Jump to content

MSI installer


Recommended Posts

I have some question about windows 10 . and not sure where should to post this topic . so my question is why windows 10 keeps warning me on a security message even when I want to install a software from Microsoft and from other developers ?

this is a 10 windows laptop is already protected with Malwarebytes premium version 3 and Zemana anti-malware and Microsoft windows defender and my Firefox web-browser is heavily protected too . 

other question : does Malwarebyte version 3 is already detect a Malicious program that using a MSI installer ?

https://blogs.technet.microsoft.com/jasonlewis/2007/08/06/what-are-those-per-user-msi-warning-messages-about/

"ex software"is an executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch “ex software”?

 

Link to post
Share on other sites

Greetings,

To the first part of your question, that is because Windows by default adds what is known as an Alternate Data Stream or ADS for short to any file that is downloaded from the web.  This is what creates that warning.  It also creates the entry in a file's properties showing the message about it possibly being blocked with the button to unblock it as illustrated below:

blocked.png.26740c214fa6425be4f4d101f4bff96b.png

If I were to click the Unblock button and click Apply it would remove that Alternate Data Stream from the file and Windows would treat it like any other file on my system if I tried to open/run it.  It adds this ADS to every file that comes from the web however it only shows the warning when trying to open certain types of files, namely executable files that can make changes to the system (.EXE, .MSI, .REG, .SCR, .BAT, .VBS and any other type of executable binary file or scripting file).

You can learn more about how this works in this blog entry.

As for your second question, yes, Malwarebytes 3 does scan .MSI files and many other archive formats to determine if they are malicious.

Edited by exile360
Link to post
Share on other sites

@exile360 thanks for clear thing up by provided more information here . but I want to ask something which is why windows 10 keeps blocking most of MSI installer even though some of them are safe to install and to use . a problem here while right click on an MSI installer will not bring up this option "run as administrator " nor the UAC warning window and will not be to prompt on the screen and thus when I almost went to double click on the MSI installer but no UAC is pop-up expect the other virus warning  .. screenshot of the message is attached . and here is an another example for an MSI installer which is "unchecky_setup.msi" safe to use right (here a virus total scan link) ? if so , why windows 10 is blocking almost of them even if they safe!

CpWz_397.png

Edited by Gt-truth
Link to post
Share on other sites

It depends on what you mean by blocking them.  If you mean the prompt/warning message you posted an image of, then that's just because it is standard practice for them to display a warning about any file type that is an executable, and since MSI installers can potentially bypass User Account Control, Microsoft likely inserts that warning as a standard practice so that users have the opportunity to block/prevent MSI installers from running which can be very helpful if the file does turn out to be malicious, and since Windows has no way of knowing whether or not a file is truly safe, it will display those warnings for any file that you download from the internet (again, because of the Alternate Data Stream that Windows/your web browser adds to all files downloaded from the web that I mentioned earlier; I suspect that if you unblock it as I mentioned above through the right-click>Properties menu, it probably won't be blocked with that dialog any more).  As for why no UAC prompt is shown, that is because MSI's use a built in service, the Windows Installer service (msiserver, i.e. the msiexec.exe process you see running in memory whenever executing an MSI installer/uninstaller) and since services in Windows run with admin or even SYSTEM (higher than admin) privileges, they are able to bypass User Account Control (though not all do, as often times a developer will deliberately write their MSI to request admin permissions through UAC).  This is also the reason that by default there is no option to run MSI installers as admin, because they are not treated like .EXE and other executable file formats due to their native support in Windows through the Windows Installer service, however you can run an MSI with administrative privileges by launching it through an administrative command prompt or batch file.  You'll find instructions on how to force MSI's to install in administrator mode in this article.

Basically, Microsoft doesn't want any kind of installer, script or any other sort of executable file to be able to run silently/automatically without the user's consent since there is always the possibility that it could be malicious, so Microsoft has Windows/your web browser automatically append that ADS data I mentioned to every file downloaded from the web and uses technologies like User Account Control to limit what executable files and installers can do.  This is why you have to click 'OK' to allow the file to run as shown in the picture you posted since Windows has no way of truly verifying that the file is safe.  You know it is safe, and I know it is safe; it comes from a reputable software vendor and scans clean on VirusTotal, however Windows has no way of knowing that or verifying it so Windows treats all of those files the same way, assuming that they could be malicious and prompting the user to authorize them before allowing them to run, otherwise the bad guys could package up their malware inside MSI installers and encrypt them so that they scan clean by virus scanners and get them installed on users' systems without them knowing since there would be no prompt or notification about it.  This is actually possible through the use of exploits, which is one of the reasons that having some kind of exploit protection is very important, however under normal circumstances you do get notified/prompted when a file from the web tries to run that Windows doesn't know and trust so that you can make the decision about whether or not the file should run on your system.

I hope that helps to clarify things a bit.  Basically it comes down to trust.  Windows assumes that all files are potentially malicious, and so measures are put in place to protect users from files running whenever they want to so that users have the opportunity to prevent them from running/installing.  It's essentially a last line of defense after your virus protection and malware protection in case they fail/miss the file (or of course if you have no virus protection/malware protection installed).  It's just one more thing that Microsoft does in order to try and keep their users' systems safe.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.