Questions from new TDS-3 user

Hello,
I have finished my trial period and have now purchased a permanent license. I'm impressed with this program, but have some questions which perhaps someone here can answer.
1. During trial period I did a full system scan almost every day with all options
checked. The results were the same for almost three weeks: completely
clean. But then 11 hidden ADS showed up all at once. The help file doesn't
really explain the origin of these. Where do they come from? Why a clean
system for many weeks and then all of a sudden, many show up? EIght
small(88 bytes), but 3 were over a thousand bytes. I deleted all. and
haven't seen any ADS show up for last week.

2. After adding the key file to the TDS directory, I am seeing programs asking
to run that have never ran before. Proc Guard permission request screen
show that
grpconv.exe and runonce.exe
are asking to run. Filealyzer shows that these programs have never run
before on this machine(which is over 6 months old). Are they safe to
allow?

Thanks for your help.

 

Hello Bluekey, welcome with your best buy.
I can only partly asnwer your questions relating to TDS:
The NTFS ADS Streams as they are called are extras added to files, for instance antivirus scanners might do as a check for changed programs, in images you see them for extra info, etc, most just info, and small.
The smallers ones you can ignore and no need to delete them as programs might recreate them again.
There are the larger things like you found which can be malicious or as innocent, which only testing them extra can tell so please if you find them larger then say about 200 bytes send them in to submit@diamondcs.com.au for deeper study for you. A few thousands bytes sounds larger and could contain executable stuff.
At this page you find more explanation about them:
http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams
and tests you can perform yourself.
If new things show up all of a sudden while you might not have installed nothing new at all nor received any emails then there is certainly reason to look deeper. At least configure your scan options to all checked and highest sensitivity and make sure youhave the latest radius update and scan all there is, and you might like for the first time to look at all NTFS ADS Streams, knowing you can ignore the smaller then 200 bytes ones.
After that look deeper at your finds.
Also place several files in the CRCfiles.txt to be warned for changes, whatever file you think needs to be watched.

For the Process Guard waiting for others to jump in and for the programs mentioned.

WinTasks Process Library
grpconv - grpconv.exe - Process Information
Process File: grpconv or grpconv.exe
Process Name: Windows Program Group Converter
Description: Application that is used to convert the Windows 3.1 groups to folders while upgrading from Windows 3.1.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A

runonce - runonce.exe - Process Information
Process File: runonce or runonce.exe
Process Name: Runonce
Description: Known as the Microsoft "Run Once" wrapper. The application is a program that developers can use as part of their installation procedures to ensure, for example, that after the first reboot after the software installation, some additional configuration program runs once, and once only, to complete the installation.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A

So you see both are legal system processes which by the looks of it you can safely allow to run.

 

H Bluekey 23, The ADS streams are usually created by images, 88 bytes I have TDS set to ignore any streams smaller than 128 bytes
Here is a page with much more information: http://www.diamondcs.com.au/web/streams/streams.htm

grpconf.exe is a windows system file: "Windows program group converter" as is runonce.exe you can see by their properties whether they are genuine MS files.
Runonce is usually shown when a programme has failed to install properly.

HTH Pilli

 

Jooske and Pilli,
Thanks for the excellent help and advice!

 

You're welcome! Did it help, and is all clear and running fine now, no new NTSF ADS Streams anymore (yet)?