I just troubleshot a Windows box where the user was unable to
save any documents from MS Word (Office 2007).

Googled a little, went down a few dead-end paths, then started
looking around on my own.

Found a "FileBlock" functionality where, if there is a
"FileBlock" registry entry for a file type ("txt", "doc", "docx"
and so-forth) and that entry's data is set to "2", MS Word will
not allow saving the file and throws a dialog to that effect.

Changed them all to "0" and everything looks copasetic.


The Question:

Is there malware that is known to set those entries? Seems
awfully tempting to me - and, coincidentally, I had to remove a
Windows Defender spoof from that same machine a couple of weeks
ago.
--
PeteCresswell

(PeteCresswell) wrote:

> I just troubleshot a Windows box where the user was unable to
> save any documents from MS Word (Office 2007).

Oh, a "Windows box", uh huh. Yep, thar be just one version of Windows,
fer sure.

> Found a "FileBlock" functionality where, if there is a
> "FileBlock" registry entry for a file type ("txt", "doc", "docx"
> and so-forth) and that entry's data is set to "2", MS Word will
> not allow saving the file and throws a dialog to that effect.

Oh, your registry's database has entries that aren't under a hive and
there's no path to get to them because they're are some root level.
Uh huh.

> Changed them all to "0" and everything looks copasetic.
>
> The Question:
>
> Is there malware that is known to set those entries? Seems
> awfully tempting to me - and, coincidentally, I had to remove a
> Windows Defender spoof from that same machine a couple of weeks
> ago.

With the missing information (Windows version and registry key's path),
I did a search on just "FileBlock" in Microsoft's support knowledgebase
using:

http://support.microsoft.com/kb/922848

and got some hits:

http://support.microsoft.com/kb/922848
http://support.microsoft.com/kb/922850
http://support.microsoft.com/kb/937696

So it looks like you found a policy setting available since mid-2007.
We don't know if this user is in a domain to have policies pushed onto
their host. Policies are just registry settings. Obviously any program
can create registry entries and set data items under it if the user is
logging on under an admin-level account (and especially if not running
their web browsers under a limited user access token to restrict
privileges to them while using that admin account).

VanguardLH wrote:

> With the missing information (Windows version and registry key's path),
> I did a search on just "FileBlock" in Microsoft's support knowledgebase
> using:

Oops, submitted too soon. Forgot to include the Google search criteria
that searches Microsoft's KB database *without* wasting time to get past
all the garbage they include for forum posts in a search. I used:

http://www.google.com/search?q=site:....com+fileblock

Per VanguardLH:
> Policies are just registry settings. Obviously any program
>can create registry entries and set data items under it if the user is
>logging on under an admin-level account (and especially if not running
>their web browsers under a limited user access token to restrict
>privileges to them while using that admin account).

That's kind of what I pictured. Putting myself in the position
of a malware author who knew about it, it seemed so tempting that
I had to wonder if maybe some particular malware/virus was
notorious for doing such.

Otherwise, I would have to wonder how Joe User could create such
a situation all on their own - knowing that this particular user
doesn't even know what a Registry is and that they had installed
Office 14 only a couple of weeks ago.
--
PeteCresswell

(PeteCresswell) wrote:

> Per VanguardLH:
>> Policies are just registry settings. Obviously any program
>>can create registry entries and set data items under it if the user is
>>logging on under an admin-level account (and especially if not running
>>their web browsers under a limited user access token to restrict
>>privileges to them while using that admin account).
>
> That's kind of what I pictured. Putting myself in the position
> of a malware author who knew about it, it seemed so tempting that
> I had to wonder if maybe some particular malware/virus was
> notorious for doing such.
>
> Otherwise, I would have to wonder how Joe User could create such
> a situation all on their own - knowing that this particular user
> doesn't even know what a Registry is and that they had installed
> Office 14 only a couple of weeks ago.

There have long been startup locations in the registry that are hidden
simply because they aren't exposed to users by Microsoft's simplistic
tools, like msconfig.exe. You need to use SysInternals' AutoRuns to see
them all. I even had to notify the WinPatrol author of a couple startup
locations he missed in his Startup monitor (WinLogon notify events,
shell extensions loaded on startup).

