Firewalls and Alternate Data Streams (ADS)

Discussion in 'other firewalls' started by KeyPer4Life, Oct 9, 2014.

  1. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Alternate Data Streams (ADS) are not visible in Windows Explorer. They are pieces of info
    hidden as metadata on files. My question is:

    Is it normal for firewall/hips type programs to create ADSs in Temp folder or any other
    location on computer and should I be concerned?

    Both ADS Spy and Spyshelter find same ADS. Apparently from what I've read some ADSs are
    legitimate, but some can be malicious. ADS Spy supposedly can remove them, but they come right back
    on reboot. All scanners I've used show nothing detected.
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    ADS are set by Windows to mark files from another security zone - your desktop is trusted but the internet is not, check internet settings. If you move files you move ADS.

    BufferZone (sandboxing software) is known to write ADS for each accessed folder.

    In minor cases malware can create such files to prevent being found by scanners or the user.

    Search for ADS
    http://www.softpedia.com/get/System/File-Management/ADS-Viewer.shtml
    (no adware, no install)
     
  3. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    ADS-Viewer doesn't scan in "hidden files and folders" whereas ADS Spy apparently does. Disabling the GUI does
    remove the ADS after scanning and removing via ADS Spy, however that is not the solution I'm looking for.
    Thanks for info anyway.
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Last edited: Oct 12, 2014
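
The check discussed in this thread can also be done without third-party tools. The following is an added example, not part of any post above: it lists every named stream under a folder, including hidden files, and separates the Windows zone marker (`Zone.Identifier`) from other streams. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the `$Root` parameter name is a choice made for this example and defaults to the current user's Temp folder.

```powershell
# Added example: inventory alternate data streams and label the zone marker.
# Assumption: $Root is the folder to inspect (defaults to the user's Temp folder).
param([string]$Root = $env:TEMP)

# -Force includes hidden and system items, which some ADS viewers skip.
$report = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        # -Stream * returns all streams; ':$DATA' is the file's normal content.
        # Errors are suppressed because older PowerShell versions cannot
        # read streams attached to directories.
        Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $zone = $null
                $kind = 'other'
                if ($_.Stream -eq 'Zone.Identifier') {
                    $kind = 'zone marker'
                    # The marker is a small INI file containing a line like "ZoneId=3".
                    # 0 = local machine, 1 = intranet, 2 = trusted,
                    # 3 = internet, 4 = restricted.
                    $text = Get-Content -LiteralPath $item.FullName `
                        -Stream 'Zone.Identifier' -Force -ErrorAction SilentlyContinue
                    $m = $text | Select-String -Pattern '^ZoneId=(\d)' |
                        Select-Object -First 1
                    if ($m) { $zone = [int]$m.Matches[0].Groups[1].Value }
                }
                [pscustomobject]@{
                    Kind   = $kind
                    ZoneId = $zone
                    Length = $_.Length
                    Stream = $_.Stream
                    File   = $item.FullName
                }
            }
    }

# Streams of kind 'other' are the ones to attribute to a specific program.
$report | Sort-Object Kind, File | Format-Table -AutoSize -Wrap
```

Running it before and after a reboot and comparing the `other` rows shows which streams are being recreated and on which files.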