Comparison of MOTW (Mark of the Web) propagation support of archiver software for Windows

English | Japanese

Background

On 3 March 2022, Microsoft announced that the default behavior of Office applications on Windows will be changed to block macros in files from the internet (such as email attachment).

An excerpt from the announcement:

VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we’re changing the default behavior of Office applications to block macros in files from the internet.

...

This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word.

The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Current Channel and Monthly Enterprise Channel.

This is a great improvement of defense against malicious Office document files.

According to the announcement, whether blocking macro or not is determined based on MOTW (Mark of the Web) attribute of the file. Applications such as web browsers and email clients put MOTW on downloaded files and email attachments that come from the internet. MOTW is stored in Zone.Identifier NTFS alternate data stream.

To block macro of malicious Office document files that are extracted from archive files, an archiver software has to propagate MOTW to extracted files when an archive file has MOTW. If archiver software does not propagate MOTW, malicious Office documents in archive files can circumvent blocking.

A question came up: "What archiver software can propagate MOTW to extracted files?" So I tested some archiver software and summarized the result.

Comparison table of MOTW propagation support (as of 11 February 2024)

Name	Tested version	License	MOTW propagation	Enabled by default	Note
"Extract all" built-in function of Windows Explorer	Windows 11 22H2 Windows 10 22H2	proprietary	Yes ✔️	Yes ✔️	MOTW bypass vulnerabilities (fixed) *1
7-Zip	23.01	GNU LGPL	Yes ✔️	No ❌ *2
Bandizip	Standard Edition 7.32	freeware	Yes ✔️	Yes ✔️	MOTW bypass vulnerability (fixed) *3 Only for specific file extensions *4
CubeICE	3.2.0	freeware / proprietary	Yes ✔️	Yes ✔️	MOTW bypass vulnerability (fixed) *5
Explzh	9.31	proprietary for commercial use	Yes ✔️	Yes ✔️
NanaZip	2.0.450.0	MIT	Yes ✔️	No ❌ *6
PeaZip	9.7.0	GNU LGPL	Yes ✔️	Yes ✔️
TC4Shell	21.3.0 (trial)	proprietary	Yes ✔️	Yes ✔️
Total Commander	11.02 (trial)	proprietary	Yes ✔️	Yes ✔️
WinRAR	6.24 (trial)	proprietary	Yes ✔️	Yes ✔️	Only for specific file extensions *7
WinZip	28.0 (trial)	proprietary	Yes ✔️	Yes ✔️	MOTW is propagated only if ZoneId value of the MOTW is 4 (Untrusted sites) *8
Ashampoo ZIP Free	1.0.7	freeware (registration required)	No ❌
CAM UnZip	5.22.6.0	proprietary for commercial use	No ❌
Expand-Archive cmdlet of PowerShell	7.4.1	MIT	No ❌
Express Zip	11.00	proprietary for commercial use	No ❌
File Compact	7.02	proprietary	No ❌
IZArc	4.5	freeware	No ❌
LhaForge	1.6.7	MIT	No ❌
Lhaplus	1.74	freeware	No ❌
PowerArchiver	22.00.09 (trial)	proprietary	No ❌
StuffIt Expander	15.0.8	freeware	No ❌
tar.exe (bsdtar) of Windows 11	3.6.2	BSD 2-clause	No ❌
Universal Extractor 2	2.0.0 RC 3	GNU GPLv2	No ❌
ZipGenious	6.3.2.3116	freeware	No ❌
Zipware	1.6	freeware	No ❌

*1: There were two MOTW bypass vulnerabilities of Windows and they were fixed by the security updates released on 8 November 2022.

• CVE-2022-41049 (Twitter thread by Will Dormann (@wdormann) and detailed writeup by Kuba Gretzky (@mrgretzky))
• CVE-2022-41091 (Twitter thread by Will Dormann (@wdormann))

*2: Though 7-Zip has supported MOTW propagation since version 22.00, it is disabled by default. You can enable it for 7-Zip GUI with the "Propagate Zone Id stream:" option in "Tools" -> "Options" -> "7-Zip" of 7-Zip File Manager.

