Windows blocks downloaded help file

Started by Dave Gilbert, Wed 09/09/2015 18:54:25

Snarky

Quote from: morganw on Wed 30/09/2015 08:32:19
No, it's not specific to trying to open help from the IDE. It's likely you were already asked to confirm that you wanted to run the IDE itself if the help will not open (it will have the same zone identifier saved in an alternate stream). The difference is you'll be prompted to confirm you really want to run a program you've downloaded (it's handled by the shell, which has a mechanism to ask you), but you aren't prompted when the help viewer tries to open the help file (it's handled by the viewer itself, which just blocks without asking).

Yes, that's what I meant: the problem is specific to trying to open help through the IDE, since it's blocked silently. I think every Windows user is by now familiar with the confirmation dialog that often pops up when you're trying to open a file / launch a program downloaded from the internet; that confirmation is not a problem, even if it has the same root cause, and isn't something we need a Wiki page to explain (though it might be worth mentioning in the context of discussing this problem).

morganw

It would also be blocked if you tried opening it outside of the IDE.
If the wiki page specifically talks about using the alpha builds and tells you to unblock the .chm file if it won't open correctly, that would seem worthwhile. Or perhaps just supply a note with the alpha builds.

Crimson Wizard

Quote from: morganw on Wed 30/09/2015 18:59:02
If the wiki page specifically talks about using the alpha builds and tells you to unblock the .chm file if it won't open correctly, that would seem worthwhile. Or perhaps just supply a note with the alpha builds.
Alpha builds are not the only ones we distribute as ZIP archives; all final releases have an alternate zip download.

morganw

How do you feel about the editor attempting to remove the zone identifier? The click handler for the menu is already checking that the file exists so could it also check for the zone identifier alternate stream and try to remove it? In most cases people are going to extract the file to where they have write access, so the delete should usually succeed.

morganw

It looks like implementing an additional check and warning isn't very much work; you can follow the existing check that the help file is actually there and read the Zone Identifier using .NET.

In HelpCommandsComponent.cs:
Code: CSharp
 using System.Runtime.InteropServices;
 using System.Diagnostics;
+using System.Security;
+using System.Security.Policy;


In the CommandClick function:
Code: CSharp
 else if (!File.Exists(_helpFileName))
 {
     _guiController.ShowMessage("The help file '" + _helpFileName + "' is missing. You may need to reinstall AGS.", MessageBoxIcon.Warning);
 }
+else if (Zone.CreateFromUrl(_helpFileName).SecurityZone != SecurityZone.MyComputer)
+{
+    _guiController.ShowMessage("The help file '" + _helpFileName + "' is restricted by a Zone Identifier.", MessageBoxIcon.Warning);
+}
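
Review bot: The condition on the added `else if` line treats every zone other than `SecurityZone.MyComputer` as blocked, while the text on the added `ShowMessage` line always blames a Zone Identifier and gives the user no way forward. `SecurityZone` also has `Intranet`, `Trusted` and `NoZone` values, so consider testing for the zones you actually mean to warn about, and extend the message to say how to fix the problem, for example by pointing to the "Unblock" button in the file's properties that is mentioned elsewhere in this thread. Because this is another `else if` branch, it is also worth confirming that showing the warning is meant to replace the attempt to open the help file rather than precede it.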


I've tried it out and this doesn't display the warning if you've manually unblocked the file, or if the Zone Identifier isn't present. Maybe the message can be clearer though. Apologies if this isn't the place to be throwing code around.

Crimson Wizard

Quote from: morganw on Thu 01/10/2015 20:38:39
It looks like implementing an additional check and warning isn't very much work; you can follow the existing check that the help file is actually there and read the Zone Identifier using .NET.

Could you post this in the Editor issue tracker?
http://www.adventuregamestudio.co.uk/forums/index.php?project=5

I find it very hard to find suggestions in forum threads after time passes.

E: Alternatively, you may make a pull request to our repository (develop-3.3.5 branch).


morganw

I think the blocking issue can also be partially solved by supplying a self-extracting archive for the installer-less version, and directing people towards this. If the extraction is done outside of native Windows tools (e.g. with 7-Zip), the extracted contents are not blocked even though the downloaded file itself will be.

Installer.exe       <-- for people who want an installer
Installer.7z.exe    <-- for people who don't want to run an installer

For people who want to get access on other platforms, you can make a .zip file available (in smaller print?) or p7zip can extract the .7z.exe file.

Snarky

Part of the reason some prefer a zip (or other archive) file to an exe is a suspicion of blindly running executables downloaded from the internet. Granted, it doesn't make that much sense in this case, since you'll still need to run the AGS exe once the file is unzipped, but I think it would be better to stick with a zip file nevertheless, just for people's ease of mind.

I'm not exactly clear on how it can make a difference whether the CHM file was originally downloaded as a zip and then unzipped, or as a zip.exe and then self-extracted. Does Windows peek into the zip file and add the extra data stream to every file inside, or what? Or is it only if you use windows built-in functionality to extract the file, rather than 7zip/WinZip/WinRar or some other app?

morganw

Yes I agree that the archive should be preferable but unfortunately people are getting tripped up by functionality built into Windows. Maybe it's the same reason that this decision looks to have been made for another similar project, the self extractor being the suggested download choice.

There are no alternate streams stored in the zip file contents, they are added by the extraction tool.

  • If your zip file has a Zone Identifier, if you extract it with Windows tools the same Zone Identifier is applied to the extracted files
  • If your zip file has a Zone Identifier, if you press "unblock" on the zip and then extract it with Windows tools the extracted files won't have a Zone Identifier
  • If your zip file has a Zone Identifier, if you extract with some other program it's up to that program how it wants to handle the Zone Identifier
  • Extracting with 7-zip or using a 7-zip self-extractor doesn't create them on extracted content even though it's present on the source file, other tools may choose to act differently

Perhaps the easiest solution is to switch from supplying a CHM file to another format; it's the CHM reader that's silently refusing to read the file, and something simpler like HTML content would be more accessible for people on other platforms.
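
Added illustration, not part of morganw's post or of the AGS code base: the Zone Identifier discussed above is a small INI-style text stream named `Zone.Identifier` attached to the file, and this Python example parses it and lists which files under a folder carry one. The function names and the sample stream content are constructed for the example; reading the stream itself only works on Windows with NTFS.

```python
import configparser
import os

# URL security zone numbers as stored in the ZoneId field.
ZONES = {0: "MyComputer", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Untrusted"}

# Constructed sample of the stream content a browser attaches to a download.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text):
    """Return the zone name stored in Zone.Identifier content, or None if malformed."""
    # interpolation=None: HostUrl/ReferrerUrl values may contain '%' escapes.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
        zone_id = parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None
    return ZONES.get(zone_id, "Unknown(%d)" % zone_id)


def read_zone(path):
    """Return the zone recorded on `path`, or None when no readable stream is attached."""
    try:
        # NTFS addresses an alternate stream as "<file>:<stream name>".
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None  # no stream, or not a Windows/NTFS path


def find_marked(root):
    """List (path, zone) for every file under `root` that carries a zone mark."""
    marked = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            zone = read_zone(path)
            if zone is not None:
                marked.append((path, zone))
    return marked


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    for path, zone in find_marked("."):
        print(zone, path)
```

Run from an extracted AGS folder, it shows whether the .chm file (and the editor executable) still carry the mark after a given extraction tool has been used.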

Crimson Wizard

Quote from: Monsieur OUXX on Tue 29/09/2015 14:40:34
I've made a Wiki article : http://www.adventuregamestudio.co.uk/wiki/Prevent_AGS_from_triggering_antiviruses
Regarding this wiki article, I agree that it is confusing. Its title mentions antivirus, but the main problem we were having is that the help file was marked as unsafe by Windows, not antivirus. Also, it was not any alternate data stream that caused this, but the Zone Identifier.
IMO this article gives too much unrelated information (file system, other platforms, etc).

Other things I noticed:
Quote from: http://www.adventuregamestudio.co.uk/wiki/Prevent_AGS_from_triggering_antiviruses
Specifically, attempts to access Help from the AGS editor may be blocked.
It does not block access from the Editor; what happens is that the help file is marked as unsafe, and the Windows help viewing program refuses to open such a file's content.
It does not matter whether you run help from the Editor, or open it by double-clicking in your explorer.

Quote from: http://www.adventuregamestudio.co.uk/wiki/Prevent_AGS_from_triggering_antiviruses
And since AGS has started becoming cross-platform, there will be some alternate data streams in your files.
I tried really hard, but to no avail; I cannot understand what this means, or where this information comes from.


Also, for me it always worked if I simply clicked the "Unblock" button in the file properties. Dave's case could be special for some reason. I think this article must explain that solution too, because if it works, it is much easier to do than downloading an extra tool, etc.

Monsieur OUXX

Quote from: Crimson Wizard on Thu 08/10/2015 16:10:52
Regarding this wiki article, I agree that it is confusing. Its title mentions antivirus, but the main problem we were having is that the help file was marked as unsafe by Windows, not antivirus. Also, it was not any alternate data stream that caused this, but the Zone Identifier.
Well originally when I started reading it was all about alternate data streams and antiviruses going paranoid for no good reason. I'm not sure if posts have been edited or what, but since then the thread went in a completely different direction. Feel free to heavily change the article.
 

morganw

I've heavily changed it, but I don't know how to rename the page to remove the references to anti-virus.
