Alternate Data Streams Follow-up?

Discussion in 'NOD32 version 2 Forum' started by minerat, Oct 21, 2005.

Thread Status:
Not open for further replies.
  1. minerat

    minerat Registered Member

    Joined:
    Oct 21, 2005
    Posts:
    14
    Hi,

    I'm evaluating NOD32 and I have a question about ADS scanning. According to this thread - https://www.wilderssecurity.com/showthread.php?t=51307 - ADS support in the on-demand scanner was planned. I noticed in the 2.5 release notes that an ADS check was added. I interpreted this as adding the check to the on-demand scanner, because AMON has picked up on ADS at least since that thread was created in 2004.

    I ran the test posted in that thread
    echo X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*> eicar2.exe:stream

    With AMON running it immediately reports a threat. I deleted the file and turned off AMON. After recreating it I ran the on-demand scanner (via the context menu); it did not detect any threat. Am I doing something wrong? I searched but couldn't find any more recent information about this aside from the ADS check announcement. I'm running 2.50.25.
     
  2. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    I'm running 2.50.25 as well, and it seemed to work fine for me. Attached is the screenshot after running the on-demand scanner. Actually, what happened for me is that when I tried to place EICAR in a normal, "non-stream" file, it was detected by AMON. However, when I tried to place EICAR in a named stream of the file as in the test string, it was not detected by AMON. I don't think AMON catches the ADS stuff really. However, when I did the on-demand scan, it was caught as noted above.
     

  3. minerat

    minerat Registered Member

    Joined:
    Oct 21, 2005
    Posts:
    14
    Last edited: Oct 23, 2005
  4. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    There could be several things going on here.

    First, in regards to AMON and why your setup detects it and mine does not: I don't use Blackspear's setup; rather, I leave AMON at its file extension defaults (plus a few). Perhaps you have selected the "scan all files" check box on the AMON configuration page? If so, AMON probably goes ahead and scans the ADSs as well; however, in my configuration I only scan certain well-known executable and scripting extensions, and I guess AMON won't go ahead and scan the ADS for those also (since I am trying to attach the stream to a file with an ".exe" extension).

    Second, in regards to why you are not detecting anything with the on-demand scanner: Are you sure that your "context menu" profile, or whatever profile you are using, has the "Alternative NTFS streams" option checked on the "Setup" tab? If so, then are you sure that you are recreating the stream after you disable AMON? AMON may be attempting to "clean" the file by deleting just the stream portion but leaving the name in the file directory, so a subsequent virus scan wouldn't find anything even though you might think the file is still there (that is what the on-demand scanner did when I ran it and it found the EICAR test string in the stream portion). Make sure that there is still a signature in the stream by typing "more < eicar2.exe:stream".
     
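The test procedure discussed in the posts above, as an added worked example (this is not code from the thread, from NOD32 or from any poster): it recreates the EICAR-in-a-named-stream file in PowerShell, lists every stream on the file, and then performs the check post 4 asks for, distinguishing "stream gone", "stream name present but empty" (what a scanner that cleans only the stream contents leaves behind, so a later on-demand scan finds nothing) and "signature still present". The file path, the stream name `stream` and the output messages are illustrative choices; the script assumes an NTFS volume and PowerShell 3 or later (the `-Stream` parameter on `Get-Item`, `Set-Content` and `Get-Content`). Writing the EICAR string will trigger any on-access scanner that does inspect streams, which is the point of the test.

```powershell
# Added example, not from the original thread. Assumes an NTFS volume and
# PowerShell 3+. $Path and the stream name 'stream' are illustrative.
$Path = Join-Path $env:TEMP 'eicar2.exe'

# EICAR test string. Single quotes stop PowerShell from expanding '$EICAR...'
# and '$H' as variables; unlike cmd.exe, '^' needs no escaping here.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Create a harmless primary data stream, then attach the test string as a
# named stream. -NoNewline keeps the 68-byte signature exact; the thread's
# "echo ... > file:stream" appends a trailing CRLF, which most engines tolerate.
Set-Content -Path $Path -Value 'harmless primary stream' -NoNewline
Set-Content -Path $Path -Stream 'stream' -Value $Eicar -NoNewline

# Enumerate every stream on the file. ':$DATA' is the unnamed primary stream;
# the named stream appears as a separate entry with its own length.
# (The cmd.exe equivalent is "dir /r", which lists streams on Vista and later.)
Get-Item -Path $Path -Stream * | Select-Object Stream, Length

# The check from post 4: is there still a signature in the stream, or did the
# on-access scanner strip the contents and leave only the stream name behind?
$streams = Get-Item -Path $Path -Stream * -ErrorAction SilentlyContinue
$ads = $streams | Where-Object { $_.Stream -eq 'stream' }

if (-not $ads) {
    # Either the whole file was deleted or the named stream was removed.
    'Named stream is gone; recreate it before running the on-demand scan.'
} elseif ($ads.Length -eq 0) {
    'Stream name still present but empty: an on-demand scan will find nothing.'
} else {
    $content = Get-Content -Path $Path -Stream 'stream' -Raw
    if ($content -eq $Eicar) {
        'Stream still holds the EICAR signature; run the on-demand scan now.'
    } else {
        'Stream holds unexpected content:'
        $content
    }
}

# Clean up when done. Removing the file drops all of its streams with it.
# Remove-Item -Path $Path -Force
```

Run it once with the on-access scanner enabled and once with it disabled, and compare the branch taken before each on-demand scan: if the "present but empty" message appears after the on-access scanner reacts, the file still shows a stream name in listings but carries no signature, which explains a clean on-demand result. `more < eicar2.exe:stream` from cmd.exe, as suggested in post 4, is the manual equivalent of the `Get-Content -Stream` read.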
  5. hi52525525

    hi52525525 Guest

    Show us screen shot of on-demand scanner selected to Profile and Setup
     