I'm encountering an issue on Windows 11 (Enterprise, 25H2) where the Mark of the Web (MOTW) feature is automatically getting stripped off executables downloaded from the internet. For instance, when I download putty.exe, it initially shows the correct zone information indicating it's from the Internet Zone (ZoneId=3). Normally, this should prevent the file from executing until I manually unblock it via properties. However, the zone identifier gets removed automatically once I attempt to run the file, allowing it to execute without any prompts. Has anyone experienced this? I'm unsure where to start troubleshooting this problem.
3 Answers
Check your group policy settings. If you have 'Do not preserve zone information in file attachments' enabled, that could be what's causing the MOTW to disappear.
Could this connect to a recent issue with SentinelOne? There was a reported problem where MOTW files were flagged and removed due to their hash getting categorized improperly. Are you receiving any alerts from your antivirus when this happens?
You might want to run Process Monitor on your system to track down what's stripping the zone information. It could give you insights into which process or action is causing the MOTW to be removed.
That’s a great suggestion! I’ll definitely try using ProcMon and see what I can find.

We actually don’t use SentinelOne; we’re a Defender P2 environment. So I’m puzzled about what’s causing it.
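A diagnostic sketch for the checks suggested in this thread, added as an example and not taken from any poster: it reads the policy value behind "Do not preserve zone information in file attachments", reads the file's `Zone.Identifier` stream, and timestamps the moment the stream disappears so it can be matched against a Process Monitor trace. The function names and the default download path are assumptions.

```powershell
# Added example. Get-MotwZone / Get-SaveZonePolicy are hypothetical helper names;
# the default path is a placeholder for wherever the download was saved.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\putty.exe",
    [int]$TimeoutSeconds = 120
)

function Get-MotwZone {
    param([string]$File)
    # MOTW lives in the NTFS alternate data stream Zone.Identifier,
    # an INI-style blob: [ZoneTransfer] followed by ZoneId=N.
    $lines = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    $m = $lines | Select-String -Pattern '^\s*ZoneId\s*=\s*(\d+)' | Select-Object -First 1
    if ($m) { return [int]$m.Matches[0].Groups[1].Value }
    return $null
}

function Get-SaveZonePolicy {
    # SaveZoneInformation: 1 = do not preserve zone info, 2 = preserve, absent = not configured.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
        $val = (Get-ItemProperty -Path $key -Name SaveZoneInformation -ErrorAction SilentlyContinue).SaveZoneInformation
        [pscustomobject]@{ Hive = $hive; SaveZoneInformation = $val }
    }
}

Get-SaveZonePolicy | Format-Table -AutoSize

$initial = Get-MotwZone -File $Path
if ($null -eq $initial) {
    Write-Host "No Zone.Identifier stream on $Path (already stripped, or never written)."
    return
}
Write-Host "Initial ZoneId=$initial. Launch the file now; polling for stream removal..."

# Poll until the stream vanishes, then print a precise timestamp to line up
# with the Process Monitor capture of the same time window.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    if ($null -eq (Get-MotwZone -File $Path)) {
        Write-Host ("Zone.Identifier removed at {0:o}" -f (Get-Date))
        return
    }
    Start-Sleep -Milliseconds 200
}
Write-Host "Stream still present after $TimeoutSeconds seconds."
```

Run it in one console while a Process Monitor capture is active, then look at file operations on the executable around the printed timestamp to see which process touched the stream.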