Will using FAT32 make rookits harder to hide?

It seems many recent rootkits can hide themselves in the alternate data stream on NTFS volumes. Other than the 4 GB file size limit, for most home users using FAT32 seems a convenient (and safer) choice than using NTFS, in terms of leaving one less (and common) place for rootkits to hide themselves. Just a thought from a novice like me.

 

I have a "friend" with a laptop with no fw and no av. He downloads lot's of porn and visits on a regular basis such websites. He's dumb too, so he's the kinda guy to get in trouble really easily.

I used the obvious scanners to c what's up. To my suprisement he was not infected. He usin fat as well.

 

My idea is simple. By using FAT32, I can boot up from a Win 9x/ME/2000 CD and run any one file management utility program (which can be downloaded from many shareware sites) to save a listing of directories and files on the FAT32 partition. Then I will boot up XP in normal mode, run the same utility program and save another directory/file listing. Finally I diff the two listings to look for hidden files.

 

I use FAT32 and still get infected... But haven't really gotten a rootkit... Maybe its because trojans are popular on sites now a days...

 

Using ADS is just one way that rootkits can hide themselves. Most will use other techniques, so switching to a FAT32 file system will only confer a minimal improvement and still leave you wide open to many other forms of attack.

In my opinion, NTFS is so much more reliable, resilient and efficient than FAT32 that anyone who still uses FAT32 is really doing themselves no favours at all.

 

I was not saying not to use other security programs when using FAT32. I think using FAT32 make it harder for rookits to stay undetected. There is one less place (ADS) to hide and there are many old and new file/disk tools that can show directories/files on a FAT32 partition after booting even from a floppy disk. I am not sure if NTFS is really more reliable and resilient and efficient than FAT32. I had been running FAT32 on my C drive without any loss in speed or data integrity. Besides, I had not read about any hidden rookit that worked on FAT32 yet. It might be the fact that NTFS was the default format and the malware writers just targeted the bigger crowd.

 

It is more simple to hide rootkit on NTFS, but it is also very easy to do on FAT32. So my answer on topic title question - no.