Windows Box, MS Office 14: "FileBlock" Registry Keys?

Discussion in 'Anti-Virus' started by (PeteCresswell), Jun 27, 2011.

  1. I just troubleshot a Windows box where the user was unable to
    save any documents from MS Word (Office 2007).

    Googled a little, went down a few dead-end paths, then started
    looking around on my own.

    Found a "FileBlock" functionality where, if there is a
    "FileBlock" registry entry for a file type ("txt", "doc", "docx"
    and so-forth) and that entry's data is set to "2", MS Word will
    not allow saving the file and throws a dialog to that effect.

    Changed them all to "0" and everything looks copasetic.


    The Question:

    Is there malware that is known to set those entries? Seems
    awfully tempting to me - and, coincidentally, I had to remove a
    Windows Defender spoof from that same machine a couple of weeks
    ago.
    --
    PeteCresswell
     
    (PeteCresswell), Jun 27, 2011
    #1
  2. VanguardLH Guest

    (PeteCresswell) wrote:

    > I just troubleshot a Windows box where the user was unable to
    > save any documents from MS Word (Office 2007).


    Oh, a "Windows box", uh huh. Yep, thar be just one version of Windows,
    fer sure.

    > Found a "FileBlock" functionality where, if there is a
    > "FileBlock" registry entry for a file type ("txt", "doc", "docx"
    > and so-forth) and that entry's data is set to "2", MS Word will
    > not allow saving the file and throws a dialog to that effect.


    Oh, your registry's database has entries that aren't under a hive and
    there's no path to get to them because they're at some root level.
    Uh huh.

    > Changed them all to "0" and everything looks copasetic.
    >
    > The Question:
    >
    > Is there malware that is known to set those entries? Seems
    > awfully tempting to me - and, coincidentally, I had to remove a
    > Windows Defender spoof from that same machine a couple of weeks
    > ago.


    With the missing information (Windows version and registry key's path),
    I did a search on just "FileBlock" in Microsoft's support knowledgebase
    using:

    http://support.microsoft.com/kb/922848

    and got some hits:

    http://support.microsoft.com/kb/922848
    http://support.microsoft.com/kb/922850
    http://support.microsoft.com/kb/937696

    So it looks like you found a policy setting available since mid-2007.
    We don't know if this user is in a domain to have policies pushed onto
    their host. Policies are just registry settings. Obviously any program
    can create registry entries and set data items under it if the user is
    logging on under an admin-level account (and especially if not running
    their web browsers under a limited user access token to restrict
    privileges to them while using that admin account).
     
    VanguardLH, Jun 27, 2011
    #2
  3. VanguardLH Guest

    VanguardLH wrote:

    > With the missing information (Windows version and registry key's path),
    > I did a search on just "FileBlock" in Microsoft's support knowledgebase
    > using:


    Oops, submitted too soon. Forgot to include the Google search criteria
    that searches Microsoft's KB database *without* wasting time to get past
    all the garbage they include for forum posts in a search. I used:

    http://www.google.com/search?q=site:support.microsoft.com+fileblock
     
    VanguardLH, Jun 27, 2011
    #3
  4. Per VanguardLH:
    > Policies are just registry settings. Obviously any program
    > can create registry entries and set data items under it if the user is
    > logging on under an admin-level account (and especially if not running
    > their web browsers under a limited user access token to restrict
    > privileges to them while using that admin account).


    That's kind of what I pictured. Putting myself in the position
    of a malware author who knew about it, it seemed so tempting that
    I had to wonder if maybe some particular malware/virus was
    notorious for doing such.

    Otherwise, I would have to wonder how Joe User could create such
    a situation all on their own - knowing that this particular user
    doesn't even know what a Registry is and that they had installed
    Office 14 only a couple of weeks ago.
    --
    PeteCresswell
     
    (PeteCresswell), Jun 28, 2011
    #4
  5. VanguardLH Guest

    (PeteCresswell) wrote:

    > Per VanguardLH:
    >> Policies are just registry settings. Obviously any program
    >> can create registry entries and set data items under it if the user is
    >> logging on under an admin-level account (and especially if not running
    >> their web browsers under a limited user access token to restrict
    >> privileges to them while using that admin account).

    >
    > That's kind of what I pictured. Putting myself in the position
    > of a malware author who knew about it, it seemed so tempting that
    > I had to wonder if maybe some particular malware/virus was
    > notorious for doing such.
    >
    > Otherwise, I would have to wonder how Joe User could create such
    > a situation all on their own - knowing that this particular user
    > doesn't even know what a Registry is and that they had installed
    > Office 14 only a couple of weeks ago.


    There have long been startup locations in the registry that are hidden
    simply because they aren't exposed to users by Microsoft's simplistic
    tools, like msconfig.exe. You need to use SysInternals' AutoRuns to see
    them all. I even had to notify the WinPatrol author of a couple startup
    locations he missed in his Startup monitor (WinLogon notify events,
    shell extensions loaded on startup).

    BTW, the Microsoft KB articles say it is a FileOpenBlock policy setting.
    You said FileBlock. What's the real name of the registry key (including
    the full path to it) that you found?

    I tried looking for the FileOpenBlock or something similarly named in
    the group policy editor (gpedit.msc) but couldn't find anything. From
    the articles, it looks like a template (of security settings) has to get
    loaded to incorporate the additional security settings for
    FileOpenBlock. Was this host in a domain where policies get enforced
    and where the Office template could be pushed?

    http://technet.microsoft.com/en-us/library/cc179081.aspx
    http://technet.microsoft.com/en-us/library/gg490629.aspx

    That explains why I don't see any security settings related to
    FileOpenBlock. I've never right-clicked on the local or user
    Administrative Templates node in gpedit.msc to install a new security
    template (to add its settings) and my home host has never been in a
    domain to have policies pushed onto it.
     
    VanguardLH, Jun 28, 2011
    #5
  6. VanguardLH wrote:
    [...]

    > So it looks like you found a policy setting available since mid-2007.
    > We don't know if this user is in a domain to have policies pushed onto
    > their host. Policies are just registry settings.


    Not all of them.

    Check out the group policy reference to see where settings
    are kept for each policy.

    http://www.microsoft.com/download/en/details.aspx?id=25250

    [...]
     
    FromTheRafters, Jun 28, 2011
    #6
  7. (PeteCresswell) wrote:
    > I just troubleshot a Windows box where the user was unable to
    > save any documents from MS Word (Office 2007).
    >
    > Googled a little, went down a few dead-end paths, then started
    > looking around on my own.
    >
    > Found a "FileBlock" functionality where, if there is a
    > "FileBlock" registry entry for a file type ("txt", "doc", "docx"
    > and so-forth) and that entry's data is set to "2", MS Word will
    > not allow saving the file and throws a dialog to that effect.
    >
    > Changed them all to "0" and everything looks copasetic.
    >
    >
    > The Question:
    >
    > Is there malware that is known to set those entries? Seems
    > awfully tempting to me - and, coincidentally, I had to remove a
    > Windows Defender spoof from that same machine a couple of weeks
    > ago.


    Is there an advantage to be had by malware if it prevents
    the user from file manipulations in MS Word or Office in
    general?

    Chances are, if there is no advantage to it, malware won't be doing it.
     
    FromTheRafters, Jun 28, 2011
    #7
  8. Per VanguardLH:
    > BTW, the Microsoft KB articles say it is a FileOpenBlock policy setting.
    > You said FileBlock. What's the real name of the registry key (including
    > the full path to it) that you found?


    Give me a day on this. I neglected to make myself a copy of the
    file I created on the user's PC that documents the exact
    locations/key names.

    They'll be sending me a copy pretty soon.
    --
    PeteCresswell
     
    (PeteCresswell), Jun 28, 2011
    #8
  9. Per (PeteCresswell):
    > Give me a day on this.


    Here it is:

    HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock

    Entries for the following file types changed from 2 to 0 (Decimal):
    HtmlFiles
    OpenDocumentText
    OpenXmlFiles
    RtfFiles
    TextFiles
    Word2000Files
    Word2003Files
    Word2007Files
    Word97Files
    WordXmlFiles
    WordXpFiles
    --
    PeteCresswell
     
    (PeteCresswell), Jun 28, 2011
    #9
  10. VanguardLH Guest

    (PeteCresswell) wrote:

    > Here it is:
    >
    > HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock
    >
    > Entries for following file types changed from 2 to 0 (Decimal):
    > HtmlFiles
    > OpenDocumentText
    > OpenXmlFiles
    > RtfFiles
    > TextFiles
    > Word2000Files
    > Word2003Files
    > Word2007Files
    > Word97Files
    > WordXmlFiles
    > WordXpFiles


    Since the security change is dated back to mid-2007, and since the
    registry key names would be FileSaveBlock and FileOpenBlock (not
    FileBlock), and since these only appear after an Office administrative
    template (.adm file) gets installed or pushed onto a host (and you never
    mentioned the user was operating a host in a domain where policies can
    get pushed), it could be some malware thought it was going to use these
    settings in the registry to **** over the operation of Office components
    (Word, Excel) but they screwed up and used the wrong key name in the
    registry.

    If the host has been disinfected from prior malware, the disinfection
    may only target those registry entries the anti-malware author knows
    about and only for those keys that have an actual impact on OS or app
    behavior or functionality. Disinfection is rarely 100% clean. Even if
    the pest has been squashed, there could still be some remnants of it
    (like using your wipers and fluid to clean your windshield from a bug
    squash but still getting stuck with the streak of splatter).

    Since you mentioned the problem was with saving files edited in Word
    2007, I suspect the responsible key is FileSaveBlock.

    http://support.microsoft.com/kb/945800
    "an administrator can add to the registry to restrict the types of files
    that can be opened or that can be saved. The administrator can do this
    by using the FileSaveBlock subkey."
     
    VanguardLH, Jun 29, 2011
    #10
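    The key path and value names in post #9, and the FileOpenBlock/FileSaveBlock subkeys
    VanguardLH cites from the KB articles in post #10, are enough to write a quick audit.
    The script below is an added example, not code from the thread or from Microsoft: it
    walks the Word Security subkeys under HKCU for each Office version in the list and
    reports every value whose data is not 0 (the thread's "not blocked" setting), with an
    optional switch to set them back to 0 once you have recorded what was there. Because
    the key lives under HKEY_CURRENT_USER, any process running as that user can write it
    without elevation, which is why a periodic check like this is worth keeping around.
    The version list ('12.0' for Office 2007, '14.0' for Office 2010) and the -Remediate
    switch are assumptions for illustration.

```powershell
# Added example (not from the thread): audit Word File Block registry values
# under HKCU and report anything that is not 0.
# Key path and value names: post #9. FileOpenBlock/FileSaveBlock: KB articles
# cited in post #10. The version list and -Remediate switch are assumptions.

param(
    [string[]]$OfficeVersions = @('12.0', '14.0'),   # Office 2007, Office 2010 (assumed list)
    [switch]$Remediate                                 # set offending values back to 0
)

$subKeys  = @('FileBlock', 'FileOpenBlock', 'FileSaveBlock')
$findings = @()

foreach ($ver in $OfficeVersions) {
    foreach ($sub in $subKeys) {
        $path = "HKCU:\Software\Microsoft\Office\$ver\Word\Security\$sub"
        if (-not (Test-Path $path)) { continue }

        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            # 0 means "not blocked" per the thread; anything else deserves a look.
            if ($data -is [int] -and $data -ne 0) {
                $findings += [pscustomobject]@{
                    Path  = $path
                    Value = $name
                    Data  = $data
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No non-zero File Block values found under HKCU.'
} else {
    $findings | Format-Table -AutoSize
    if ($Remediate) {
        foreach ($f in $findings) {
            # Log the old data before changing it so the change is auditable.
            Write-Output ("Setting {0}\{1} from {2} to 0" -f $f.Path, $f.Value, $f.Data)
            Set-ItemProperty -Path $f.Path -Name $f.Value -Value 0 -Type DWord
        }
    }
}
```

    Run it once without -Remediate to see what is set (a sample such as `Word2003Files = 2`
    would be reported), export the key with regedit or `reg export` as a record, and only
    then re-run with -Remediate. If the values come back after being reset, that points at
    either Group Policy re-applying a template or a process on the host rewriting them,
    and the autoruns-style check VanguardLH describes in post #5 is the next step.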
  11. Per VanguardLH:
    > Since you mentioned the problem was with saving files edited in Word
    > 2007, I suspect the responsible key is FileSaveBlock.


    Might be a couple days, but I'll post a screen snap of REGEDIT
    if/when I am able to hook back into the user's PC and confirm
    whether I got it right or not with just plain "FileBlock".
    --
    PeteCresswell
     
    (PeteCresswell), Jun 29, 2011
    #11
  12. Per (PeteCresswell):
    > Might be a couple days, but I'll post a screen snap of REGEDIT


    Yup... It really is "FileBlock"

    HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock

    viz: http://tinyurl.com/3w35ogu
    --
    PeteCresswell
     
    (PeteCresswell), Jul 1, 2011
    #12
  13. VanguardLH Guest

    (PeteCresswell) wrote:

    > Per (PeteCresswell):
    >> Might be a couple days, but I'll post a screen snap of REGEDIT

    >
    > Yup... It really is "FileBlock"
    >
    > HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock
    >
    > viz: http://tinyurl.com/3w35ogu


    I haven't any MS info that mentions FileBlock, only FileSaveBlock and
    FileOpenBlock. Maybe it's an undocumented "feature".
     
    VanguardLH, Jul 1, 2011
    #13
  14. Per VanguardLH:
    > I haven't any MS info that mentions FileBlock, only FileSaveBlock and
    > FileOpenBlock. Maybe it's an undocumented "feature".


    Drove me nuts for a while - having the same experience and only
    finding FileOpen... and FileSave...

    --
    PeteCresswell
     
    (PeteCresswell), Jul 2, 2011
    #14