TDS detects 2 ADS's on tds.exe

Discussion in 'Trojan Defence Suite' started by Defenestration, Jul 17, 2004.

Thread Status:
Not open for further replies.
  1. Defenestration (Registered Member; Joined: Jul 17, 2004; Posts: 1,100)

    When run, TDS detects 2 NTFS Alternate Data Streams on the tds.exe. One is 88 bytes long and the other 0 bytes.

    Is this normal? If this is TDS that has added them, I thought ADS were frowned upon in security circles, and so why are they being used?

    I am using Win XP Home SP1 with Kaspersky AV Personal 5.0.142, LooknStop 2.5. I have heard scare stories that KAVP 5 adds an ADS to every single file, but from my experiences this is not true and so that's why I think it is TDS that has added them.
     
  2. Pilli (Registered Member; Joined: Feb 13, 2002; Posts: 6,217; Location: Hampshire UK)

    Hi Defenestration, Many programs use streams, especially imaging programs, I believe they are used for tagging the image. bb bytes is a typical image stream. 0 bytes is nothing. Anything below 128 bytes can be safely ignored.
    Here is a screenshot showing how to set up streams.
     

  3. Defenestration (Registered Member; Joined: Jul 17, 2004; Posts: 1,100)

    Why has the TDS executable file tds.exe been tagged though? No other file on my system has been tagged with an ADS, so it looks like TDS has tagged itself.

    Why is this?
     
  4. Pilli (Registered Member; Joined: Feb 13, 2002; Posts: 6,217; Location: Hampshire UK)

    Defenestration, TDS3 does not tag anything with streams; Windows creates them, usually for legitimate reasons.
    Why zero byte size I have no idea :) In certain circumstances KAV 5 did create streams; like you, my KAV does not.

    Here is some more information about ADStreams:
    http://www.diamondcs.com.au/web/streams/streams.htm

    HTH Pilli
     