When you set the option to Yes, 7-Zip propagate MOTW to all extracted files. When you set it to "For Office files", 7-Zip propagate MOTW to files with the following file extensions:

• .doc .docb .docm .docx .dot .dotm .dotx .wbk .wll .wwl
• .pot .potm .potx .ppa .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .sldm .sldx
• .xla .xlam .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx

You can also enable MOTW propagation by setting the registry HKEY_CURRENT_USER\SOFTWARE\7-Zip\Options\WriteZoneIdExtract DWORD to 1.

For 7-Zip CLI, -snz switch is required to propagate MOTW regardless of the option above.

*3: There was a MOTW bypass vulnerability of Bandizip and it was fixed in Bandizip 7.29 released on 21 November 2022 (release note). The vulnerability is almost the same as CVE-2022-41049 of Windows (*1) and it can be exploited by just setting read-only file attribute to ZIP file contents. I found the vulnerability and reported it to Bandisoft, the developer of Bandizip. Bandisoft fixed it very quickly.

*4: Accoring to the document of Bandizip, Bandizip propagates MOTW to files with the following file extensions:

• .exe .com .msi .scr .bat .cmd .pif .bat .lnk
• .zip .zipx .rar .7z .alz .egg .cab .bh
• .iso .img .isz .udf .wim .bin .i00
• .js .jse .vbs .vbe .wsf
• .url .reg
• .docx .doc .xls .xlsx .ppt .pptx .wiz

I previously tested Bandizip with a ZIP archive file that contained only text files, and I misunderstood that Bandizip does not propagate MOTW.

*5: CubeICE has supported MOTW propagation since version 3.0.0, but this version had a MOTW bypass vulnerability. The vulnerability was fixed in version 3.0.1 released on 5 April 2023 (release note). The vulnerability is almost the same as CVE-2022-41049 of Windows (*1) and it can be exploited by just setting read-only file attribute to ZIP file contents. I found the vulnerability and reported it to CubeSoft, the developer of CubeICE. CubeICE fixed it very quickly.

*6: Though NanaZip has supported MOTW propagation since version 2.0 Preview 1, it is disabled by default. You can enable it with the "Propagate Zone Id stream:" option in "Tools" -> "Options" -> "Integration" of NanaZip GUI.

When you set the option to Yes, NanaZip propagate MOTW to all extracted files. When you set it to "For Office files", NanaZip propagate MOTW to files with the following file extensions:

• .doc .docb .docm .docx .dot .dotm .dotx .wbk .wll .wwl
• .pot .potm .potx .ppa .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .sldm .sldx
• .xla .xlam .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx

*7: Jernej Simončič (@jernej__s) kindly contacted the developer of WinRAR and got the answer that WinRAR propagates MOTW only to Microsoft Office document files. It seems that the supported file types are not documented. I did additional tests with WinRAR 6.11 and confirmed that it propagates MOTW to document files of Word, Excel, and PowerPoint (files of Access and Publisher are not supported).

I previously tested WinRAR with a ZIP archive file that contained only text files, and I misunderstood that WinRAR does not propagate MOTW.

*8: WinZip removes MOTW from archive files on extraction if the ZoneId value of the MOTW is 3 (Internet). This behavior was introduced in version 28.0.

Comparison table of MOTW propagation behavior (as of 11 February 2024)

Name	Tested version	MOTW propagation behavior
"Extract all" built-in function of Windows Explorer	Windows 11 22H2 Windows 10 22H2	MOTW is propagated only if ZoneId value of the MOTW is 3 (Internet) or 4 (Untrusted sites) ZoneId field of the archive file is inherited The absolute path of the archive file is set for the ReferrerUrl field All other fields are ignored
7-Zip	23.01	MOTW of the archive file is propagated without modification Only for specific file extensions if the "Propagate Zone Id stream:" option is set to "For Office files" *2
Bandizip	Standard Edition 7.32	MOTW of the archive file is propagated without modification Only for specific file extensions *4
CubeICE	3.2.0	MOTW is propagated only if ZoneId value of the MOTW is 3 (Internet) or 4 (Untrusted sites) Only ZoneId field of the archive file is inherited and all other fields are ignored
Explzh	9.31	MOTW is propagated only if ZoneId value of the MOTW is 3 (Internet) Only ZoneId field of the archive file is inherited and all other fields are ignored
NanaZip	2.0.450.0	MOTW of the archive file is propagated without modification Only for specific file extensions if the "Propagate Zone Id stream:" option is set to "For Office files" *6
PeaZip	9.7.0	MOTW of the archive file is propagated without modification
TC4Shell	21.3.0 (trial)	Only ZoneId field of the archive file is inherited and all other fields are ignored
Total Commander	11.02 (trial)	MOTW of the archive file is propagated except for the ReferrerUrl field
WinRAR	6.24 (trial)	Only ZoneId field of the archive file is inherited and all other fields are ignored Only for specific file extensions *7
WinZip	28.0 (trial)	MOTW is propagated only if ZoneId value of the MOTW is 4 (Untrusted sites) ZoneId field of the archive file is inherited The absolute path of the archive file is set for the ReferrerUrl field All other fields are ignored MOTW is removed from archives files on extraction if the ZoneId value of the MOTW is 3 (Internet)*8

