  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7473

Open Security File Warning - Publisher not verified

This problem is complex and hard because I have a service that spawns a thread that listens to a queue. When a job shows up on the queue it is processed. Some of these jobs require the spawning of a process. At this point the thread then activates a process thread and waits until done. The program spawned by the service in question has path \\myHost\utils.exe
The service runs on a Windows 2003 server under the SYSTEM user with interactive checkbox checked off.

Can anyone help me to suppress the security settings causing the prompts:
Open Security File

The Publisher could not be verified. Are you sure you want to run this software?

Name: myprogram.exe

Publisher: Unknown

Type: Application

From:  \\MyHost\Vol\myprogram.exe

The file does not have a valid signature that verifies its publisher. You should only run software from publishers you trust.
How can I decide which software to run?


This popup window prompt appears as soon as an attempt to run  \\MyHost\Vol\myprogram.exe

as SYSTEM in interactive  mode from a service thread.

I expect this to be a hard one to resolve. Here is what worked under an Admin user: MyDomain\Ruler and its logged in user: Ruler

Note for such a user I did the following successfully, however, this being a system account:

System, I do not know how to configure the settings to not prompt in the above case under system. Under any domain user though I was successful in applying the following changes
for a domain user. Thus far I have not figured out how to do this for the system user.
I even tried running a scheduled cmd /k command in the Task Scheduler as an at job
and running Internet Explorer as SYSTEM user and making the same settings as worked for a domain user using the steps below:

In Internet Explorer itself  
click on Tools
click on Internet Options
click on the security tab (2nd from the top left)
click on the Local Intranet zone
click on Advanced  
Add the *.MyDomain.com  
by entering the actual domain to be part of the intranet (should be your own domain or a highly trusted domain) and click on the add button immediately to the right of the text box for the domain entry.
click OK
** Note: remove any duplicate trusted site (you cannot add your domain unless it is not in the trusted sites)

Solution #2 is to add the *.Mydomain to the trusted sites as follows:
Click on custom level  
Scroll down until you come to the option:
Launching applications and unsafe files
Click on enable there and that is only for the list of trusted zones indicated since the custom level is for under the umbrella of trusted sites.

Any help would be appreciated in fixing this security prompting situation.
0
Robert Silver
1 Solution
 
Phil_Agcaoili Commented:
I would load the program locally and then create a batch file to start the application and use the batch file as the startup program and let it start myprogram.exe.

The batch file line would read:
Start X:\path\to\myprogram.exe

The alert window will not appear using this method.
0
 
Robert Silver (Author) Commented:
Not the answer I was looking for. I would like to run the application on the network share where it is updated. I had considered localizing the executable but that is like saying
"Okay, tell me how to map a network share" and then telling me to use a local drive, well, sort of.

I already checked out the Group Policy Object and found that it had no software policy, so if so,
where is this prompt coming from? One of the Policy editors in my firm tells me he knows of no setting he put there that would cause the prompts.

There must be a real solution to this problem. One of those secrets Microsoft keeps to themselves no doubt!

Thanks for the reply though!
0
 
Lee W, MVP, Technology and Business Process Advisor Commented:
Unfortunately, while I think I understand the issue, I do not have an answer.  I believe the solution is in finding a way to turn off the digital signature security - which I THOUGHT I saw once but have been unable to locate any reference to it.
0
 
Jay_Jay70 Commented:
I have a suggestion but I can't remember if it actually applies to this exact issue - I know it applies to driver signing but am not positive if it applies to the sw signature so try not to bite my head off if I am wrong....

in your group policy or local policy depending if you're in a domain,

under computer config \ windows settings \ Security Settings \ Local Policies \ Security Options \ Unsigned Driver Installation behaviour

try setting this to silently succeed

as I said I am not positive that this is the solution but I know we resolved it recently as we were having trouble with pervasive software but I am not sure if this was the way - I will keep researching as well
0
 
Keith Alabaster Commented:
Thanks Jay_Jay

Regards
Keith
0
 
Robert Silver (Author) Commented:
No, that Unsigned Driver behavior item was a no go. It was already set to silently succeed.
0
 
Jay_Jay70 Commented:
ah ok, it was a long shot as mentioned, I am certain there is a way around it as we beat the pervasive issue...... I'll keep looking
0
 
Jay_Jay70 Commented:
are you not getting the option to tick "always perform this action"?
0
 
Robert Silver (Author) Commented:
I got the answer myself as it turns out. I have no time to post it now but it will be complete.
It has to do with the Group Policy Object
under the user configuration and Security under Internet Explorer Maintenance under  and
ultimately:  Security zones and content ratings
right click properties
import security settings radio button
click continue
click modify settings
select intranet
click on sites
click on advanced
add the share host e.g \\MYSHAREHOST
More exact detailed answer to follow
0
 
Jay_Jay70 Commented:
ha, I read that yesterday whilst I was looking but didn't think it applied to your scenario at all - I thought it was web based, guess it pays to not overlook even slight possibilities
0
 
Robert Silver (Author) Commented:
It also shows you how overcomplex and non-intuitive Microsoft security is these days.

login as Administrator

click on Start
click on Run
type:  mmc       into the textbox and click OK
click on File
select add/remove snap-in
click add
select group policy object editor
click add
click finish
click close
click ok
click the plus  to the left of Local Computer Policy
click  the plus to the left of User Configuration
click the plus to the left of the Windows Settings
click the plus to the left of Internet Explorer Maintenance
click Security under Internet Explorer Maintenance (has a lock on the folder icon to the left)
Now to the right is Security Zones and Content Ratings. Now right click on that
You will see a drop down menu. Select properties
Choose the "Import the current security zones and privacy settings" radio button
Click on Continue
click on Modify Settings
Select Local Intranet
click on Sites button
click on Advanced
type in name of share host e.g  for \\MYSHAREHOST\VOLUME      type in  \\MYSHAREHOST
click Add
Click close

Then system should interact with desktop and launch programs from any share on that host
that do not possess valid publisher signatures like the one in my question.
0
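A way to audit the setting that the procedure above changes, as an added example that is not part of the original thread: it lists every host the zone map places in the Local Intranet or Trusted Sites zone, the zones the thread uses to stop the unverified-publisher prompt, including the copy stored for the SYSTEM account. It assumes the standard Internet Settings ZoneMap registry locations and an elevated PowerShell session; `Get-ZoneMapEntry` is a hypothetical function name.

```powershell
# Added audit example, not from the thread. Get-ZoneMapEntry is a hypothetical name.
# Zone numbers as Windows defines them for URL security zones.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';    4 = 'Restricted Sites' }

# Hives to inspect: current user, machine, and LocalSystem (SID S-1-5-18),
# the account the service in the question runs under.
$hives = 'HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE', 'HKEY_USERS\S-1-5-18'
# Preference and policy copies of the zone map.
$bases = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
         'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
# EscDomains replaces Domains while IE Enhanced Security Configuration is enabled.
$lists = 'Domains', 'EscDomains'

function Get-ZoneMapEntry {
    foreach ($hive in $hives) {
        foreach ($base in $bases) {
            foreach ($list in $lists) {
                $root = "Registry::$hive\$base\$list"
                if (-not (Test-Path -LiteralPath $root)) { continue }
                # Host keys can nest (domain\subdomain), so walk the whole subtree.
                $keys = Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue
                foreach ($key in $keys) {
                    # Each value name is a protocol (file, http, *); its data is the zone.
                    foreach ($protocol in $key.GetValueNames()) {
                        $zone = $key.GetValue($protocol)
                        if ($zone -isnot [int]) { continue }
                        New-Object PSObject -Property @{
                            Hive     = $hive
                            Policy   = ($base -like '*\Policies\*')
                            List     = $list
                            Site     = ($key.Name -replace '^.*?\\(Esc)?Domains\\', '')
                            Protocol = $protocol
                            Zone     = $zone
                            ZoneName = $zoneNames[$zone]
                        }
                    }
                }
            }
        }
    }
}

# Report only the zones the thread relies on to stop the prompt.
Get-ZoneMapEntry | Where-Object { 1, 2 -contains $_.Zone } |
    Select-Object Hive, Policy, List, Site, Protocol, ZoneName |
    Format-Table -AutoSize
```

A `file` entry for a share host in this output means unsigned executables on that host launch without the publisher warning, so each listed host should be one whose share contents and write permissions are controlled.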
 
Keith Alabaster Commented:
Nice work Sherlock!!

http://www.experts-exchange.com/help.jsp#hs5

Regards
keith

0
 
Keith Alabaster Commented:
No complaints here. He did a great job
0
 
Jay_Jay70 Commented:
none at all
0
 
GranMod Commented:
Closed, 500 points refunded.
GranMod
The Experts Exchange
Community Support Moderator of all Ages
0
