Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

The Case Of The Corrupt Download

Posted by William Diaz on August 23, 2011


The following error was being reported while internal users were trying to install the latest Flash Player from Adobe: “Internal error… ABORT: Certificate authentication failed, please re-install to correct the problem. (/0)
8-23-2011 11-48-33 AM
I was able to reproduce on my workstation so I turned to Process Monitor to see what I could find. I did not filter for any particular process since any number of them could be involved. There were 66,000+ operations so I would need to filter the results. Interested in the less common results, I went to Tools > Count Occurrences, set the filter for Results and saw an interesting NTSTATUS code:
SNAGHTML14cb2835

Looking at the operation, I see a QueryEAFile, a query of the file extension attributes for the downloaded Flash Player installer:
image
0xC0000052 = The file or directory is corrupt and non-readable. But why was the file corrupt in every case? The little light bulb in my head went off and I recalled the Case of the Zip File That Wouldn’t Open. To confirm, I downloaded the installer again and saw the reported size of the file download in Internet Explorer:
image
However, the actual size of the download on the disk:
SNAGHTML14ed02cb
Looking at all the write operations for this file, we see the file is not being downloaded in its entirety, this should be reported at about 749,000 bytes and only 735,000 bytes gets through:
image
The cause: we use a popular cloud-based web security company to filter web traffic. When files are downloaded from the Internet, it looks for specific properties and if the downloaded content matches what ever rules are being applied, then it corrupts the download. Previously, we were only seeing this with zip files downloaded via the Internet that contained multiple binary files but not individual exe’s. In this case, it may be unintended but the web security company should be made aware. In the meantime, we can work around this by changing the IE proxy to an ISA that does not have web traffic filtered. Alternatively, we have also been able to download the complete flash 10.3 in exe or msi format from here:
http://www.adobe.com/products/flashplayer/fp_distribution3.html


Update

Adobe has acknowledged that this is an issue with various security software, including anti-virus products running on personal computers, not just corporate users sitting behind various layers of network security services. Here is a link from the Adobe site: http://kb2.adobe.com/cps/191/tn_19166.html#main_KnownIssues.

As pointed in the comment below, if you are using IE 9, upon completing the download, you may be informed of the potential harmful nature of this program:

image

This is because the digital signature is missing since the file was only partially downloaded. This is also not just limited to the Flash Player web installer download but also the Adobe Reader web installer; I would suspect that other Adobe web installers might also get flagged as malicious and succumb to the same problem.

Since encountering, I have not able to recreate the original ntstatus code I saw above, although the file properties remain the same. Instead I see an access denied result when the web installer attempts to query Winsock2, which is part of the Microsoft Firewall Client for ISA.

Advertisements

5 Responses to “The Case Of The Corrupt Download”

  1. A proxy that deliberately corrupts downloads? That’s just evil.

    http://blogs.msdn.com/b/ieinternals/archive/2011/04/02/not-commonly-downloaded-warnings-will-be-shown-when-running-corrupt-or-incomplete-files.aspx discusses another case where you’ll see errors for incomplete downloads.

    • Thanks for pointing that out: with SmartScreen enabled you will be warned of the possible harmful nature of the download since the end of the file contains the signature but is missing since the download is being interrupted.

  2. […] The Case Of The Corrupt Download & The Case of the Zip File That Wouldn’t Open […]

  3. Joe Price said

    Thank you very much for this. I get this problem all the time and have no choice about filtering, so the explanation and link to the installer downloads was very helpful.

  4. […] by William Diaz on January 14, 2012 In an earlier post, I was encountering cases where the latest Adobe Flash Player web installer was intentionally being […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: