Didier Stevens

Tuesday 18 July 2017

.ISO Files With Zone.Identifier

Filed under: maldoc,Malware — Didier Stevens @ 22:20

An .iso file downloaded from the Internet (thus with a Zone.Identifier ADS) opened in Windows 10 will not propagate this “mark-of-the-web” to the contained files.

Here is an example with file demo.iso, marked as downloaded from the Internet:

When this file is opened (double-clicked), it is mounted as a drive (E: in this example), and we see the content (a Word document: demo.docx):

This file is not marked as downloaded from the Internet:

Word does not open it in Protected View:

6 Comments »

  1. […] He shows how Zone Identifiers are not transferred to files contained within ISO files. So when you download a file off the internet, the ISO will get the ZoneID, but the files inside do not .ISO Files With Zone.Identifier […]

    Pingback by Week 29 – 2017 – This Week In 4n6 — Sunday 23 July 2017 @ 11:07

  2. […] Blog posts: Quickpost: Analyzing .ISO Files Containing Malware, .ISO Files With Zone.Identifier, […]

    Pingback by .ISO Files With Zone.Identifier – Didier Stevens Videos — Sunday 30 July 2017 @ 10:26

  3. […] Blog posts: Quickpost: Analyzing .ISO Files Containing Malware, .ISO Files With Zone.Identifier […]

    Pingback by .ISO Files & autorun.inf – Didier Stevens Videos — Sunday 30 July 2017 @ 10:28

  4. […] Stevens posted a few times about analysing malicious ISO files and a reminder that ZoneIdentifier’s don’t follow […]

    Pingback by This Month In 4n6 – July – 2017 – This Week In 4n6 — Monday 31 July 2017 @ 13:55

  5. […] .ISO Files With Zone.Identifier […]

    Pingback by Overview of Content Published In July | Didier Stevens — Tuesday 1 August 2017 @ 21:52

  6. […] Blog posts: Quickpost: Analyzing .ISO Files Containing Malware, .ISO Files With Zone.Identifier […]

    Pingback by .ZIP Files With Zone.Identifier – Didier Stevens Videos — Thursday 10 August 2017 @ 20:03


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: