NTFS Alternate Data Stream

Discussion in 'Trojan Defence Suite' started by SMaus, Feb 6, 2004.

Thread Status:
Not open for further replies.
  1. SMaus

    SMaus Registered Member

    Joined:
    Dec 31, 2003
    Posts:
    34
    Location:
    Hamburg, Germany
    Hi everybody,

after de-installing Kaspersky 4.5 I get lots of messages from TDS at startup, all concerning an alarm named NTFS Alternate Data Stream. Name: ADS Hidden Stream detected. Obviously all those files are used at startup. What should I do with it?

    Regards - Stefan
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi SMaus, this thread will give you some guidance: https://www.wilderssecurity.com/showthread.php?t=20665
    Furthermore you can do a Hidden streams scan by opening Scan Control and ticking both stream scans, then selecting your scan area such as hard drive c:\. Untick all the other scans, as this will be much quicker; any hidden streams will be shown at the end of the scan. Do not save the configuration. (See screenie below.)
    You can then refer to the thread above.

    Zero-byte files can be ignored, as can those below 128 bytes.

    Please do not hesitate to ask if you have any further questions :)

    HTH Pilli
     


  3. SMaus

    SMaus Registered Member

    Joined:
    Dec 31, 2003
    Posts:
    34
    Location:
    Hamburg, Germany
    Hi Pilli,

    thanks for your help - panic always decelerates my brain activity. I'll ignore the stuff since they are well below 128 bytes.

    Regards - Stefan
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    You can cut down the error reports by altering the ADS stream options to "Ignore streams smaller than". Mine is set at 100 bytes, as a lot of image-type files appear to produce 88-byte streams.

    Enjoy your weekend! :)
     
  5. SMaus

    SMaus Registered Member

    Joined:
    Dec 31, 2003
    Posts:
    34
    Location:
    Hamburg, Germany
    Hmm... Doesn't seem to work for me. Even if I set the ADS stream options to "ignore smaller than 128 bytes", TDS shows for example nod32kui.exe, size 68 bytes. I get messages for 32 files. The only chance to suppress the messages is to uncheck "Scan NTFS ADS hidden streams". But I don't know if I spoil something essential by choosing this option.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    After you changed the "Ignore streams smaller than" setting, I bet you forgot to "Save" your configuration ;)
     
  7. SMaus

    SMaus Registered Member

    Joined:
    Dec 31, 2003
    Posts:
    34
    Location:
    Hamburg, Germany
    Hehehe... You lost. No, I didn't forget. If I open ADS stream options to check if I or it forgot something, the box "ignore smaller etc." is still ticked. Perhaps TDS doesn't like my German. ;)
    Well - it doesn't really matter. Just to be sure: if I want to get rid of these messages so as to receive only the "critical" ones, and I untick "Scan NTFS ADS hidden streams" in the advanced scan options, will I miss anything essential? I'm asking because checking those 30+ messages at every startup for something critical hiding between them is not exactly user-friendly.
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Darn, I owe you a virtual beer :)
    Perhaps you are correct, have to wait for another German language user to respond :)
    I am also not sure that you may have to reload TDS for the new configuration to be active.
     
  9. SMaus

    SMaus Registered Member

    Joined:
    Dec 31, 2003
    Posts:
    34
    Location:
    Hamburg, Germany
    We posted the same time - So will I miss anything?
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Interesting. I would not switch it off; anything over 128 bytes is a potential, though unlikely, threat.
    Your best bet (here we go again :) ) is to exclude these files from the list if you know them to be trusted. Use Scan Control - Scan Exclusions. Any zero-byte files can just be deleted.

    HTH Pilli
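The procedure Pilli describes (scan for hidden streams, ignore zero-byte and tiny streams, exclude trusted files) can be reproduced without TDS. The following is an added example written for this thread, not TDS code or anything the posters ran; it assumes Windows PowerShell 3.0 or later on an NTFS volume, and the root path, threshold and trusted-file list are illustrative parameters.

```powershell
# Added example: enumerate NTFS alternate data streams below a directory,
# applying the thread's "ignore streams smaller than N bytes" rule and a
# list of trusted files to exclude. Parameters are illustrative defaults.
param(
    [string]$Root = 'C:\',
    [int]$IgnoreSmallerThan = 128,
    [string[]]$TrustedFiles = @()
)

# Every file has the unnamed ':$DATA' stream; anything else is an ADS.
# (Zone.Identifier is the common, benign "downloaded from the Internet" mark.)
$findings = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Length = $_.Length
                }
            }
    }

# Thread heuristics: zero-byte and tiny streams are noise, trusted files
# are excluded; whatever remains is what deserves a manual look.
$worthReview = $findings |
    Where-Object { $_.Length -ge $IgnoreSmallerThan } |
    Where-Object { $TrustedFiles -notcontains $_.File }

$worthReview | Sort-Object Length -Descending | Format-Table -AutoSize

# To look at a stream's contents without running anything from it:
#   Get-Content -LiteralPath 'C:\path\file.exe' -Stream 'streamname' -Raw
```

Run it as `.\ads-scan.ps1 -Root 'C:\' -IgnoreSmallerThan 128 -TrustedFiles 'C:\Program Files\Eset\nod32kui.exe'` to mirror the settings discussed above.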
     
  11. SMaus

    SMaus Registered Member

    Joined:
    Dec 31, 2003
    Posts:
    34
    Location:
    Hamburg, Germany
    OK - I'll have a try. If anything terrible happens I'll inform you.
     
  12. SteeLRasH

    SteeLRasH Registered Member

    Joined:
    Jan 25, 2004
    Posts:
    7
    Location:
    Turkey
    http://www.wilderssecurity.com/showthread.php?t=20337

    TDS doesn't detect this kind of ADS. Look at this.
     