NTFS : Alternative Data Streams

[Vikorr]

Interesting article that explains this 'vulnerability'
http://www.windowsecurity.com/articl...a_Streams.html

[Rmus]

Quote:

Originally Posted by Vikorr

nice article that explains this 'vulnerability'
http://www.windowsecurity.com/articl...a_Streams.html

Like rootkits which go back to UNIX days, ADS has been around awhile, and the concept is being put to good use in raising the fear factor amongst those concerned about security.

KAV put the technique to use in a recent version and has raised the level of dialogue almost to the shouting level. A post in the DSL forum touched on this:

http://www.dslreports.com/forum/rema...194?hilite=ads

And the whole concept of ADS as a threat was argued back and forth in this thread, begining with May 21 posts, p. 3:

http://www.dslreports.com/forum/remark,13436505

Over in the TDS forum here, there is a thread:

http://www.wilderssecurity.com/showthread.php?t=32861

Like so many ideas being discussed today, including buffer overflow, one has to consider what the probability is that something could be a danger to the home user. I say home user, because some are starting to question what a home user really has to be concerned about. Kareldjag makes this point in the buffer overflow thread in this forum (post #48 )

----------------------------------------
Is a specific buffer overflow protection really necessary for a home user on a Windows system?

I don't think that's it's really necessary.

From a statistical point of view, home users are more concerned by virus, trojans (CWS) and pricipally spywares (hijackers) than by B.O attacks.
-----------------------------------------

So, while it's interesting to read articles such as this one, users should keep things in perspective and realize that without a technical background, one might not really be able to understand/evaluate everything that's being presented. In the KAV thread above, one user bemoaned, "i just barely understand this topic,..."

regards,

-rich

[Vikorr]

heh, of course such things need to be kept in perspective. I personally found it interesting, because my AT, TrojanHunter checks the streams, and I had always wondered what they were.

I also agree with your view on buffer overflows...that it probably isn't worth buying more security apps to protect specifically against them (even if they could comprehensively, which it seems they can't)... but it never hurts learning about them, and checking to see if there are ways to prevent them

Thanks for all the extra links too

[Rmus]

Quote:

Originally Posted by Vikorr

heh, of course such things need to be kept in perspective. I personally found it interesting, because my AT, TrojanHunter checks the streams, and I had always wondered what they were.

How do you use this info on streams that your programs are checking?

-rich

[MikeBCda]

Every once in a while, out of curiosity, I'll have Ad-Aware do an ADS scan on my full drive. So far, consistently "no new items".

If I take a look at the log for such a scan, then oddly enough (or maybe not so oddly, to someone more knowledgeable) the vast majority of things it turns up but doesn't feel are worth flagging are MID's in my collection.

[richrf]

Hi everyone,

A couple of weeks ago, KAV real-time (not on-demand) detected malware in some ADS (one by one) on my friends machine. I was able to scan and clear easily because there were only a handful of ADS on the machine to look at and make a determination. Had there been tens of thousands, (e.g. the KAV 5.0 scenario with iStreams), the problem would have been much more difficult. However, this begs the question of whether those ADS malware would have ever gotten on the machine if KAV was running instead of Norton. . Anyway, he is now running KAV sans ADS.

Rich

[Vikorr]

Rmus, I don't 'use the info' that my programs are checking, they check for trojans in ADS, and remove them. I don't need to know about ADS except that I was curious about what it was.

[Rmus]

Quote:

Originally Posted by Vikorr

Rmus, I don't 'use the info' that my programs are checking, they check for trojans in ADS, and remove them. I don't need to know about ADS except that I was curious about what it was.

OK, thanks - I wasn't sure what you meant and just was curious...

-rich

[Peter2150]

When I first trialed KAV I discovered it broke First Defense. Cause was the ADS from KAV. It "only" created 32000 of them. Fortunately Kaspersky does have a removal tool, that gets rid of them all in one swipe. I reinstalled KAV turning off the Istreams and all is well. I am likeing KAV 5.0

Pete

[bigc73542]

I use Kav 5.0.325 and I have always used Kavs ADS. It doesn't affect my computers operation, it speeds up my on demand scans and if another malware tries to use the ADS Kav will detect it immediatly with the next on demand scan. Who knows if it would be detected without The ADS streams in use by Kav. Besides Kav didn't invent ADS, microsoft puts them in windows Kav just uses them.

[Peter2150]

Hi Bigc

My problem was that KAV scans ADS, but that it creates them. That in and of itself isn't a problem, but if you go to the Raxco site, it state that First Defense and KAV aren't compatible, and with a default setup on KAV they are right. But if you turn off the Istreams technology on install so KAV doesn't use ADS(as opposed to scan) then KAV and First Defense play very well together. This was a good compromise for me as I wanted to use KAV, but won't give up First Defense. Only penalty, might be slightly longer on demand scan time with KAV. I can live with that.

Pete

[richrf]

Hi Peter and bigc,

There are many security vulnerabilities introduced by ADS, which have been discussed on other thread, that appear to be hardly offset by any performance improvements (especially if the default quarantine period of one year is accepted). Suffice to say, that Kaspersky' engineers have apparently reviewed the pros and cons of using ADS in their product and have ADS from version 6.

Rich