Alternate data streams

Discussion in 'other software & services' started by jibby, Oct 1, 2006.

Thread Status:
Not open for further replies.
  1. jibby

    jibby Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    9
    Hi, I have recently been reading up on iStreams in Kaspersky AV v5, and it looks like KAV writes its own alternate data streams (ADS) as part of optimising real-time scanning performance if I understand correctly. Unfortunately I'm still trying to understand exactly how ADS works, but what I'm a bit concerned with at the moment is this... files that I've backed up on CDs/DVDs, are the ADSs associated with these files backed up too (which is probably something I don't want)? Or are the ADSs and the file they're associated with actually separate files altogether?
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    The ADS that Kav sets are used as a checksum to see if anything has changed since the last scan. If it has ever been scanned by Kav it has ADS associated with it. Kav 5 can be installed with out useing the ADS you have the option at instalation whether or not to use them. And when you uninstall kAV 5 it has the option to remove the ADS it has set.
     
  3. jibby

    jibby Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    9
    Thanks bigc! It's good to know that when I uninstall Kav 5 (my understanding is that kav 6 no longer sets ADS, and I'll be changing over to Kav 6 sooner or later), the ADS that kav 5 sets can be reversed.

    However, what about the files that I've backed up previously on CDs/DVDs and are no longer on my computer now? Will those files have need to be put back on my computer when I uninstall Kav 5 to get rid of the ADS it set, or will the ADS not on the CDs/DVDs? I'm still trying to understand if the ADS is "stored" in the file it's associated to, or whether it is a separate "file" altogether and it is the OS or a certain program (e.g. Kav) that recognises which file each ADS is associated to?
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I am afraid that those are there to stay:doubt: you might give it a try and see if will remove the ads from the reinstalled files
     
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  6. jibby

    jibby Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    9
    Ah, that's a bummer. That means I'll have to copy everything back on to my computer, uninstall KAV 5, then back everything up again. On the bright side, it gives me a chance to do some properly tidying up. :)

    Does this work well too (as I may not be able to put all the files in one go on my computer when I uninstall kav):
    http://www.kaspersky.com/faq?qid=170884737&qtype=3594740

    Also, what tool etc (if one exists) would you recommend I use to check whether all the files have been cleared of the ADS kav 5 set?
     
  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    This works pretty well
     
  8. jibby

    jibby Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    9
    Thanks for all your help, bigc73542 and iceni60! I guess I should get cracking then on sorting out the files I've backed up and changing over to Kav 6. Are there any foresee-able problems with KAV-set ADS that may not be removed and not detected by ADS spy?
     
  9. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I have used kav5 with and without ADS and never has any issues either way. Just remember that windows sets ADS also.
     
  10. jibby

    jibby Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    9
    Hmm... I just ran ADS Spy 1.11 on one of my computers that has Kav5 installed on it, and it came up with only 9 ADS. Any explanation for this, seems pretty low. I ran ADS Spy while in a restricted user account if that makes any difference, I'll switch over to a full admin account and re-run it just in case.
     
  11. jibby

    jibby Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    9
    Forgot to mention that none of the detected ADS were Kav-related except for the Kav product key which is found to be "encrypted."
     
  12. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    make sure that the box is not checked here
     
  13. jibby

    jibby Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    9
    The version (v1.11) that I've downloaded has the following three options of which only one can be selected:

    - Quick scan (Windows base folder only)
    - Full scan (all NTFS drives)
    - Scan only this folder:

    I selected Full scan.

    There are also two boxes that can be checked/unchecked (I had them both unchecked):

    - Ignore safe system info data streams ('encrytable', 'SummaryInformation', etc)
    - Calculate MD5 checksums of streams' contents
     
  14. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    ADS is a feature of the NTFS filesystem. When copying a file from a NTFS formatted volume to any non-NTFS volume, data in additional data streams is automatically dropped. Since CD/DVDs use filesystems like ISO9660, Joliet or UDF your files are clean and you don't have to do anything.
     
  15. jibby

    jibby Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    9
    Hmm... if I understand bigc73542 correctly, I thought he implied that files that I've backed-up on CDs/DVDs retain the ADS. I dug around on the net a bit and found the following excerpts:

    From http://www.wikistc.org/wiki/Alternate_data_streams :

    ISO 9660, FAT, ext2, all will not support alternate data streams so moving a file or directory to any of these and back will strip all but the unnamed default stream.

    From http://ben.staging.popart.com/PermaLink,guid,43a16479-c9af-4840-9e59-56eb00310eb2.aspx :

    You lose the streams if you email it or transport the file off to file systems formats that do not supports streams (like ISO 9660, etc).

    ...

    I haven't seen any CD formats that support this but I really haven't look long and hard for one. Perhaps, someone reading this can chime in.


    Any comments on this, bigc73542, Kenjin or any others?
     
  16. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    In principle UDF versions >= 2.00 support 'Named Streams' which are the equivalent of NTFS' ADS. However the CD/DVD burning program would need a special feature to handle this. I have not seen any such program so far, but situation may change. Bottom line is yes in theory and technically it is feasible but pretty unlikely that you unwittingly created such a disc with a standard burning application.
     
  17. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    What I was infering was that if the ads remover didn't remove they were probably there to stay. I was trying to do several things at once and just didn't make myself clear. I need to quit multitasking all the time and concentrate on the issue at hand. My bad. Even if you left the ADS the chance that they would ever cause any trouble is pretty slim to none.
     
  18. jibby

    jibby Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    9
    Ah, thanks Kenjin, so the files I've backed up on CDs/DVDs are unlikely to have retained the ADS then. I use Nero and can't find any option or reference to "Named Streams" or ADS.

    No worries, bigc73542. :) You've helped heaps already - thanks!

    Any ideas on why ADS Spy isn't finding any KAV-set ADS?
     
Loading...
Thread Status:
Not open for further replies.