  • A user wants to upload a CHM file to our SharePoint site but it is blocked by default. I know I can unblock it and I know how to do it. Before I unblock it, I would like to know why it was on the blocked list to begin with. Is there a risk or security vulnerability to having them in SharePoint? In other words, why wouldn't I allow users to upload CHM files to SharePoint?

    Thursday, December 20, 2012 3:30 PM


  • To answer this, we need to look at what a CHM file is and why it's a possible risk.

    CHM files are Microsoft's Compiled HTML Help files, created back in the day for Windows 98. They were a way to allow help file authors to create a richer help file (colours, links, pictures) than what was available with the old .hlp files. To do this, an author would create HTML pages and run a tool that would package these into a binary file -- the .CHM file itself (I'm summarizing out the details).

    With that, we see the clue as to why the file is blocked by default in SharePoint (and Outlook and other applications as well). A CHM file is a binary file that can be executed on your machine. 

    It was a different time when the CHM file format was created back in the mid 1990s. Back then Windows had the concept of users, but every user on the computer was an administrator and could run anything on the computer (technically the concept of Administrators didn't really exist since every user could run every executable). This made CHM files a popular delivery mechanism for distributing viruses, trojans, and other malware.

    Since then there has been great progress and development in security and end-user education. In most cases the use of CHM files for documentation has been abandoned for other formats (PDF, HTML, text, Word documents) or mediums (web sites, wikis, knowledge bases, etc). I don't even personally recall the last time I downloaded a CHM file from a software vendor.

    In your case, opening SharePoint to allow CHM files will let this user upload the file. Most users have virus protection on their computers so there is probably little risk in doing this. You could add further protection with a SharePoint-based antivirus solution which will scan files as they are uploaded, downloaded, and periodically on a schedule.

    Jason Warren
    Infrastructure Architect

    Thursday, December 20, 2012 6:12 PM
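
As an added example (not part of the thread above): a Python check that recognises compiled HTML Help content by the `ITSF` signature at the start of the file and compares it with the file name, for reviewing a folder of documents when deciding how to handle the CHM entry on the blocked list. The function names, verdict strings and sample bytes are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

ITSF_MAGIC = b"ITSF"  # signature at offset 0 of a compiled HTML Help file

# Constructed sample: ITSF signature, version 3, header length 0x60, zero padding.
SAMPLE_CHM = ITSF_MAGIC + struct.pack("<II", 3, 0x60) + b"\x00" * 84

def chm_header(data: bytes):
    """Return (version, header_length) if data begins with an ITSF header."""
    if len(data) < 12 or data[:4] != ITSF_MAGIC:
        return None
    return struct.unpack_from("<II", data, 4)

def classify(name: str, data: bytes) -> str:
    """Compare what the file name claims with what the first bytes say."""
    named_chm = Path(name).suffix.lower() == ".chm"
    is_chm = chm_header(data) is not None
    if is_chm:
        return "chm" if named_chm else "chm content, other extension"
    return "chm extension, not ITSF" if named_chm else "other"

def scan(root) -> list:
    """Walk a folder and report every file that is CHM by name or by content."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                verdict = classify(path.name, fh.read(12))
            if verdict != "other":
                findings.append((path.relative_to(root).as_posix(), verdict))
    return findings

def demo() -> list:
    """Run the scan over a temporary folder of constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "manual.chm").write_bytes(SAMPLE_CHM)
        (root / "guide.docx").write_bytes(SAMPLE_CHM)   # CHM bytes, different name
        (root / "notes.chm").write_bytes(b"plain text")  # name only
        (root / "readme.txt").write_bytes(b"hello")
        return scan(root)

if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name}: {verdict}")
```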