An .iso file downloaded from the Internet (thus with a Zone.Identifier ADS) opened in Windows 10 will not propagate this “mark-of-the-web” to the contained files.
Here is an example with file demo.iso, marked as downloaded from the Internet:
When this file is opened (double-clicked), it is mounted as a drive (E: in this example), and we see the content (a Word document: demo.docx):
This file is not marked as downloaded from the Internet:
Word does not open it in Protected View:
[…] He shows how Zone Identifiers are not transferred to files contained within ISO files. So when you download a file off the internet, the ISO will get the ZoneID, but the files inside do not .ISO Files With Zone.Identifier […]
Pingback by Week 29 – 2017 – This Week In 4n6 — Sunday 23 July 2017 @ 11:07
[…] Blog posts: Quickpost: Analyzing .ISO Files Containing Malware, .ISO Files With Zone.Identifier, […]
Pingback by .ISO Files With Zone.Identifier – Didier Stevens Videos — Sunday 30 July 2017 @ 10:26
[…] Blog posts: Quickpost: Analyzing .ISO Files Containing Malware, .ISO Files With Zone.Identifier […]
Pingback by .ISO Files & autorun.inf – Didier Stevens Videos — Sunday 30 July 2017 @ 10:28
[…] Stevens posted a few times about analysing malicious ISO files and a reminder that ZoneIdentifier’s don’t follow […]
Pingback by This Month In 4n6 – July – 2017 – This Week In 4n6 — Monday 31 July 2017 @ 13:55
[…] .ISO Files With Zone.Identifier […]
Pingback by Overview of Content Published In July | Didier Stevens — Tuesday 1 August 2017 @ 21:52
[…] Blog posts: Quickpost: Analyzing .ISO Files Containing Malware, .ISO Files With Zone.Identifier […]
Pingback by .ZIP Files With Zone.Identifier – Didier Stevens Videos — Thursday 10 August 2017 @ 20:03
[…] regularly want to test the behavior of applications opening files downloaded from the […]
Pingback by zoneidentifier.exe | Didier Stevens — Wednesday 25 December 2019 @ 13:52