"Your current security settings do not allow this file to be downloaded"

[katz]

This is a stumper for me.

HP Pavilion h8-1010 Desktop Win 7 x64 - SP1

Came in for cleanup/malware removal. Had minor infections, normal toolbar stuff that we see, such as ask, etc. I am certain that the system is clean, ran tweaking tool after cleanup. Installed Bitdefender 2015 AV.

The issue is that the File download setting keeps getting toggled to "disabled" by something and we end up with

"Your current security settings do not allow this file to be downloaded".

I can do the following steps, and all is well for about a day or so, and then we end up with the same issue.

Internet Explorer.
Tools » Options.
Click on the Security tab.
Select the Internet Zone.
Click on the Custom Level button and then scroll down to Downloads.
Make sure to set File download to Enable.
Click OK.

I've reset the browser, disabled the AV in case Bitdefender is doing something quirky but it still occurs.

I haven't been able to spend a lot of time on it today, but I thought maybe I would create a new user profile and see if it occurs there. Customer does not want to use Firefox as a workaround, so I haven't even tried that.

Any ideas at all?

 

[AndyM]

Have you checked Group Policy?

gpedit.msc

Andy

 

[Markverhyden]

Rather than disable Bitdefender do a complete uninstall and see what happens.

 

[katz]

Thanks guys - after my post I decided to install FF and downloads work just fine with it. So, Firefox downloads work swell, it's just the I.E. 11 that seems to be a problem.

I.E. is still giving me the same error unless I go in and change the setting to allow the download.

It seems like it happens after a reboot, that is the setting gets toggled to "disabled."

@ Andy - when I try that I get "Windows cannot find gpedit.msc"

@Mark - Guess that may be my next step. Got a good deal on that AV and hate to have the licenses go to waste...

 

[Markverhyden]

@ Andy - when I try that I get "Windows cannot find gpedit.msc"
(

Then you have a Home version and that plugin is not part of it. Also a EULA violation to try to enable it.

This link gives you a map of where in the registry you find the various features in gpedit.msc

http://www.microsoft.com/en-us/download/details.aspx?id=25250

 

[Xander]

I can do the following steps, and all is well for about a day or so, and then we end up with the same issue.

I think that's the key point here. It's not that you haven't reset the right settings but I'd bet that there's something still setting them back.

 

[Slaters Kustum Machines]

Any Scheduled Tasks or anything odd in Startup?

 

[The Silent Hobo]

If I remember right,

I had that on a client's computer that had a Zero Day bug that wouldn't go away. It wouldn't let her download any files from internet explorer at all and gave her the same message.

I ran D7 on it a few times and still couldn't get rid of it. I ended up nuking it and starting over.

She was happy after that.

So, you might possibly have a zero day bug on there, but don't quote me on that.

Josh

 

[katz]

If I remember right,

I had that on a client's computer that had a Zero Day bug that wouldn't go away. It wouldn't let her download any files from internet explorer at all and gave her the same message.

I ran D7 on it a few times and still couldn't get rid of it. I ended up nuking it and starting over.

She was happy after that.

So, you might possibly have a zero day bug on there, but don't quote me on that.

Josh

At this point, is there any AV that will identify or remove Zero Day infections? I searched but I don't see any recent articles other than one back in April 2014.

 

[YeOldeStonecat]

I recall our tech ran into this a couple of times last year. A certain malware gave this symptom (he forgets which one...I just asked him).

He uninstalled the current version of Internet Exploader...(via windows updates/programs)...bounced the rig, and then downloaded 'n reinstalled the latest.

 

[jbartlett323]

Had a very similar problem awhile back, and it was Windows Defender causing it. Copied all defender files from a working machine (programdata, program files, and (x86)), and message went away. As I understand it, Defender scans all downloads from IE. So if its borked, IE is borked. Defender does this whether MSE is installed or not.

 

[cypress]

Did you scan for rootkits? If so what tools did you use?

 

[ohio_grad_06]

Take a look here and see if this helps. I had a machine, also home machine come in, would not load AV, kept saying group policy was blocking it.

I'd posted this in TEO, but still had the link up, this youtube video below, look at 1:31 on it. It's not even 3 minutes however, but for the one I worked on, I deleted the registry key they showed and it all came back up working after a reboot.

https://www.youtube.com/watch?v=0jhB91LL8hA

 

[katz]

Thanks to all for the suggestions - here is an update on this;

All rootkit/other scans come up clean. Software I've run;

Avast/rootkit scanner
Emsisoft emergency kit
NPE
TDSS killer
Mbam
Sas
ADW
Eset Online Scanner
Panda Online Scanner
RogueKiller
Hitmanpro
Emco malware destroyer

ccleaner
cleanup


Reset browser

As per YeOldeStonecat's entry, I've uninstalled IE 11, rebooted and IE 8 is now installed. When I bring up IE 8 I get a blank white page. If I type in an address & hit enter, nothing happens.

At present I am running the tweaking tool in an attempt to fix it, but it looks like the uninstall as well as something else may have borked the browser.

FF continues to work fine.

As always the customer wants it back as soon as possible.

Which is why I performed a routine cleaning when I saw that there was not much malware present initially. In the end I may be doing a nuke/pave anyway...

EDIT: - Tweaking tool did not fix the IE issue.

 

[Krynn72]

As per YeOldeStonecat's entry, I've uninstalled IE 11, rebooted and IE 8 is now installed. When I bring up IE 8 I get a blank white page. If I type in an address & hit enter, nothing happens.

I had a different issue with ie recently after a malware removal where a customers EarthLink home page would not load her personalized page, just the default one despite being logged in. Even when I rolled it back to ie 9 it was the same issue. But them I re updated it to 11 again and it worked. She hasn't been back since. So try going back to ie 11 again, see if that helps. She had a hijack, and I think it messed up something good, and only by reinstalling ie 11 again did it fix the issue.

 

[AndyM]

What about System Restore? Most of us overlook it, but it does come in quite useful some times. Is there a restore point that you could use?

Andy

 

[frederick]

Been running in to this a lot with a couple of different rootkits the last few weeks:

1) Boot system with the Bitdefender Rescue CD
2) Let it run
3) Reboot system, go at it like normal

 

[katz]

Thanks to all for the suggestions, much appreciated. Since this pc has never been gone over since new, I decided it was easiest to back up the minimal data on here and go for a fresh install.

The client has been patient and wanted it back as soon as possible, so I couldn't really afford to take any more time trying various fixes, when I knew a fresh install would cover all the bases. Bookmarked for future reference, and I may attempt a few of these fixes if I run into this again.

 

[TimM]

Probably a bit late now, but I think you'll find that a version of ZeroAccess has created NTFS junctions over the program folder and files for Windows Defender. I've seen this several times (though not for a few months) and used the NTFS Junctions section of Malwarescan in D7/d7II to destroy the junctions without deleting the underlying files.

 

[Jonathan]

One of the recent poweliks infections I removed was causing this after every reboot