Hips and ADS

Discussion in 'other anti-malware software' started by _kronos_, Feb 14, 2009.

Thread Status:
Not open for further replies.
  1. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Hi guys!
    Can you suggest me a HIPS with ADS detection? This is not a simple feature to find in a HIPS.
    I know that only Malware Defender and D+ are able to intercept this kind of behaviour.
    No one else?


    Thanks;)
     
    Last edited: Feb 14, 2009
  2. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This is just a matter of terms. Some vendors claim they do "this and that", but then it appears they do the same as other vendors do without the claims.

    But could you clarify what you mean?

    ADS may stand for (wiki):

    Active Directory Service or Active Directory
    Advantage Database Server
    Airforce Delta Storm
    Alternate Data Streams
    Applied Digital Solutions
    Ardrossan Harbour
    Astrophysics Data System
    Attention Deficit Syndrome
    Automated decision support
     
  3. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Sorry if I wasn't clear:D
    I mean Alternate Data Streams..

    regards;)
     
  4. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    mmm...I saw in the EQS rules topic (Alcyon's ruleset) that he has made a custom rule for EQS so that it can handle ADS..you could take a look there.
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Aha :)

    I think there is no need for special ADS treatment. To create an ADS you need to call the same NtCreateFile, and to run a program from an ADS you need to call the same NtCreateProcess(Ex) or NtCreateUserProcess. The files in an ADS do not differ from "normal" files; the only difference is that the standard shell (explorer.exe) and other "commanders" do not show them. Though there may be a difference (IMHO) when doing a scan. I'm afraid not every scanner scans ADS.
     
  6. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    You'll find Alternate Data Streams rules in my latest ruleset (v1.49.0213). Four rules for file protection and two for applications (in low and high priority sections).
     
  7. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hello all, hello :thumb:Kronos,

    I have:

    # HiJackThis/Open the Misc Tools section/OpenADS Spy ...

    # GMER/on GUI: ADS box ...

    # Usec RADIX/File System/Check for Alternate Data Streams

    #KX-Ray/Data Streams

    # Hazard Shield/Tools/ADS Scanner


    That's enough?:argh:

    Yours PROROOTECT
     
  8. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This is my test with ADS and OA. That is to say, OA never claimed it supports ADS, but here we see the OA HIPS treats an ADS like any other file (and I think other HIPS do the same)
     

    Attached Files:

    • 03.gif (15.9 KB)
    • 04.gif (17.6 KB)
    Last edited: Feb 14, 2009
  9. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Thanks Alcyon!;)
    However, I find it uncomfortable to use EQS under LUA (I tried SuRun, but I don't like that setup) :'(

    I will try your last ruleset in my VM..maybe against some hidden threats:p

    ahah
    Regards!
     
  10. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Hi PROROOTECT!:)

    Thanks for the suggestions, but I was looking for HIPS software that was able to monitor ADS too...not other complementary software:D

    Regards!
     
  11. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Thanks:D
    This is the same for the free version?

    Not all HIPS are able to intercept this behaviour..I tried SSM Pro, Real Time Defender, Malware Defender and D+ with a Rustock sample (winsyst32.exe)...
    only MD and D+ found the ADS..the others didn't (they alerted me about the registry modification...and were able to block the infection when winsyst32.exe tried to load the driver lzx32.sys, but there was no alert for the ADS)

    Regards;)
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    GeSWall protects against ADS, no extra rules needed, protection out of the box
     
  13. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I didn't read this whole thread but did briefly run across some replies, so I just want to echo the fact that if you happen to have EQS 3.41, and at least up to v4/Beta 3, Alcyon fashioned a very solid and useful ruleset for ADS.

    It can stop any ADS from either being created or, if already there, from ever running again at all.

    The reason I know this is I made an alternate data stream that I added to both notepad & calc, then made a VB script & batch file to easily run them. I used my ADS to run a simple .SWF file and a .exe, both safe programs, to see exactly how easily executables can be run in this manner. I even added them to my startup folder to confirm how malware could duplicate this for more malicious purposes.

    Alcyon's rules, which he generously made and which are easily imported if adding separately, block them perfectly, no way around it.

    EASTER
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Can't say for sure, but theoretically it should be the same. The free version doesn't support anti-keyloggers, but is just as secure in the rest as the full version. I'm not sure about Rustock, but as far as I know Rustock uses DDA to infect a system. Would you be kind enough to share winsyst32.exe? Then I could say more :)
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Best ADS detection is by CFP and TF.

    See the example below. They specifically alert you about ADS creation. :thumb: :thumb:
     

    Attached Files:

  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The problem is this doesn't actually mean bad behavior. Some legit apps, for example KIS, use ADS for their own purposes.

    But I agree, the fact that something tries to create a file in a stream could be highlighted. A request has been sent to Mike :)
     
  18. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Well...if you are installing something like KIS, you should expect such a popup (probably not in that case either, since one would probably want to do that in learning mode), since no other everyday apps that I know of use ADS..and KL had their share of complaints for using it.
     
  19. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Since when were HIPS designed to block bad behavior?

    They can't tell whether an action is good or bad. They block everything; period. It's strange that you should think that them doing their core task is a problem.
     
  20. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    He is referring to the screenshot post that aigle made, mate :) D+ gives a short description at the end (a "this is not a typical app behaviour" style comment)
     
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    NTFS alternate streams are documented, so their usage is quite legal and not malicious. It so happens that malware uses them to hide itself from Explorer, but this doesn't mean ADS usage is illegal.
     
  22. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Most certainly it is. Never stated the opposite..just uncommon. And the KL comment was because IIRC they used ADS to store the iSwift technology scan "implants" to make scanning times shorter..could be wrong though, it's been a few years since I read about it.
     
  23. wat0114

    wat0114 Guest

    This article on ADS, written in 2006, may be of interest. The way I see it, the creation of the ADS file (e.g. a malicious executable hidden behind a harmless text file) should be of less concern than the actual launching of the malicious file, in which case it seems as though the "start" command is required.

    Since all HIPS can monitor cmd.exe, there should be no cause for alarm. Maybe I'm missing something, oversimplifying things, but I don't see a problem.

    I see examples in posts #8 & #16 where programs are detecting the creation of ADS files, but how is this the harmful action? Wouldn't the launching of the hidden executable be the real concern?
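    The two points raised above, that Explorer and some scanners never show alternate streams (post #5) and that a stream only matters once something executable is hiding in it (post #23), can both be checked from a defender's side with a small inventory script. The following is an added example written for this thread, not code from any of the products or posters mentioned; it assumes Windows PowerShell 5.1 or PowerShell 7+ on an NTFS volume, and treats the browser-written Zone.Identifier stream as the one routinely benign stream. The scan path C:\Users\Public is an assumed example location.

```powershell
# Added example (not from the thread): inventory NTFS alternate data streams
# under a directory and flag the ones whose content looks like a PE image.
# Assumes Windows PowerShell 5.1 or PowerShell 7+ and an NTFS volume.
function Find-AlternateStreams {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Streams routinely created by legitimate software (Zone.Identifier is
        # the Mark-of-the-Web stream written by browsers); not flagged.
        [string[]] $KnownBenign = @('Zone.Identifier')
    )

    # Get-Content switched from -Encoding Byte to -AsByteStream in PowerShell 6.
    $isCore = $PSVersionTable.PSVersion.Major -ge 6

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists every stream of the file; ':$DATA' is its normal content,
        # which is the only part Explorer ever shows.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $stream = $_
            # Peek at the first two bytes of the stream; PE images start with 'MZ'.
            $head = if ($isCore) {
                Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -AsByteStream -TotalCount 2
            } else {
                Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Encoding Byte -TotalCount 2
            }
            $looksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

            [PSCustomObject]@{
                File        = $file.FullName
                Stream      = $stream.Stream
                Length      = $stream.Length
                KnownBenign = ($KnownBenign -contains $stream.Stream)
                LooksLikePE = $looksLikePE
            }
        }
    }
}

# Usage (assumed example path): list every non-default stream, then narrow the
# view to streams that are neither known-benign nor plain data.
$streams = Find-AlternateStreams -Root 'C:\Users\Public'
$streams | Format-Table -AutoSize
$streams | Where-Object { -not $_.KnownBenign -and $_.LooksLikePE } |
    Format-Table File, Stream, Length -AutoSize
```

    Running this regularly on user-writable locations gives the "scan of ADS" that post #5 says not every scanner performs, and the LooksLikePE column separates the harmless case (a text note or Zone.Identifier tag) from the case post #23 is worried about, an executable parked behind an innocuous file; a HIPS rule on process creation still remains the control for the launch itself.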
     
  24. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Maybe a bit off topic, but I think SAS has an option to scan for ADS.
     
  25. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