NTFS Alternate Data Streams?

Morning Wilders,

Since my post of yesterday regarding ugo20.exe and the most satisfactory conclusion. i was advised to install the trial version of TDS. I have updated the radius files and when i ran it yesterday, nothing came up.

Today, i fired up TDS so i could get to know the program a little better, and on the first initial scan it does on opening, i get two entries as follows: Both appear with a full scan to.

Alarm: NTFS Alternate Data Stream.
Name: ADS Hidden stream detected 88 bytes.
C:\windows\system32\ctfmon.exe

Can i delete these as two were shown, both the same size. This is from my logfile of TDS

"11:47:21 [TDS] Good morning Nick.
11:47:23 [NTFS ADS] Stream found - c:\windows\system32\ctfmon.exe:SummaryInformation
11:47:23 [NTFS ADS] Stream found - c:\windows\system32\ctfmon.exe4c8cc155-6c1e-11d1-8e41-00c04fb9386d)"

Many thanks

 

Hi Tragic001,
welcome!
googled a bit in the threads overhere about the subject, interesting reads!
http://www.wilderssecurity.com/showthread.php?t=10877
http://www.wilderssecurity.com/showthread.php?t=10612;start=msg69027#msg69027
http://www.wilderssecurity.com/showthread.php?t=7804
http://www.wilderssecurity.com/showthread.php?t=8416;start=msg54594#msg54594
http://www.wilderssecurity.com/showthread.php?t=4905;start=msg32298#msg32298

Alternate Data Streams are really very interesting things. DCS has a page that describes them here:
http://www.diamondcs.com.au/streams/streams.htm
If you didn't yet, you might like to get the free Autostartviewer too, to control all that's starting, very nice tool!
http://www.diamondcs.com.au/downloads/asviewer.zip

Generally spoken recommandations to ignore files below size 90 or 256 or 512 bytes, so that seems to depend.

From other postings here:
"Ctfmon.exe activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office Language Bar.
Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies. "

http://www.wilderssecurity.com/showthread.php?t=11193;start=msg72914#msg72914
(Pieter's answer #60)
http://www.wilderssecurity.com/showthread.php?t=10301;start=msg70343#msg70343
(Illukka's answer #40)

If somebody can drop by in the meantime, please don't hesitate to post!

 

Thanks Jooske,

I did manage to find the file from Diamondcs about these streams and from the links you have provided, i have set my stream detection to 90 and checked the non executable box.

I think ctfmon.exe is something to do with Office XP, which i have.

Many thanks..

 

Hmmm,

having set the stream size to minimum 90 and checked the non-executable box, on re-running TDS, those same two files appear They are marked as 88bytes in size.

I await your advice....thanks

 

My edit and your answer crossed
Indeed, it has to do with the input in Office, so no worries.

Are you comfortable with TDS configuration and using it?

 

Thanks Jooske, thats has reassured me . Actually i find TDS not too difficult to set up. There are some things that i have no clue about but i have configured the scan options, updated the radius files etc and starting to really like the program. I may just purchase it at the end of the trial.

If i have any questions, be sure i know where to come. Again many thanks