Alternative NTFS streams

Somewhere in the NOD32 setup is a reference to "Alternative NTFS Streams."

Although I am not a technical person, I do know what NTFS means (the Win2k sp4 Rollup1 computer I am now using has NTFS on every partition), but I have no idea what an "NTFS stream" is.

A Google search turned up a lot of talking about NTFS streams, but I couldn't find a definition.

I'd appreciate any help. I'm a brand new NOD32 user, as of yesterday.

Roger Folsom

 

Hi there and welcome to the NOD community!

Have a look at:

http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams

for further info regarding ntfs streams and what they can and cant do. There is also a little test program that will check whether your antivirus can detect ntfs stream data or not.

R

 

Thanks for the link!

For the rest of this message, it may be useful for you to know that I am running Win2k Sp4 Rollup1 with all updates (not counting November's) installed.

I went to the DiamondCS link you provided, and I found not only excellent explanations, but also three utilities.

NTFS ADS Check simply told me that my system supported NTFS Alternate Data Streams, which I already knew because I knew that I had formatted both of my partitions as NTFS.

DataStreamDemo(DiamondCS).exe (which I renamed from strmdemo.exe) did create c:\streams.txt, but I could not find any new Task Manager process: neither STRMDEMO.EXE nor stream.txt was listed.

That's not surprising, because Webroot's SpySweeper intervened and warned me not to run the program embedded in streams.txt. I told it to let the program run anyway, but it apparently ignored that instruction. Then I closed SpySweeper, and ran DataStreamDemo again, and this time got no message, but again although c:\streams.txt got created I could find neither of the expected processes.

My guess is that either there was a residual SpySweeper prohibition against opening the streams.txt processes, or else either Sunbelt's Counterspy or NOD32 blocked them, albeit silently.

So I closed Counterspy also and again ran the Demo (with the same results as above), but I don't see any way to close NOD32. Even after using Quit, the process list still has the Nod32 kernel running (which is consistent with a complaint here in some other thread that NOD32 is either difficult or impossible to close).

The third DiamondCS utility, MakeStream, confused me. The DiamondCS site says to run "makestrm.exe c:\test.exe, but I'm not sure what "test.exe" file DiamondCS expects me to use for the test. Any executable file?

In any case, to actually test whether NOD32 or anything else actually catches a virus or trojan, apparently requires runnng makestrm.exe on a sample virus or trojan. But, fortunately, I don't have any to use.

You inspired a major education for me. Thanks.

Roger Folsom