MOTW propagation examples

In these examples, MOTW was manually set for a ZIP archive file motw-test.zip with Set-MOTW.ps1, then MOTW of an extracted file is displayed with Get-MOTW.ps1. Set-MOTW.ps1 and Get-MOTW.ps1 are available at my PS-MOTW repository.

• MOTW of a file extracted with Windows Explorer or WinZip (version 27.0 or earlier):

• MOTW of a file extracted with 7-Zip, Bandizip, NanaZip, or PeaZip:

• MOTW of a file extracted with CubeICE, Explzh, TC4Shell, or WinRAR:

• MOTW of a file extracted with Total Commander:

FAQ

• What is MOTW (Mark of the Web)?

  Please see these blog articles:

  • Details about the Mark-of-the-Web (MOTW) by Mike Wolfe (@NoLongerSet)
  • Downloads and the Mark-of-the-Web by Eric Lawrence (@ericlaw)
  • Mark-of-the-Web from a red team’s perspective by Stan Hegt (@stanhacked)

  They are very helpful to understand it.

• My favorite archiver software is not listed.

  Please provide your test result from Issues or Pull requests. Because I am Japanese, the comparison table contains some Japanese archiver software that you may not know.

• How to test my favorite archiver software?

  Please see Details about the Mark-of-the-Web (MOTW). It compares behavior of the built-in Windows unzip utility and 7-zip. You can test your favorite archiver software in a similar fashion.

  I created PS-MOTW, PowerShell scripts to manually set / show / remove MOTW. You can use it for testing archiver software.

• Information is incorrect or outdated.

  Please provide the details from Issues or the fix from Pull requests. I am happy to fix it.

• Can a malicious Office document in a disk image file (such as .iso and .vhd) circumvent blocking?

  Yes. If the file format of a disk image file does not support NTFS alternate data stream, MOTW is not set for the files in the disk image file. Please see also the following:

  • Mark-of-the-Web from a red team’s perspective by Stan Hegt (@stanhacked)
  • The Dangers of VHD and VHDX Files by Will Dormann (@wdormann)
  • Subvert Trust Controls: Mark-of-the-Web Bypass (an article in MITRE ATT&CK knowledge base).

  Update on 11 April 2022:
  According to the blog article .ISO Files With Office Maldocs & Protected View in Office 2019 and 2021 by Didier Stevens (@DidierStevens), Office 2019 and 2021 use protected view to open Office document stored inside an ISO file with MOTW. This behavior was introduced in August 2021.

  Update on 30 November 2022:
  According to the tweet by Bill Demirkapi (@BillDemirkapi), Microsoft fixed handling of MOTW for virtual disk container files such as ISO and VHD on Windows by the security updates released on 8 November 2022. When applications open files inside a virtual disk container file downloaded from the Internet, the files will inherit the MOTW of the virtual disk container file.

References

• Macros from the internet will be blocked by default in Office
  https://docs.microsoft.com/en-us/deployoffice/security/internet-macros-blocked

• Details about the Mark-of-the-Web (MOTW)
  https://nolongerset.com/mark-of-the-web-details/

• Downloads and the Mark-of-the-Web
  https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/

• Mark-of-the-Web from a red team’s perspective
  https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/

• The Dangers of VHD and VHDX Files
  https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/

• Subvert Trust Controls: Mark-of-the-Web Bypass
  https://attack.mitre.org/techniques/T1553/005/

Author

Nobutaka Mantani (@nmantani)