NTFS Streams Eraser revived!

Discussion in 'other anti-virus software' started by RejZoR, Apr 12, 2015.

  1. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I'm posting this here for better visibility since it's directly related to certain antiviruses and is not exactly a "general" software.

    You might remember my tool called NTFS Streams Eraser from several years ago, designed to clean up NTFS Alternate Data Streams left behind by Kaspersky Antivirus. Well, I've decided to revive it, because there are still programs that use NTFS ADS to track file status. As far as I know, Kaspersky is not using them anymore, but Comodo Internet Security does, and because of that, NTFS Streams Eraser is back! :)

    It can be used to clean up NTFS ADS left behind by ANY program and is not specifically designed for Comodo Internet Security. I'm guessing it will be useful for some people :)

    Link to my blog news:
    https://rejzor.wordpress.com/2015/04/12/ntfs-streams-eraser-revived/
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,050
    Thanks for reminding me about ADS. I remember when Kaspersky used them in their products. Users criticised them as their AV product didn't remove them after uninstall.
    I decided to download Streams from Sysinternals (https://technet.microsoft.com/en-us/sysinternals/bb897440.aspx) as I prefer to check ADS before deleting them. Streams didn't show me any ADS on my system partition, but it found a lot of them on my data partitions. It looks like all downloaded files get a zone.identifier stream (https://msdn.microsoft.com/en-us/library/dn392609.aspx). I deleted all of them.
    I also disabled adding this information to downloaded files through Gpedit: User configuration - Administrative Templates - Windows Components - Attachment Manager - Do not preserve zone information in attachments [Enable].

    Thanks again for this useful tool.
     
    Last edited: Apr 12, 2015
  3. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    My tool is based on the Sysinternals Streams. It's just that I've combined it to do the erasing only.
     
  4. Tarantula

    Tarantula Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    357
    Thank you, sir!
     
  5. hamlet

    hamlet Registered Member

    Joined:
    May 10, 2005
    Posts:
    200
    Oh yes, I remember the Kaspersky ADS problem. What I don't remember is why this is a problem. Can you remind me of why I would want to erase my NTFS alternate data streams? Thanks in advance!
     
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    NTFS ADS aren't bad as such and it's a well documented feature of the NTFS filesystem. It's just that some people don't like having hidden data attached to their files. For whatever reason.
     
  7. Tarantula

    Tarantula Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    357
    Because we, the people, are control freaks.
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    RejZoR

    I sure remember your tool and think I was using KAV at the time. I can't remember if all were upset with KAV because someone found ADS were a security risk or not but then again remember the storm over Norton using a rootkit to hide the recycle bin or something like that? Back in the Sony CD rootkit days?

    I thought it was worth bringing up again in this other thread. :)

    https://www.wilderssecurity.com/threads/kaspersky-anti-virus-plus-wsa.374893/#post-2477489
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    HUH?
     

    Attached Files:

  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
  11. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    My code is just fine... You just have to click YES on that popup. I know my English isn't perfect, but that popup is understandable enough. It even asks you to download the missing component...

    The reason why I don't bundle 3rd party files with my tool is because of licensing/rights issues. But if the files are downloaded separately and the user is notified about it through a popup and the official Streams webpage that opens up after you click YES, then it's ok. Plus, you always get the latest version of 3rd party files when you first execute my tool.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,050
    When I scan my C: drive with Streams I get a lot of warnings similar to this:
    It looks like the program has a problem with long paths or with symbolic links that are used by the system.
     
  13. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    Min, I get the same results. Are we both using Win 8.1 64-bit?
     
  14. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Just a brief question, do you people bother to read text on webpages and in programs? Just wondering, because it's clearly explained that the program CANNOT access system locked files and files to which the program has no access rights.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,050
    Yes, I'm using Windows 8.1 x64.
    The problem might be with permissions, as RejZoR said. Running it with the Run as Administrator option will show you more problematic files. A lot of files will have Application data mentioned 12 times in their full path (as shown above). That folder is a symlink to c:\ProgramData, so there might be a problem with symbolic links. If I run the tool without the Run as Administrator option, those links are followed without errors.
     
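Checking streams before deleting them, as post 2 prefers, and avoiding the repeated "Application Data" paths described in post 15, can be done with PowerShell's built-in stream support. This is an added example, not code from the thread, from NTFS Streams Eraser or from Sysinternals Streams; the function name `Get-AdsInventory` and the sample path are assumptions.

```powershell
# Added example. Lists alternate data streams on files under a root folder
# without deleting anything. Get-AdsInventory is a hypothetical helper name.
function Get-AdsInventory {
    param([Parameter(Mandatory)] [string] $Root)

    $pending = [System.Collections.Generic.Stack[string]]::new()
    $pending.Push($Root)

    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        try {
            $children = Get-ChildItem -LiteralPath $dir -Force -ErrorAction Stop
        } catch {
            # Locked or access-denied folders are reported instead of silently skipped.
            [pscustomobject]@{ Path = $dir; Stream = $null; Length = $null; Error = $_.Exception.Message }
            continue
        }
        foreach ($item in $children) {
            if ($item.PSIsContainer) {
                # Never descend into junctions or symlinks (for example the legacy
                # "Application Data" links), which is what produces looping paths.
                $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
                if (-not $isLink) { $pending.Push($item.FullName) }
                continue   # streams attached to directories are not covered here
            }
            try {
                Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction Stop |
                    Where-Object { $_.Stream -ne ':$DATA' } |   # skip the main data stream
                    ForEach-Object {
                        [pscustomobject]@{ Path = $item.FullName; Stream = $_.Stream
                                           Length = $_.Length; Error = $null }
                    }
            } catch {
                [pscustomobject]@{ Path = $item.FullName; Stream = $null; Length = $null
                                   Error = $_.Exception.Message }
            }
        }
    }
}

# Constructed sample path: replace with the partition or folder to review.
$found = Get-AdsInventory -Root 'D:\Downloads'
# How many streams of each name exist (Zone.Identifier, AV tracking streams, ...).
$found | Where-Object Stream | Group-Object Stream | Sort-Object Count -Descending |
    Select-Object Count, Name
# Files and folders that could not be read, with the reason.
$found | Where-Object Error | Select-Object Path, Error
# Read one stream's content before deciding what to do with it.
$found | Where-Object Stream -eq 'Zone.Identifier' | Select-Object -First 1 |
    ForEach-Object { Get-Content -LiteralPath $_.Path -Stream Zone.Identifier }
```

Running it once from a normal prompt and once elevated shows which errors are permission-related, since the Error column carries the underlying exception message.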
  16. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    ran this and every single thing listed said error opening file. i scrolled up the list and not one thing was otherwise?
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,050
    Try to run the tool with and without the Run as Administrator option and save the output to a file. You will probably get some results, but most will probably be errors (at least that was my case).
     
  18. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    tried that, every single thing was an error.
     
  19. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    in safe mode??
     
  20. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    I have not used Comodo on this computer so I don't care. And I ran his program sandboxed too, so all changes were erased on reboot.
     
  21. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    yup even in safe mode