XP Native Zip Support Nightmare

Guest

Prior to Windows XP, .zip file support required a third party solution such as WinZip and virus writers pretty much ignored this format as a vehicle for infection. As this was one of the few file extensions for which attachments were not stripped at our mail gateway, all was well. Now, we are being overrun with infected zip files since the virus writers know that support is directly built into XP. Ninety percent of our users don't even need zip support. Our mail servers are being overpowered due to the CPU resources required to unzip and inspect the attachments for viral content. The zip features of XP are protected by 'Windows File Protection' so one must edit SFC_OS.dll with a binary editor to disable WFP to kill off zip support. What a nasty mess when attempting such a solution out to a large domain not to mention the loss of system file protection. Please don't tell me to simply run regsvr32 /u zipfldr.dll as this won't do the job.

WE NEED A HOTFIX NOW WHICH PROVIDES ONE REGISTRY KEY TO DISABLE ALL NATIVE SUPPORT FOR ZIP FILES AND FOLDERS
 
Colin Nash [MVP]

If you associate ZIP files with Winzip, Winzip will take over. Or associate
it with a dummy program that does nothing.

Or look here: http://www.updatexp.com/tip15.html


--
Colin Nash
Microsoft MVP
Windows Printing/Imaging/Hardware



CPCSysAdmin said:
Prior to Windows XP, .zip file support required a third party solution
such as WinZip and virus writers pretty much ignored this format as a
vehicle for infection. As this was one of the few file extensions for which
attachments were not stripped at our mail gateway, all was well. Now, we
are being overrun with infected zip files since the virus writers know that
support is directly built into XP. Ninety percent of our users don't even
need zip support. Our mail servers are being overpowered due to the CPU
resources required to unzip and inspect the attachments for viral content.
The zip features of XP are protected by 'Windows File Protection' so one
must edit SFC_OS.dll with a binary editor to disable WFP to kill off zip
support. What a nasty mess when attempting such a solution out to a large
domain not to mention the loss of system file protection. Please don't tell
me to simply run regsvr32 /u zipfldr.dll as this won't do the job.
WE NEED A HOTFIX NOW WHICH PROVIDES ONE REGISTRY KEY TO DISABLE ALL NATIVE
SUPPORT FOR ZIP FILES AND FOLDERS.
 
Colin Nash [MVP]

and regsvr32 /u zipfldr.dll worked for me (although I will admit I didn't
see that last line in your original message)


CPCSysAdmin said:
Prior to Windows XP, .zip file support required a third party solution
such as WinZip and virus writers pretty much ignored this format as a
vehicle for infection. As this was one of the few file extensions for which
attachments were not stripped at our mail gateway, all was well. Now, we
are being overrun with infected zip files since the virus writers know that
support is directly built into XP. Ninety percent of our users don't even
need zip support. Our mail servers are being overpowered due to the CPU
resources required to unzip and inspect the attachments for viral content.
The zip features of XP are protected by 'Windows File Protection' so one
must edit SFC_OS.dll with a binary editor to disable WFP to kill off zip
support. What a nasty mess when attempting such a solution out to a large
domain not to mention the loss of system file protection. Please don't tell
me to simply run regsvr32 /u zipfldr.dll as this won't do the job.
WE NEED A HOTFIX NOW WHICH PROVIDES ONE REGISTRY KEY TO DISABLE ALL NATIVE
SUPPORT FOR ZIP FILES AND FOLDERS.
 
Lanwench [MVP - Exchange]

What antivirus software are you running for e-mail, presuming you're
concerned about mail-borne viruses such as Bagle, etc? Most of the good ones
can scan zip files and let you specify what to block....although I will
admit a lot of the Exchange folks I know are now starting to block zip files
as well. It's a crazy world.
 
CPCSysAdmin

Ok, then double click on a zip file and see what
happens. Zipfldr will automatically re-register itself
and you will again see zip in the explorer file type
list. Unregistering zipfldr doesn't remove the ability
to open zip files and execute their contents.
 
CPCSysAdmin

The point is 90% of our users don't need zip support and
now they can open any of these new zip file viruses that
may get past the gateway virus scanner. The link that
you reference only says to run regsvr32 /u zipfldr.dll
which I mentioned in my post. This doesn't work. The
next time our users double-click on a zip file, zipfldr.dll
re-registers itself and opens up the zip file.
 
Guest

We use a Trend Micro product on our Exchange server and
strip just about all attachments which have the ability
to carry a viral payload before they are ever scanned for
viruses. But we can't strip zip files due to our
business needs. Trend scans and detects viruses in the
zip files just fine and we check for new pattern files on
an hourly basis but this current wave of viruses is
spreading with amazing speed. We have only had 3 slip
through as they beat the definitions by 27 minutes.
Luckily, the recipients were running Windows 2000 and they
were unable to open them. Like I said before, it is our
belief that Windows XP native zip file support has
attracted virus writers to this format, much to our
dismay. We need a hotfix that removes native XP zip
support in its entirety.
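
Added example, not from any poster in this thread and not how the Trend Micro product works: a gateway-side check in Python that decides on a .zip attachment from its central directory alone, without decompressing any member, so the decision does not wait on pattern files. The extension list, the member limit and the function names are assumptions chosen for illustration.

```python
import io
import zipfile

# Constructed policy list: member types a Windows user can run by double-clicking.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".cpl"}
MAX_MEMBERS = 1000  # assumed limit; archives with more entries are not inspected


def zip_verdict(data):
    """Classify a .zip attachment from its central directory only.

    No member is decompressed, so cost does not grow with uncompressed size.
    Returns (action, reasons); action is 'block', 'quarantine' or 'deliver'.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
    except (zipfile.BadZipFile, ValueError, OSError):
        return "quarantine", ["not a readable zip archive"]
    if len(members) > MAX_MEMBERS:
        return "quarantine", ["too many members: %d" % len(members)]
    blocked, encrypted = [], []
    for info in members:
        # Windows ignores trailing dots and spaces, so strip them before matching.
        base = info.filename.rstrip(". ").rsplit("/", 1)[-1]
        ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
        if ext in BLOCKED_EXT:
            blocked.append(info.filename)
        elif info.flag_bits & 0x1:  # bit 0 of the general-purpose flags: encrypted
            encrypted.append(info.filename)
    if blocked:
        return "block", ["executable member: " + n for n in blocked]
    if encrypted:
        return "quarantine", ["encrypted member: " + n for n in encrypted]
    return "deliver", []  # still goes to the signature scanner afterwards


def build_sample_zip(names):
    """Build a constructed in-memory archive whose members hold dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    for names in (["report.doc", "notes.txt"], ["readme.txt", "Invoice.txt.SCR "]):
        print(names, "->", zip_verdict(build_sample_zip(names)))
```

Member names stay readable in the central directory even when the contents are encrypted, which is why an encrypted archive can still be blocked by name and is only quarantined when nothing in it matches the list.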
 
Torgeir Bakken (MVP)

CPCSysAdmin said:
Now, we are being overrun with infected zip files since the virus writers
know that support is directly built into XP. Ninety percent of our users
don't even need zip support. Our mail servers are being overpowered due
to the CPU resources required to unzip and inspect the attachments for
viral content. The zip features of XP are protected by 'Windows File
Protection' so one must edit SFC_OS.dll with a binary editor to disable
WFP to kill off zip support. What a nasty mess when attempting such a
solution out to a large domain not to mention the loss of system file
protection. Please don't tell me to simply run regsvr32 /u zipfldr.dll
as this won't do the job.

WE NEED A HOTFIX NOW WHICH PROVIDES ONE REGISTRY KEY TO
DISABLE ALL NATIVE SUPPORT FOR ZIP FILES AND FOLDERS.

Hi

Not exactly what you ask for, but try the script below that I have
created now. I think it for the most part should do the trick.

--------------------8<----------------------

' Disable the builtin zip support pretty good (but only as long
' as it is the default zip file handler). Note that it will not touch
' the registry part if a 3rd party zip manager has taken control
' over the .zip file extension.
'
' Author: Torgeir Bakken
' Date: 2004-03-06
'

' remove entry in Sendto for current user (this part of the script
' can only be run locally)
Set oShell = CreateObject("WScript.Shell")
oShell.Run "%comspec% /c del ""%USERPROFILE%\SendTo" _
    & "\Compressed (zipped) Folder.ZFSendToTarget""", 0, True

' To do the above for all users defined on a computer (in e.g.
' a GPO startup script), or remotely (using the admin share C$),
' see this post for a starting point:
' http://groups.google.com/groups?selm=403CD480.E4214512%40hydro.com


' the following part can be run against a remote computer
' as well as locally, using WMI only.

Const HKLM = &H80000002

sComputer = "." ' use "." for local computer

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & sComputer & "\root\default:StdRegProv")

' get default value
oReg.GetStringValue HKLM, "SOFTWARE\Classes\.ZIP", "", sValue

If Not IsNull(sValue) Then
  If LCase(sValue) = "compressedfolder" Then

    ' prepare for launching regsvr32.exe /s when zip file is launched
    ' this will do nothing and will be silent.
    oReg.CreateKey HKLM, "SOFTWARE\Classes\dummyfile\shell\open\command"
    oReg.SetStringValue HKLM, _
        "SOFTWARE\Classes\dummyfile\shell\open\command", "", "regsvr32.exe /s"

    ' change the .zip handling and do some cleanup
    oReg.SetStringValue HKLM, "SOFTWARE\Classes\.ZIP", "", "dummyfile"
    oReg.DeleteValue HKLM, "SOFTWARE\Classes\.ZIP", "Content Type"
    oReg.DeleteValue HKLM, "SOFTWARE\Classes\.ZIP", "PerceivedType"
    oReg.DeleteValue HKLM, _
        "SOFTWARE\Classes\.ZIP\OpenWithProgids", "CompressedFolder"
    DeleteRegistryKey HKLM, "SOFTWARE\Classes\.ZIP\CompressedFolder"

    DeleteRegistryKey HKLM, "SOFTWARE\Classes\SystemFileAssociations\.zip"
  End If
End If


' recursively delete a registry key and all of its subkeys
Sub DeleteRegistryKey(ByVal sHive, ByVal sKey)
  Dim aSubKeys, sSubKey, iRC
  On Error Resume Next
  iRC = oReg.EnumKey(sHive, sKey, aSubKeys)
  If iRC = 0 And IsArray(aSubKeys) Then
    For Each sSubKey In aSubKeys
      If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
      End If
      DeleteRegistryKey sHive, sKey & "\" & sSubKey
    Next
  End If
  oReg.DeleteKey sHive, sKey
End Sub

--------------------8<----------------------
 
Rick Corbett

If it's any help, I found this on the Windows XP Annoyances forum...

"There's a freeware you can download to disable/enable the zip built in
functionality in XP. check this out:
http://www.webattack.com/get/xpzipcontrol.shtml"

We now use it at work.

CPCSysAdmin said:
Snip...
WE NEED A HOTFIX NOW WHICH PROVIDES ONE REGISTRY KEY TO DISABLE ALL NATIVE
SUPPORT FOR ZIP FILES AND FOLDERS.
 
Guest

Thank you very much for your response. We will run this
on a test box Monday. I'm sure other system
administrators will appreciate this as well.

 
Guest

I've already tried that one. This doesn't prevent you
from opening a zip file. Disable zip support with
this program then double click on a zip file and see what
happens. You will see that all zip functionality is
restored including zip folder views.
 
