MORE INFORMATION
The Attachment Manager in Windows XP SP2 can help protect
your computer from unsafe attachments that you might receive with an e-mail
message and from unsafe files that you might save from the
Internet.
If the Attachment Manager identifies an attachment that
might be unsafe, the Attachment Manager prevents you from opening the file, or
it warns you before you open the file. The following determine whether you are
prevented from opening the file or whether you are warned before you open the
file:
- The type of program that you are using.
- The file type that you are downloading or trying to
open.
- The security settings of the Web content zone that you are
downloading the file from.
Note You can configure the Web content zones in Microsoft Internet
Explorer on the Security tab. To view the Web content zones,
click Tools, click Internet Options, and then
click the Security tab. The following are the four Web content
zones:
- Internet
- Local intranet
- Trusted sites
- Restricted sites
The Attachment Manager uses the IAttachmentExecute application
programming interface (API) to find the file type, to find the file
association, and to determine the most appropriate action.
Microsoft
Outlook Express, Microsoft Windows Messenger, Microsoft MSN Messenger, and
Microsoft Internet Explorer use the Attachment Manager to handle e-mail
attachments and Internet downloads.
The Attachment Manager classifies files that you receive or that you download
based on the file type and the file name extension. Attachment Manager
classifies file types as high risk, medium risk, and low risk. When you save
files to your hard disk from a program that uses the Attachment Manager, the Web
content zone information for the file is also saved with the file. For example,
if you save a compressed file (.zip) that is attached to an e-mail message to
your hard disk, the Web content zone information is also saved when you save the
compressed file. When you then try to extract the contents of the compressed
file, or try to run a file, you cannot do so. The Web content zone information
is saved together with the files only if the hard disk uses the NTFS file
system.
You can open a blocked
file from a known source if you want to. To open a blocked file, follow these
steps:
- Right-click the blocked file, and then click
Properties.
- In the General tab, click
Unblock.
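The zone information described above can be inspected directly. The following PowerShell example is added here and is not part of the original article; it assumes PowerShell 3.0 or later on an NTFS volume, and that the saved zone information is the Zone.Identifier alternate data stream whose ZoneId field follows the URLZONE numbering (3 = Internet, 4 = Restricted sites). It uses a subset of the article's high-risk list, treats every other extension as medium risk as the Attachment Manager does by default, and does not model the handler-dependent low-risk case.

```powershell
# Added example (not from the original article): read the zone-of-origin mark the
# Attachment Manager saves with a file and predict the block/prompt/open outcome
# using the rules described in the article. Assumes PowerShell 3.0+ and NTFS.
# Assumption: the mark is the 'Zone.Identifier' alternate data stream, with a
# ZoneId in URLZONE numbering (3 = Internet, 4 = Restricted sites).
$HighRisk = '.exe','.bat','.cmd','.com','.cpl','.hta','.inf','.js','.jse','.lnk',
            '.msi','.pif','.reg','.scr','.url','.vbs','.vbe','.wsf','.wsh','.chm'  # subset of the article's list

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # FAT32 cannot store alternate data streams, so on FAT32 this is always $null
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $line = @($stream) | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($line -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
    return $null
}

function Get-ExpectedAction {
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-ZoneId -Path $Path
    $ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    if ($null -eq $zone) { return 'Open: no zone information is saved with this file' }
    if ($HighRisk -contains $ext) {
        if ($zone -eq 4) { return 'Blocked: high-risk file type from the Restricted sites zone' }
        if ($zone -eq 3) { return 'Prompt: high-risk file type from the Internet zone' }
    } elseif ($zone -ge 3) {
        # Anything not on the high-risk list is medium risk here; low-risk types
        # (which depend on the file handler, see above) are not modelled.
        return 'Prompt: medium-risk file type from the Internet or Restricted sites zone'
    }
    return 'Open: local or trusted zone'
}

# Usage: inspect a downloaded file. The Unblock button's equivalent in PowerShell
# is Unblock-File, which removes the Zone.Identifier stream from the file.
# Get-ExpectedAction -Path "$env:USERPROFILE\Downloads\setup.exe"
```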
High-risk file types
When you try to download or open a file from a Web site that is in
the restricted Web content zone, you may receive a message that indicates that
the file is blocked.
When you try to open high-risk file types from
sites that belong to the Internet Web content zone, you may receive a warning
message, but you may be able to open these types of files.
The file
types that the Attachment Manager labels as high-risk include the following:
- .ade
- .adp
- .app
- .asp
- .bas
- .bat
- .cer
- .chm
- .cmd
- .com
- .cpl
- .crt
- .csh
- .exe
- .fxp
- .hlp
- .hta
- .inf
- .ins
- .isp
- .its
- .js
- .jse
- .ksh
- .lnk
- .mad
- .maf
- .mag
- .mam
- .maq
- .mar
- .mas
- .mat
- .mau
- .mav
- .maw
- .mda
- .mdb
- .mde
- .mdt
- .mdw
- .mdz
- .msc
- .msi
- .msp
- .mst
- .ops
- .pcd
- .pif
- .prf
- .prg
- .pst
- .reg
- .scf
- .scr
- .sct
- .shb
- .shs
- .tmp
- .url
- .vb
- .vbe
- .vbs
- .vsmacros
- .vss
- .vst
- .vsw
- .ws
- .wsc
- .wsf
- .wsh
Medium-risk file types
File types that the Attachment Manager does not label as high risk
or low risk are automatically labeled as medium risk.
When you open a
medium-risk file from the Internet Web content zone or from the restricted
sites Web content zone, you may receive a warning message, but you may be able
to open these types of files.
Low-risk file types
The Attachment Manager labels the following file types as low
risk only when you open them by using Notepad. If you associate another program
with this file type, the file type is no longer considered low risk.
The Attachment Manager labels the following file types as low
risk only when you open the file by using the Microsoft Windows Picture and Fax
Viewer:
- .bmp
- .dib
- .emf
- .gif
- .ico
- .jfif
- .jpg
- .jpe
- .jpeg
- .png
- .tif
- .tiff
- .wmf
Note Associating a file type with Notepad or with the Windows Picture
and Fax Viewer does not add that file type to the list of low-risk file
types.
Configuring the Attachment Manager
There are several
features of the Attachment Manager that can be configured by using Group Policy
or the local registry.
Default risk level for file attachments
This policy setting lets you manage the default risk level for file types. To
fully customize the risk level for file attachments, you may also have to
configure the trust logic for file attachments:
- High Risk: If the attachment is in the list of high risk file types and is
from the restricted zone, Windows blocks the user from accessing the file. If
the file is from the Internet zone, Windows prompts the user before accessing
the file.
- Moderate Risk: If the attachment is in the list of moderate risk file types
and is from the restricted or Internet zone, Windows prompts the user before
accessing the file.
- Low Risk: If the attachment is in the list of low risk file types, Windows
will not prompt the user before accessing the file, regardless of the file's
zone information.
If you enable this policy
setting, you can specify the default risk level for file types. If you
disable this policy setting, Windows sets the default risk level to
moderate. If you do not configure this policy setting, Windows sets the
default risk level to moderate.
Group Policy | Registry Subkey | Registry Entry | Entry Value |
User Configuration\Administrative Templates\Windows Components\Attachment Manager | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations | DefaultFileTypeRisk | High (6150) or Moderate (6151) or Low (6152) |
Note The default value of the DefaultFileTypeRisk registry entry is
Moderate (6151).
Do not preserve zone information in file attachments
This policy setting lets you manage whether Windows marks file attachments with
information about their zone of origin. These zones of origin are Internet,
intranet, and local. This policy setting requires the NTFS file system to
function correctly and will fail without notice on systems that use FAT32. If
the zone information is not preserved, Windows cannot make appropriate risk
assessments. If you enable this policy setting, Windows does not mark file
attachments with their zone information. If you disable this policy setting,
Windows marks file attachments with their zone information. If you do not
configure this policy setting, Windows marks file attachments with their zone
information.
Group Policy | Registry Subkey | Registry Entry | Entry Value |
User Configuration\Administrative Templates\Windows Components\Attachment Manager | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | SaveZoneInformation | On (1) or Off (2) |
Note The default value of the SaveZoneInformation registry entry is Off (2).
Hide mechanisms to remove zone information
This policy setting lets you manage whether users can manually remove the zone
information from saved file attachments by clicking Unblock on the file's
Properties tab or by clicking to select a check box in the Security Warning
dialog box. Removing the zone information lets users open potentially dangerous
file attachments that Windows has blocked users from opening. If you enable this
policy setting, Windows hides the check box and the Unblock button. If you
disable this policy setting, Windows shows the check box and the Unblock button.
If you do not configure this policy setting, Windows shows the check box and the
Unblock button.
Group Policy | Registry Subkey | Registry Entry | Entry Value |
User Configuration\Administrative Templates\Windows Components\Attachment Manager | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | HideZoneInfoOnProperties | Off (0) or On (1) |
Note The default value of the HideZoneInfoOnProperties registry entry is Off (0).
Inclusion list for low, moderate, and high risk file types
These policy settings let you configure the lists of low, moderate, and high
risk file types. If an extension is listed in more than one inclusion list, the
High list takes precedence over the Moderate and Low risk inclusion lists. If
you enable this policy setting, you can create a custom list of low, moderate,
and high risk file types. If you disable this policy setting, Windows uses its
built-in list of file types. If you do not configure this policy setting,
Windows uses its built-in list of file types.
Group Policy | Registry Subkey | Registry Entry | Entry Value |
User Configuration\Administrative Templates\Windows Components\Attachment Manager | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations | HighRiskFileTypes, ModRiskFileTypes, LowRiskFileTypes | |
Trust logic for file attachments
This policy setting lets you configure the logic that Windows uses to determine
the risk for file attachments. Preferring the file handler instructs Windows to
use the file handler data over the file type data. For example, it instructs
Windows to trust Notepad.exe but not to trust .txt files. Preferring the file
type instructs Windows to use the file type data over the file handler data. For
example, trust .txt files, regardless of the file handler. Using both the file
handler and the file type data is the most restrictive option: Windows chooses
the more restrictive recommendation. This causes users to see more trust prompts
than the other options. If you enable this policy setting, you can select the
order in which Windows processes risk assessment data. If you disable this
policy, Windows uses its default trust logic, which prefers the file handler
over the file type.
Group Policy | Registry Subkey | Registry Entry | Entry Value |
User Configuration\Administrative Templates\Windows Components\Attachment Manager | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | UseTrustedHandlers | File Type (1) or Handler (2) or Both (3) |
Note The default value of the UseTrustedHandlers registry entry is Handler (2).
Notify antivirus programs when you open attachments
This policy setting lets you manage the behavior for
notifying registered antivirus programs. If multiple programs are registered,
they will all be notified. If the registered antivirus program already performs
on-access checks or scans files as they arrive on the computer's e-mail server, additional calls would be redundant. If you enable this policy,
Windows tells the registered antivirus program to scan the file when a user
opens a file attachment. If the antivirus program fails, the attachment is
blocked from being opened. If you disable this policy, Windows does not call
the registered antivirus programs when file attachments are opened. If you
do not configure this policy, Windows does not call the registered antivirus
programs when file attachments are opened.
Group Policy | Registry Subkey | Registry Entry | Entry Value |
User Configuration\Administrative Templates\Windows Components\Attachment Manager | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | ScanWithAntiVirus | Off (1) or Optional (2) or On (3) |
Note The default value of the ScanWithAntiVirus registry entry is Off (1). When
the value is set to Optional (2), all scanners are called even after one
reports a detection.
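The five policy settings above can be checked in one pass. The following PowerShell function is an added example, not part of the original article: it reads each documented registry entry, substitutes the article's stated default when the entry is not configured, and compares the result against a stricter baseline chosen here (High default risk, zone information preserved, Unblock hidden, Both trust logic, antivirus scanning On). It assumes the HKCU and HKLM key paths exactly as documented above.

```powershell
# Added example (not from the original article): audit the Attachment Manager
# policy entries documented above. Missing entries fall back to the article's
# stated defaults; 'Want' is a stricter baseline chosen for this example.
function Get-AttachmentManagerPolicy {
    $assoc   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
    $attach  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
    $machine = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'

    $settings = @(
        @{ Name = 'DefaultFileTypeRisk';      Key = $assoc;   Default = 6151; Want = 6150
           Map = @{ 6150 = 'High'; 6151 = 'Moderate'; 6152 = 'Low' } }
        @{ Name = 'SaveZoneInformation';      Key = $attach;  Default = 2;    Want = 2
           Map = @{ 1 = 'On (zone information not preserved)'; 2 = 'Off (zone information preserved)' } }
        @{ Name = 'HideZoneInfoOnProperties'; Key = $attach;  Default = 0;    Want = 1
           Map = @{ 0 = 'Off (Unblock shown)'; 1 = 'On (Unblock hidden)' } }
        @{ Name = 'UseTrustedHandlers';       Key = $attach;  Default = 2;    Want = 3
           Map = @{ 1 = 'File Type'; 2 = 'Handler'; 3 = 'Both' } }
        @{ Name = 'ScanWithAntiVirus';        Key = $machine; Default = 1;    Want = 3
           Map = @{ 1 = 'Off'; 2 = 'Optional'; 3 = 'On' } }
    )

    foreach ($s in $settings) {
        # An absent key or entry means "not configured", so the documented default applies
        $item    = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $value   = if ($null -ne $item) { [int]$item.($s.Name) } else { [int]$s.Default }
        $meaning = if ($s.Map.ContainsKey($value)) { $s.Map[$value] } else { "Unknown value $value" }
        [pscustomobject]@{
            Setting    = $s.Name
            Configured = ($null -ne $item)
            Value      = $value
            Meaning    = $meaning
            Hardened   = ($value -eq $s.Want)
        }
    }
}

Get-AttachmentManagerPolicy | Format-Table -AutoSize
```

Rows with Hardened set to False are the settings that still permit the weaker behaviour the corresponding policy description above warns about.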
For more information about the Attachment
Manager, visit the following Microsoft Web site: