Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Adrian Ścibor

From AVLab.pl
Verified
here you are, this is my test on Windows 10 x64 v1903 in VMware
Browser: Google Chrome (latest)
AV: No AV - WD was disabled using Defender Control v1.5 (sordum.org)

I downloaded OOshutup from majorgeeks. MOTW was present
I also tried to download a .msi file (0patch) from their website, MOTW was present

View attachment 230500

OK. In your case WD is/was installed anyway. Seems to another option is probably responsible for MOTW enabled, available in Group Edit / Windows Component. Disabling WD probably doesn't matter. So we have different results...
 

Adrian Ścibor

From AVLab.pl
Verified
It is probably not SmartScreen, but WD Block at First Sight feature. (y)

Accorging to this article the Block at First Sight in Windows 10 is not really crossed with SmartScreen?

The official document signed by Microsoft also is not contain any details about SmartScreen with Block at First Sight.

To activate or deactivate Block at First Sight you have to enable/disable WD and the cloud deliver protection.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Adrian Ścibor,
Please look at the Registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments
and
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments

If there is a value SaveZoneInformation = 1 (Reg_DWORD), then the MOTW will be skipped.
If this value does not exist or SaveZoneInformation = 2, then MOTW will be added.
The behavior of skipping MOTW may be also a leftover after some uninstalled security application. In Windows default settings the SaveZoneInformation value does not exist.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Accorging to this article the Block at First Sight in Windows 10 is not really crossed with SmartScreen?
...
To activate or deactivate Block at First Sight you have to enable/disable WD and the cloud deliver protection.
SmartScreen is independent of BAFS and vice versa. SmartScreen can work if WD is disabled and another AV is installed, except when something will disable SmartScreen.
BAFS will not work if you will disable WD real-time protection. You do not have to disable WD.
Skipping MOTW is not related to the browser. If I recall correctly Chrome uses the IAttachmentExecute interface and FireFox adds MOTW to file by writing Alternate Data Stream directly. MOTW is skipped when the appropriate Policy is applied or can be removed by AV after the file is downloaded to avoid SmartScreen integrated with Explorer.
 
Last edited:

Andy Ful

Level 63
Verified
Trusted
Content Creator
In the registry the value is set as 3 also.
This is a non-standard value, so it was written by the security application. It does not force skipping MOTW on my machine. You can try to delete this value to see what will happen.

Adrian, you just need to utilize Andy as an advisor for the next test.

That's all.

You guys are probably neighbors..
I like to post about Windows in English.:sneaky:
 

SeriousHoax

Level 30
Verified
Malware Tester
Gentlemen...let me ask a very simple and straightforward question - if I am using Norton internet security - NO browser extensions - to receive MOTW do I have to use MS EDGE or will MOTW show up with Chrome as well. Please keep the answer as simple as possible.
If it is downloaded via chrome not any other download manager then it should work. Test yourself by downloading a file then check properties and if there's an unblock option then it's working.
 
Top