Zone.identifier in files during scan

Hi everyone,
When I run a Bitdefender scan, some files show "zone.identifier" after the file's name when being scanned.
This zone.identifier shows mostly on jpg files or video files, for example filename.jpgzone.identifier or filename.mp4zone.identifier.
This only shows while the files are being scanned, and it is only added to some jpg or video files but not all.
What is "zone.identifier" on files while Bitdefender is running a scan? Is this a privacy concern?
Best Answers
-
:Zone.identifier is a suffix used in alternate data streams, specifically, in this case, URL Security Zones (a data zone associated with NTFS; think of it as some kind of metadata). Usually browsers add this to indicate the source of the file. It is an assessment used by Windows to evaluate the risk of a file. A list of the registry entries for risks is here.
About :mshield, I cannot find clear documentation about who sets this. It can be legitimate, but frankly I cannot say. I suppose the scan process does not flag such files, but I will ask the antimalware team anyways about this.
1 -
AFAIK Zone.Identifier usually contains 3 fields:
ZoneID
a number between 0 and 4:
0 My computer (local files). Equivalent of what was known as Local Machine Zone in legacy Internet Explorer.
1 Intranet. Similar to Local Intranet Zone.
2 Trusted sites. Similar to Trusted Internet Zone.
3 Internet. Similar to Internet Zone. Means "does not belong to another zone".
4 Untrusted (e.g. flagged as a risk by Microsoft SmartScreen, for example an unsigned executable file). Bears some similarities to Restricted Sites Zone, but it is obviously not the same (one uses SmartScreen, the other the defined untrusted settings of Internet Explorer).
ReferrerURL
website from where a file has been downloaded, if applicable
HostURL
direct download link, if applicable (the website, for example, might be www.somereviewwebsite.com and the download URL might be www.producer.com/exefile)
From what I read, not all browsers (usually, since one can download files using scripts, PowerShell, cURL etc.) set all the files; it depends on whether private browsing mode is ON and on the registry settings of the local system.
More details can be found here:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/6e3f7352-d11c-4d76-8c39-2516a9df36e8
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85)?redirectedfrom=MSDN
For comparison, the legacy registry definition of Internet Explorer zones:
https://superuser.com/questions/414097/how-to-view-all-ie-trusted-sites-when-security-settings-are-managed
Now, I have not worked extremely thoroughly with alternate stream zones, so if someone else knows more than me, they are more than welcome to add, complete or even correct what I said.
1 -
I don't have a good tool to recommend now, but one can use the more command from the command line.
Example usage from command line (on one of my downloaded files):
$ more < 11-13-1007-00-00ac-sb2-resolutions-cids-11010-11024-11025-11026.docx:Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.google.com/
HostUrl=https://mentor.ieee.org/802.11/dcn/13/11-13-1007-00-00ac-sb2-resolutions-cids-11010-11024-11025-11026.docx

The file 11-13-1007-00-00ac-sb2-resolutions-cids-11010-11024-11025-11026.docx was referred via a Google search (ReferrerUrl) and its download link is HostUrl. Its ZoneId is 3, meaning Internet.
1
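The same stream read programmatically, as an added example that is not part of the original posts: a Python script that parses the [ZoneTransfer] text shown in the `more` output above and reports every field the stream holds, which is a direct way to check what a downloaded file records about its origin. The function names are hypothetical, the zone labels are the ones listed in the answer above, and opening `path:Zone.Identifier` with open() assumes Windows and an NTFS volume.

```python
import sys

# Zone labels as listed in the answer above.
ZONES = {0: "My computer", 1: "Intranet", 2: "Trusted sites",
         3: "Internet", 4: "Untrusted"}
KNOWN = ("zoneid", "referrerurl", "hosturl")

# Stream content copied from the `more` output in the answer above.
SAMPLE = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://www.google.com/\n"
    "HostUrl=https://mentor.ieee.org/802.11/dcn/13/"
    "11-13-1007-00-00ac-sb2-resolutions-cids-11010-11024-11025-11026.docx\n"
)


def parse_zone_identifier(text):
    """Parse the text of a Zone.Identifier stream into a dict of its fields."""
    fields, in_section = {}, False
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only keys under [ZoneTransfer] are taken into account.
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    raw = fields.get("zoneid", "")
    zone_id = int(raw) if raw.isascii() and raw.isdigit() else None
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "unknown"),
        "referrer_url": fields.get("referrerurl"),
        "host_url": fields.get("hosturl"),
        # Any further keys the writer stored, so nothing in the stream goes unseen.
        "other": {k: v for k, v in fields.items() if k not in KNOWN},
    }


def read_zone_identifier(path):
    """Read path:Zone.Identifier (assumes Windows + NTFS); None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(parse_zone_identifier(SAMPLE))
    for path in sys.argv[1:]:
        print(path, read_zone_identifier(path))
```

Run without arguments it parses the embedded sample; given file paths on an NTFS volume it prints each file's stream fields, or None for files that carry no Zone.Identifier stream.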
Answers
-
0
-
Hi,
What is mshield that appeared after some jpg files during scan?
0 -
Hi @camarie
When you say source of the file, do you mean the website URL or which browser was used? What metadata does this contain exactly?
Does it contain personal information like the account used or IP address? For example, if you download a file from social media while you're logged in to your account, is this information added to the file then?
0 -
I have never heard of information relating to IP address, social media or similar (although someone having ReferrerUrl and HostUrl can quickly get information about the file, but not about the location from where the download was initiated - this is recorded on the server side, but not in the local NTFS streams).
1