Results 1 to 4 of 4

Thread: VS security warning for WinForms component (dll downloaded from a network location)

  1. #1

    Thread Starter
    Lively Member
    Join Date
    Oct 2014
    Posts
    94

    VS security warning for WinForms component (dll downloaded from a network location)

    Our customers have a legal copy of a WinForms component compiled for .NET Framework 4. Recently they surprised us - they can no longer add it to the Toolbox in Visual Studio 2019 and use it in VB.NET WinForms projects. The installation package of the component simply does not create the icons on the Toolbox automatically without reporting any errors, though earlier it worked without any problems.

    While investigating this issue, I tried to add the component to the Toolbox manually and faced a strange security warning while doing this. First I create a new Toolbox tab, then open the Toolbox context menu and select the Choose Items... command to open the Choose Toolbox Items dialog. If I click the Browse button in the dialog on the default .NET Framework Components tab and select the component in the File Open dialog, the following security warning appears:

    Name:  warning message box.png
Views: 235
Size:  9.1 KB

    Security warning: 'C:...\Something.DLL' may have been downloaded from a network location, and it can potentially harm your computer. Only load assemblies from publishers you trust.

    Do you want to load it anyway?
    If I allow adding of the component in this message box by clicking Sì (Yes in Italian), it appears on the Toolbox, but it still cannot be added to a WinForms form. It does not appear on the form if we double-click its icon on the Toolbox or drag-and-drop it onto the form. The only thing that appears is a reference to the component in the References node of the project in the Solution Explorer.

    It is very strange because the same component works without any problems on another pc of our customers. I tried to reinstall the component, cleaned all remnants on the disk and in the registry after previous installations of the component, checked the component digital signature, launched VS with admin rights, checked it with the alternative antivirus the customer is using (BitDefender) - nothing helped.

    The only workaround that helps to solve the problem is the following. If the component DLLs are copied to C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE, they can be successfully added to the Toolbox without any security warnings.

    What can be the reason of this problem specific only for one instance of Visual Studio? The customers were using the latest build of Visual Studio, v16.10.3, on the moment of investigating this issue.

  2. #2
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    110,302

    Re: VS security warning for WinForms component (dll downloaded from a network locatio

    This happens when you download a ZIP file from an untrusted source and then extract the data immediately. In File Explorer, you can open the file properties and unblock the file to mark it as trusted and then extract it. There should be no warning in that case. It might not be limited to ZIP files but I think that's the only time I've seen it.

  3. #3

    Thread Starter
    Lively Member
    Join Date
    Oct 2014
    Posts
    94

    Re: VS security warning for WinForms component (dll downloaded from a network locatio

    Yes, I know about this. The problem is that the component installer is an exe, which is signed with a digital certificate. As such, it does not have the Unblock checkbox in the file properties and is launched 'as is' without any security warnings in Windows. The only message displayed by the OS is the UAC prompt to elevate privileges to admin when the setup exe is launched. BTW, the UAC prompt correctly displays the publisher which is considered verified.

  4. #4

    Thread Starter
    Lively Member
    Join Date
    Oct 2014
    Posts
    94

    Re: VS security warning for WinForms component (dll downloaded from a network locatio

    I am back after my vacation and a lot of experiments on my pc and the customer's pc. I saw how different browsers (Edge, Chrome) add NTFS alternate data streams named "Zone.Identifier" with the standard contents and "SmartScreen" with the string "Anaheim" to downloaded files to mark them as potentially unsafe. I even reproduced the VS security warning on my pc by adding the "Zone.Identifier" ADS to the local component DLL manually with Notepad. However, I was extremely surprised when I saw no ADS streams on the customer's pc, but VS still reported that the DLL "can potentially harm your computer". How VS could know that the files were downloaded if no ADS streams were present??!!!!

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width