NTFS Alternate Data Stream

Hi everybody,

after de-installing Kaspersky 4.5 I get lots of messages from TDS at startup, all concerning an alarm named NTFS Alternate Data Stream. Name: ADS Hidden Stream detected. Obviously all those files used at startup. What should I do with it?

Regards - Stefan

 

Hi SMaus, This thread will give you some guidance: https://www.wilderssecurity.com/showthread.php?t=20665
Furthermore you can do a Hidden streams scan by opening scan control and ticking both stream scans then selecting your Scan area such as hard drive c:\ Untick all the other scans as this will be much quicker, any hidden streams will be shown at the end of the scan. Do not save the configuration. (See screanie below)
You can then refer to the thread above.

Zero size byte files can be ignored as can those below 128 bytes

Please do not hesitate to ask if you have any further questions

HTH Pilli

 

Hi Pilli,

thanks for your help - panic always decelerates my brain activity. I'll ignore the stuff since they are well below 128 bytes.

Regards - Stefan

 

You can cut down the error reports by altering the ADS stream options to "Ignore steams smaller than" Mine is set at 100 bytes, as a lot of image type files appear to produce 88 byte streams.

Enjoy your weekend!

 

Hmm... Doesn't seem to work for me. Even if I set the ADS stream options to "ignore smaller than 128 bytes" TDS shows for example nod32kui.exe, size 68bytes. I get messages for 32 files. The only chance to suppress the messages is to uncheck "Scan NTFS ADS hidden streams". But I don't know if I spoil something essential choosing this option.

 

After you changed the "Ignore steams smaller than" I bet you forgot to "Save" your configuration

 

Hehehe... You lost. No, I didn't forget. If I open ADS stream options to check if I or he forgot something, the box "ignore smaller etc." is still ticked. Perhaps TDS doesn't like my German.
Well - it doesn't really matter. Just to be sure, if I want to get rid of this messages to receive only the "critical" ones and I untick "Scan NTFS ADS hidden streams" in the advanced scan options, will I miss anything essential? I'm asking because checking those 30+ messages at every startup if something critical is hiding between them is not exactly user-friendly.

 

Darn, I owe you a virtual beer
Perhaps you are correct, have to wait for another German language user to respond
I am also not sure that you may have to reload TDS for the new configuration to be active.

 

We posted the same time - So will I miss anything?

 

Interesting I would not switch it off, anything over 128 bytes is a potential though unlikely threat.
Your best bet (here we go again ) is to exclude theese files from the list if you know them to be trusted. Use Scan control - scan exclusions. Any zero byte files can just be deleted.

HTH Pilli

 

OK - I'll have a try. If anything terrible happens I'll inform you.

 

http://www.wilderssecurity.com/showthread.php?t=20337

TDS don't detect this kind of ADS. look at this