BTW, the Microsoft KB articles say it is a FileOpenBlock policy setting.
You said FileBlock. What's the real name of the registry key (including
the full path to it) that you found?

I tried looking for the FileOpenBlock or something similarly named in
the group policy editor (gpedit.msc) but couldn't find anything. From
the articles, it looks like a template (of security settings) has to get
loaded to incorporate the additional security settings for
FileOpenBlock. Was this host in a domain where policies get enforced
and where the Office template could be pushed?

http://technet.microsoft.com/en-us/l.../cc179081.aspx
http://technet.microsoft.com/en-us/l.../gg490629.aspx

That explains why I don't see any security settings related to
FileOpenBlock. I've never right-clicked on the local or user
Administrative Templates node in gpedit.msc to install a new security
template (to add its settings) and my home host has never been in a
domain to have policies pushed onto it.

VanguardLH wrote:
[...]

> So it looks like you found a policy setting available since mid-2007.
> We don't know if this user is in a domain to have policies pushed onto
> their host. Policies are just registry settings.

Not all of them.

Check out the group policy reference to see where settings
are kept for each policy.

http://www.microsoft.com/download/en....aspx?id=25250

[...]

(PeteCresswell) wrote:
> I just troubleshot a Windows box where the user was unable to
> save any documents from MS Word (Office 2007).
>
> Googled a little, went down a few dead-end paths, then started
> looking around on my own.
>
> Found a "FileBlock" functionality where, if there is a
> "FileBlock" registry entry for a file type ("txt", "doc", "docx"
> and so-forth) and that entry's data is set to "2", MS Word will
> not allow saving the file and throws a dialog to that effect.
>
> Changed them all to "0" and everything looks copasetic.
>
>
> The Question:
>
> Is there malware that is known to set those entries? Seems
> awfully tempting to me - and, coincidentally, I had to remove a
> Windows Defender spoof from that same machine a couple of weeks
> ago.

Is there an advantage to be had by malware if it prevents
the user from file manipulations in MS Word or Office in
general?

Chances are, if there is no advantage to it, malware won't be doing it.

Per VanguardLH:
>BTW, the Microsoft KB articles say it is a FileOpenBlock policy setting.
>You said FileBlock. What's the real name of the registry key (including
>the full path to it) that you found?

Give me a day on this. I neglected to make myself a copy of the
file I created on the user's PC that documents the exact
locations/key names.

They'll be sending me a copy pretty soon.
--
PeteCresswell

Per (PeteCresswell):
>Give me a day on this.

Here it is:

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock

Entries for following file types changed from 2 to 0 (Decimal):
HtmlFiles
OpenDocumentText
OpenXmlFiles
RtfFiles
TextFiles
Word2000Files
Word2003Files
Word2007Files
Word97Files
WordXmlFiles
WordXpFiles
--
PeteCresswell

(PeteCresswell) wrote:

> Here it is:
>
> HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock
>
> Entries for following file types changed from 2 to 0 (Decimal):
> HtmlFiles
> OpenDocumentText
> OpenXmlFiles
> RtfFiles
> TextFiles
> Word2000Files
> Word2003Files
> Word2007Files
> Word97Files
> WordXmlFiles
> WordXpFiles

Since the security change is dated back to mid-2007, and since the
registry key names would be FileSaveBlock and FileOpenBlock (not
FileBlock), and since these only appear after an Office adminstrative
template (.adm file) gets installed or pushed onto a host (and you never
mentioned the user was operating a host in a domain where policies can
get pushed), it could be some malware thought it was going to use these
settings in the registry to **** over the operation of Office components
(Word, Excel) but they screwed up and used the wrong key name in the
registry.

If the host has been disinfected from prior malware, the disinfection
may only target those registry entries the anti-malware author knows
about and only for those keys that have an actual impact on OS or app
behavior or functionality. Disinfection is rarely 100% clean. Even if
the pest has been squashed, there could still be some remnants of it
(like using your wipers and fluid to clean your windshield from a bug
squash but still getting stuck with the streak of splatter).

Since you mentioned the problem was with saving files edited in Word
2007, I suspect the responsible key is FileSaveBlock.

http://support.microsoft.com/kb/945800
"an administrator can add to the registry to restrict the types of files
that can be opened or that can be saved. The administrator can do this
by using the FileSaveBlock subkey."