  • WinRAR 7.10 boosts Windows privacy by stripping MoTW data


    Karlston

    • 9 comments
    • 381 views
    • 4 minutes

    WinRAR 7.10 was released yesterday with numerous features, such as larger memory pages, a dark mode, and the ability to fine-tune how Windows Mark-of-the-Web flags are propagated when extracting files.

     

    WinRAR is a popular file archiver and compression tool for Windows that allows users to create, extract, and manage compressed files, primarily in RAR, ZIP, and many other file formats. The author claims that the tool is used by 500 million people worldwide.

     

    Yesterday, win.rar GmbH released the final version of WinRAR 7.10, listing numerous new features that increase the performance and usability of the program.

     

    These new features include enabling larger memory pages for increased performance, a reworked settings interface, and a long-awaited dark mode.

     

    WinRAR dark mode
    Source: BleepingComputer

    One new feature that stood out is a new setting that lets you strip information that may be considered a privacy risk from the Mark of The Web alternate data stream.

     

    "'Zone value only' option in "Settings/Security" dialog controls if archive Mark of the Web propagation includes only the security zone value or all available fields," reads the WinRAR 7.10 release notes.

     

    "While additional fields, such as a download location or IP address, might help to identify a file source, they can be a privacy concern if file is shared with other persons."

     

    For those unfamiliar with the Mark-of-the-Web (MoTW), it is an alternate data stream named "Zone.Identifier" that is added to files downloaded from the Internet, including from websites and email.

     

    This identifier tells Windows and supported applications that the file was downloaded from another computer or the Internet and, therefore, could be risky to open.

     

    When attempting to open a downloaded file, Windows will check if a MoTW exists and, if so, display additional warnings to the user, asking if they are sure they wish to run the file.

     

    Launching a downloaded executable containing a MoTW
    Source: BleepingComputer

    Microsoft Office will also check for the Mark-of-the-Web, and if found, it will open documents in Protected View, with the file in read-only mode and macros disabled.

     

    To check if a downloaded file has the Mark-of-the-Web, you can right-click it in Windows Explorer and open its properties.

     

    If the file contains a MoTW, you will see a message at the bottom stating, "This file came from another computer and might be blocked to help protect this computer."

     

    Modern file archivers propagate the MoTW found on an archive to the files extracted from it, allowing those files to also be protected by the Windows security feature.

     

    MoTW is a powerful security feature that is commonly targeted by threat actors who attempt to find zero-day flaws that allow their malicious files to bypass Windows' security warnings.

     

    However, some may consider it a privacy concern: if the file is shared with another person, the "Zone.Identifier" stream can reveal sensitive information about where the file was downloaded from.

     

    This is because the Zone.Identifier stream contains a lot of information about a downloaded file, including the Internet Zone (ZoneId) it was downloaded from, the URL of the file, the referring URL, and in some cases, the IP address of the host it was downloaded from.

     

    Information in MoTW Zone.Identifier
    Source: BleepingComputer

    As part of WinRAR 7.10, a new setting is enabled by default called "Zone value only" that strips all information from MoTW alternate data streams other than the ZoneId when it is propagated to extracted files.

     

    MoTW settings in WinRAR 7.10
    Source: BleepingComputer

    This allows the Mark-of-the-Web security feature to continue to work with extracted files, but the alternate data stream can no longer be used to learn where the file was downloaded.

     

    For those who wish to enable complete propagation of MoTW data, you will need to go into the WinRAR settings > Security and uncheck "Zone value only."

     

    While this new setting may hamper digital forensics, it is a welcome feature for those who want the strictest privacy.

     

    Source

     


    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of January): 487

    RIP Matrix | Farewell my friend  :sadbye:
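
To see what the "Zone value only" setting changes, here is an added example (not part of the original post and not WinRAR's code) that parses the text of a Zone.Identifier stream, lists the fields a recipient could read, and rebuilds the stream with the zone value alone. The sample stream is constructed, and the field names other than ZoneId (ReferrerUrl, HostUrl, HostIpAddress) are assumptions about a typical stream rather than names given in the article.

```python
# Added example: list what a Zone.Identifier stream discloses and reduce it to
# the zone value only. Models the effect described above, not WinRAR's code.

ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample stream; URLs and IP address are documentation placeholders.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.com/reports/\r\n"
    "HostUrl=https://cdn.example.com/reports/q4.zip\r\n"
    "HostIpAddress=203.0.113.10\r\n"
)

def parse_zone_identifier(text):
    """Return the key/value pairs of the [ZoneTransfer] section."""
    fields, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)  # URLs may contain further '='
            fields[key.strip()] = value.strip()
    return fields

def zone_id(fields):
    """Zone value as an int, or None if absent or malformed."""
    for key, value in fields.items():
        if key.lower() == "zoneid" and value.isdigit():
            return int(value)
    return None

def disclosed_fields(fields):
    """Everything except the zone value: what a recipient could read."""
    return {k: v for k, v in fields.items() if k.lower() != "zoneid"}

def zone_value_only(text):
    """Rebuild the stream with the zone value alone; '' if there is no usable mark."""
    zid = zone_id(parse_zone_identifier(text))
    return "" if zid is None else f"[ZoneTransfer]\r\nZoneId={zid}\r\n"

if __name__ == "__main__":
    fields = parse_zone_identifier(SAMPLE_STREAM)
    print("zone:", ZONES.get(zone_id(fields), "unknown"))
    for key, value in disclosed_fields(fields).items():
        print("discloses", key, "=", value)
    print(repr(zone_value_only(SAMPLE_STREAM)))
```

On an NTFS volume the same text can be read from a real file by opening the path `<file>:Zone.Identifier` and passing the contents to `parse_zone_identifier`.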


    User Feedback

    Recommended Comments

    Thanks for confusing me.

    As part of WinRAR 7.10, a new setting is enabled by default called "Zone value only" that strips all information from MoTW alternate data streams other than the ZoneId when it is propagated to extracted files. <so this strips the information from the archives.

     

    and then you say..

    For those who wish to enable complete propagation of MoTW data, you will need to go into the WinRAR settings > Security and uncheck "Zone value only." UNTICK it to strip the information from the Zoneid as well?..

     

    so it best to remove the tick then.. correct?.



    5 hours ago, andy2004 said:

    so it best to remove the tick then.. correct?.

     

    Sorry, it does make sense,

     

    "Zone Value only" checked means only Zoneid, rest of MoTW alternate data stripped/omitted.

     

    "Zone Value only" unchecked means all MoTW alternate data included, including Zoneid.

     

    Only thing to remember is that it's checked by default, and that maximises privacy.

    • Like 2


    I had to grapple with PMoW before this article was written . . . and yeah, it was damn confusing.

     

    However, after reading their white paper . . . I decided that for 100% privacy the Never submenu would need to be opted.

     

    PMoW.png

    • Like 3


    Hello Community  😃

    I did read this post and just had to register!  I was looking for a tech community for a long time.

    I just tried WinRAR 7.10 and it runs like a charm. I can approve it's faster. Also the dark mode is a blessing!

    Speaking of the PMoW. I also selected "Never". But let's say if I want to zip an Office file and I want others not to edit it, I simply change to "for exe and office files" and make the check mark on "zone value only" ... right?
    Or did I get something wrong there how it works?



    Hello there, @Sarah Kraft

     

    Welcome to our community

     

    You pose an interesting query . . . I circumnavigated this particular section in my growing pains with PMoW. :P

     

    In my own case, I do not have the entire Office Suite (2024) . . . have use for just Word, PowerPoint & Excel.

     

    If I choose the menu For Office files, I'm presented a lot of file extensions which is overkill for me . . . I need just the following 8 file extensions which can be entered manually:--

    *.doc *.docx *.pps *.ppsx *.ppt *.pptx *.xls *.xlsx

     

    However, after restarting WinRAR, the selected menu would change from For office files to For user defined types.

     

    User-Defined-PMo-W.png

     

    IMPO, it would be a more demanding as well as discerning user who would opt for the user defined types menu . . . more power to you. :thumbsup:

     

    As rightly observed by @Karlston . . . it's better privacy with the Zone value only checked, in any case.

     

    Trust you'll have a lot more fun browsing these pages.

    Edited by UberGeek


    Hello Ubergeek!

    Thank you for your answer. 
    Very interesting WinRar 7.10 turns the setting into "For user defined types" after you restarted!! I did not spot that.

    Practical usage of this WinRar 7.10 features: When I look back, we did clan statutes, back then, when I was active in First Person Shooter Games. Someone needed to save it and provide it within the clan. Now it is the nature of a community to have an argument with someone and things can get out of hand quickly. Every human is different, so you never know how things can turn.
    In this case, back then, the office file would have had all PMoW data provided. Ofc we all believe every human is good, but if there is really one person which wanna find out more about you and has the skills to do so, PMoW data in a file, someone knows it must be from your PC, is just bad.

    More serious scenario would be a journalist, who is in danger, because the regime he is writing about wants to know where he is currently located.
    As PMoW is not the only concern here, but a small puzzle piece.
    Not to mention PMoW is an unnecessary security downgrade basically for everybody.

    something else. What exactly means "IMPO" ?   First time I read it.

    I am very happy with this topic. If this topic was not created, I would have never known about the PMoW feature
     



    On 2/27/2025 at 10:01 PM, Sarah Kraft said:

    something else. What exactly means "IMPO" ?   First time I read it.

    LoL . . . it was a typing mistake IMPO, IMHO (In My Honest Opinion.) :blush:



    On 2/28/2025 at 5:46 PM, UberGeek said:

    LoL . . . it was a typing mistake IMPO, IMHO (In My Honest Opinion.) :blush:

    ahh  xD  ...  I already guessed, but was not 100% sure :D




