Use of live cd/dvd/usb can result in altered modification time in unchanged files

Discussion in 'other security issues & news' started by MrBrian, Oct 1, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    The situation: I scanned my computer with Avira AntiVir Rescue System, using the "log only" option. Later, I noticed that my file-based backup program backed up some files that had not changed during an incremental backup. Upon further investigation, I discovered that Avira AntiVir Rescue System had changed the modification timestamp of scanned files by truncating the fractional part of seconds. Since the timestamp was no longer exactly the same, the backup program backed up those files, even though the file contents had not changed.

    This issue may happen also with other live cds/dvds/usbs, but I didn't test others.

    I didn't contact Avira about this issue because I don't have an account there. I'm not sure if it's their fault anyway. I suspect Linux itself may be the culprit.

    Tools used: analyzeMFT and NTFS File Copy Utility.
     
    Last edited: Oct 1, 2011
  2. J_L

    Interesting, can you test AVG Rescue CD and Microsoft System Sweeper?
     
  3. MrBrian

    The next time that I use Microsoft System Sweeper, I'll report back here on the results. I don't have AVG Rescue CD at the moment.

    Does anybody know of a program that reports the exact value of NTFS timestamps, including fractional parts? I'd like to use something quicker than the tools mentioned in the first post.
     
  4. MrBrian

    I found another free tool that gives the date modified timestamp with fractional seconds - NTFS Metadata Extractor Utility. I recommend using this program over the others that I mentioned.
     
    Last edited: Oct 2, 2011
  5. MrBrian

    None of the following live CDs changed the modification time during a scan:
    G Data 2011
    Microsoft Standalone System Sweeper
    Knoppix
    Ubuntu

    On the last two, I opened a text file and didn't alter it.
     
  6. SUPERIOR

    @MrBrian
    Thank you for the info. Changing the time that way means, to me, that maybe a change was applied to the file while scanning it, which means it is modifying some files. Could you find out what the link is between the files whose time had been changed? Are they executable files or something else?
    The problem is analyzing scanning behavior under a Linux environment :(
     
  7. MrBrian

    You're welcome, SUPERIOR :).

    I tested the Avira live cd with the 'log only' option, so none of the file contents should have changed. All of the modification times were changed by at most less than one second, due to truncation of the fractional part of the seconds value. For example, a modified timestamp of Oct. 4 2011 5:34:23.6934 is changed to Oct. 4 2011 5:34:23.0000. All of the different types of files that I tested, which included .exe, .txt, .pdf, .zip, and a few others, were affected.

    Does somebody already have an account at Avira and wish to report this?
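
Added example, not part of the original thread and not any poster's code: a Python sketch that records each file's modification time at full resolution together with a content hash, then separates the truncation described above from real content changes. The function names, labels and the sample timestamp are constructed for illustration.

```python
import hashlib
import os
import tempfile

NS_PER_SEC = 1_000_000_000

def snapshot(root):
    """Map relative path -> (mtime in nanoseconds, SHA-256 of contents)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = (os.stat(path).st_mtime_ns, digest)
    return snap

def classify(before, after):
    """Label every file that appears in both snapshots."""
    labels = {}
    for path in sorted(before.keys() & after.keys()):
        (old_ns, old_hash), (new_ns, new_hash) = before[path], after[path]
        if new_hash != old_hash:
            labels[path] = "content-changed"
        elif new_ns == old_ns:
            labels[path] = "unchanged"
        elif new_ns == old_ns - old_ns % NS_PER_SEC:
            labels[path] = "mtime-truncated"  # fraction dropped, data identical
        else:
            labels[path] = "mtime-changed"    # other timestamp change, data identical
    return labels

def demo():
    """Constructed sample: two files; one then loses its fractional seconds."""
    with tempfile.TemporaryDirectory() as root:
        stamp = 1_317_706_463 * NS_PER_SEC + 693_400_000  # constructed, .6934 s fraction
        for name in ("a.txt", "b.txt"):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
            os.utime(path, ns=(stamp, stamp))
        before = snapshot(root)
        whole = stamp - stamp % NS_PER_SEC
        os.utime(os.path.join(root, "a.txt"), ns=(whole, whole))  # simulate the truncation
        return classify(before, snapshot(root))

if __name__ == "__main__":
    print("\n".join(f"{label:16} {path}" for path, label in sorted(demo().items())))
```

Taking one snapshot before booting the rescue media and one after, then passing both to `classify()`, shows which files a timestamp-based incremental backup would re-copy even though their hashes match.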
     