Installation files that are copied from a remote location are not allowed to execute.

Article:TECH104972  |  Created: 2008-01-21  |  Updated: 2012-08-20  |  Article URL http://www.symantec.com/docs/TECH104972
Article Type
Technical Solution


Issue



Not able to install Symantec Endpoint Protection (SEP).

Installing from files that are copied from a remote location. For example: group-policy, Systems Management Server (SMS), Altiris, Web-hosted download, shared drive or folder.

Symptoms
Attempts to execute a file that has been copied from a remote location result in the errors:

"Windows cannot access the specified device, path, or file. Logged on user may not have the appropriate permissions to access the item".
"Internet Explorer - Security Warning, Unknown Publisher."
"This file does not have a valid digital signature."
"The Publisher could not be verified."

 


Cause



Windows XP SP2 and Windows Vista come with Microsoft's Attachment Manager. The Attachment manager helps to protect the computer by identifying files that have been copied from a remote zone then blocking those files if configured to do so.


Solution



There are several methods for resolving this issue.

Method 1 - Manual removal of the stream data 

  1. Right-click the file that is blocked and select Properties.
  2. On the General tab there will be a section at the bottom labeled "This file came from another computer and might be blocked to help protect this computer." Click Unblock.
  3. Repeat this process for all blocked files.

Method 2 - Modify Group Policy

This policy will prevent alternate data streams, such as those used by Attachment Manager, from being written.
This will not remove alternate streams from Existing files.
This may have side-effects for other software, please test before implementing across a production environment.

  1. Click Start > Run
  2. Type gpedit.msc
  3. Click OK
  4. Go to User Configuration > Administrative Templates > Windows Components > Attachment Manager
  5. Double-click Do not preserve zone information in file attachments
  6. Click the Enabled to keep Windows from preserving zone information

Method 3 - Use the Streams command-line utility

Streams is a command-line utility available from Microsoft/Sysinternals that can read, report, and remove stream data for files and folders.
Streams is available from Microsoft at: http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

An example command line to remove all stream data from a client package would be:
streams -s -d c:\SEP_Client_Folder

Usage: streams [-s][-d] <file or directory>
-s = Recurse subdirectories
-d = delete streams


References
For a screenshot of the setting window (method 1) http://www.mssqltips.com/tip.asp?tip=1262

Streams: http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
Information about Vista: http://blogs.msdn.com/gblock/archive/2006/12/19/tips-steams-zones-vista-and-blocked-files-in-ie.aspx
Description of how the Attachment Manager works in Windows XP Service Pack 2: http://support.microsoft.com/kb/883260

 



Legacy ID



2008052112594548


Article URL http://www.symantec.com/docs/TECH104972


Terms of use for this information are found in Legal Notices