
Hidden NTFS data stream detected!


carlnalex
August 28th, 2003, 12:42 AM
After running TDS I was alerted to a hidden data stream, as shown below. The file that it related to was something called MZ.exe. I am at a loss as to what this file refers to, and a system search for such turned up no matches. I am also unfamiliar with the recycler folder and its usage, this being the location of the hidden stream. Any further help would be greatly appreciated. Is this safe enough to delete?


- Removed bad image link

Pilli
August 28th, 2003, 01:23 AM
Hello Carlnalex, Unfortunately your attachment is not showing for me.
Any data stream less than 256 bits will be harmless. I have TDS3 set not to show data streams with less than 90 bits - TDS Scan Control - Ads stream options - Ignore streams less than.
Many small streams are tied to graphics files.

HYH Pilli

Wayne - DiamondCS
August 28th, 2003, 05:17 AM
-{ Quote: "Any Data stream less than 256 bits will be harmless" }-
Bits or bytes? :)
You could still have, for instance, a malicious .bat or .com file hiding as a stream, but yes, most small streams are harmless. Usually a quick look at the header of the stream is the way to go - if it's "MZ", then you know it's an exe. If it's "GIF89", then you know it's a gif image, etc etc :)
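
The header check Wayne describes, written out as an added example (not code from the thread or from TDS): a stream is classified by its leading bytes and by its size in bytes, with the size threshold deliberately stated in bytes since the thread's bits/bytes mix-up matters. The magic values beyond "MZ" and "GIF89a", the 256-byte limit and the sample streams are assumptions constructed for this example.

```python
import os

# Magic headers: the two named in the thread plus a few other common ones
# (added assumptions). Anything else is reported as "unknown".
KNOWN_HEADERS = {
    b"MZ": "Windows executable",
    b"GIF89a": "GIF image",
    b"GIF87a": "GIF image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF": "PDF document",
}

# Threshold in BYTES, not bits (assumed value, matching the 256 in the thread).
SMALL_STREAM_BYTES = 256


def classify_stream(data: bytes, small_limit: int = SMALL_STREAM_BYTES) -> dict:
    """Classify an alternate data stream's contents by header and size.

    An executable header is flagged for review regardless of size, since
    a small stream can still hold a runnable .com/.bat-style payload; an
    unknown header is flagged only when the stream is not small.
    """
    kind = "unknown"
    for magic, name in KNOWN_HEADERS.items():
        if data.startswith(magic):
            kind = name
            break
    # Plain ASCII with no NUL bytes in the first 64 bytes is treated as text.
    if kind == "unknown" and data and b"\x00" not in data[:64]:
        try:
            data[:64].decode("ascii")
            kind = "text"
        except UnicodeDecodeError:
            pass
    small = len(data) < small_limit
    review = kind == "Windows executable" or (kind == "unknown" and not small)
    return {"type": kind, "size": len(data), "small": small, "review": review}


def inspect_ads(path: str, stream: str) -> dict:
    """Read the NTFS stream 'path:stream' (Windows/NTFS only) and classify it."""
    if os.name != "nt":
        raise OSError("alternate data streams require NTFS on Windows")
    with open(f"{path}:{stream}", "rb") as fh:  # file:stream opens the ADS
        return classify_stream(fh.read())


if __name__ == "__main__":
    # Constructed samples: an 88-byte stream with an EXE header, and a GIF.
    for sample in (b"MZ" + b"\x90" * 86, b"GIF89a" + b"\x00" * 40):
        print(classify_stream(sample))
```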

carlnalex
August 28th, 2003, 02:02 PM
Thank you for the update. So the MZ is just TDS's way of identifying an EXE-associated file, no wonder it was not traced with a system search ...lol

I had previously checked the script using notepad, but all that was shown was a single line of square characters, nothing legible to me.

The previous attachment was supposed to show the TDS warning explanation, I will try again just for reference.

I have altered TDS settings to ignore small streams as advised. Is there any way to find the actual associated file?

Thanks again
;D

Pilli
August 28th, 2003, 02:26 PM
;D Carlnalex, 88 bytes hence my 90 byte limit - Very common occurrence and nowt to worry about.
Wayne was pointing out that I stated "bits" & not bytes - Making it Kbytes could be dangerous ;D
-{ Quote: "Is there any way to find the actual associated file?" }-
I have a feeling that many are to do with thumbs.db - Also some AVs use data streams as a sort of checksum.

Quite often the associated file is shown when right clicking the data stream within the TDS3 readout.

Sorry I cannot give you an authoritative answer, but I am sure DCS will.

Wayne - DiamondCS
August 28th, 2003, 10:24 PM
It's probably harmless - you can't do too much damage with 88 bytes, but to inspect it closer just right-click on it and you can then view the file

Jooske
August 29th, 2003, 05:27 AM
The filename is *.TXT and it is an EXE ?
Or was that the saved text from the alert(s)?