation about who set this. It can be legitimate, but frankly I cannot say. I suppose the scan process does not flag such files, but I will ask the antimalware team anyways about this.

camarie

AFAIK Zone.Identifier usually contains 3 fields:

ZoneID number between 0 and 4:

0 My computer (local files). Equivalent of what was known as Local Machine Zone in legacy Internet Explorer.

1 Intranet. Similar with Local Intranet Zone.

2 Trusted sites. Similar with Trusted Internet Zone.

3 Internet. Similar with Internet Zone. Means "do not belong to other zone"

4 Untrusted (ex. flagged as risk by Microsoft Smart Screen, for example an unsigned executable file). Bear some similarilities with Restricted Sites Zone, but it is obviously not the same (one uses Smart Screen, the otehr the defined untrusted settings of Internet Explorer).

ReferrerURL
website from where a file has been downloaded, if applicable

HostURL
direct download link, if applicable (the website, for example, might be www.somereviewwebsite.com and the download url might be www.producer.com/exefile)

From what I read, not all browsers (usually, since one can download files using scripts, powershell, cURL etc.) set all the files, depends if private browsing mode is ON, the registry setting of the local system.

More details can be found here:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/6e3f7352-d11c-4d76-8c39-2516a9df36e8
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85)?redirectedfrom=MSDN

For comparison, the legacy registry definition of Internet Explorer zones:
https://superuser.com/questions/414097/how-to-view-all-ie-trusted-sites-when-security-settings-are-managed

Now I did not extremely thoroughly worked with alternate streams zones, so if someone else knows more than me, it will be more than welcomed to add, complete or even correct what I said.

camarie

I don't have a good tool to recommend now, but one can use the more command from the command line.

Example usage from command line (on one of my downloaded files):

$ more < 11-13-1007-00-00ac-sb2-resolutions-cids-11010-11024-11025-11026.docx:Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.google.com/
HostUrl=https://mentor.ieee.org/802.11/dcn/13/11-13-1007-00-00ac-sb2-resolutions-cids-11010-11024-11025-11026.docx

The file 11-13-1007-00-00ac-sb2-resolutions-cids-11010-11024-11025-11026.docx was referred via a Google search (ReferrerUrl) and its download link is HostUrl. Its ZoneId is 3, meaning Internet.

All comments

Flexx

https://community.bitdefender.com/en/discussion/104016/zone-identifier-in-files-during-scan

@camarie, can you check on this?

Regards

Petersl

Petersl

Hi,

What is mshield that appeared after some jpg files during scan?

camarie

Petersl

https://community.bitdefender.com/en/discussion/comment/353215#Comment_353215

Hi @camarie

When you say source of the file do you mean the website URL or which browser was used? What meta data does this contain exactly?

Does it contain personal information like account used or IP address if you for example download a file from social media and you're logged in to your account, is this information added to the file then?

camarie

AFAIK Zone.Identifier usually contains 3 fields:

ZoneID number between 0 and 4:

0 My computer (local files). Equivalent of what was known as Local Machine Zone in legacy Internet Explorer.

1 Intranet. Similar with Local Intranet Zone.

2 Trusted sites. Similar with Trusted Internet Zone.

3 Internet. Similar with Internet Zone. Means "do not belong to other zone"

For comparison, the legacy registry definition of Internet Explorer zones:
https://superuser.com/questions/414097/how-to-view-all-ie-trusted-sites-when-security-settings-are-managed

Now I did not extremely thoroughly worked with alternate streams zones, so if someone else knows more than me, it will be more than welcomed to add, complete or even correct what I said.

Petersl

https://community.bitdefender.com/en/discussion/comment/353232#Comment_353232

Hi @camarie

Is there a way to check a file to see which security zone is applied and the meta data that's included in it?

camarie

I don't have a good tool to recommend now, but one can use the more command from the command line.

Example usage from command line (on one of my downloaded files):

camarie

https://community.bitdefender.com/en/discussion/comment/353231#Comment_353231

I never heard of informations relating IP address, social media or similar (although one having ReferrerUrl and HostUrl can quickly get the information about the file, but not for the location from where the download has been initiated - this is recorded on the server side, but not on the local NTFS streams).

Petersl

https://community.bitdefender.com/en/discussion/comment/353237#Comment_353237

Hi @camarie

The more command worked to show the meta data.

Thanks for the explanation.