Any idea why Sygate firewall is showing this on a TDS scan?
20:22:59 [NTFS ADS] Stream found - r:\spf\smc.exe4c8cc155-6c1e-11d1-8e41-00c04fb9386d)
This just started showing up this week. I'm not worried but would like to know.
Loki
While we wait for a TDS expert to come along, here's one thing you can check... In Windows Explorer, select that file - right click on it and select "Properties" from the menu that pops up. On the new screen, select the Summary tab and see if any data is entered in the various fields there. Alternate Data Streams (ADS) can contain information as simple as the data shown on the summary screen noted above. ADS can also save extra data on things like image files, (thumbnails can be stored in ADS by some utilities). I've looked into ADS a little bit. It's an interesting feature which is available on only NTFS file systems. More information on ADS at the DCS site: http://www.diamondcs.com.au/streams/streams.htm
If you're not quite sure, you can send a sample to Gavin for a second opinion and, if necessary/possible, to refine his databases. submit@diamondcs.com.au
Hi Jooske, Thanks, and since more ADS streams are now also showing up I'll go ahead and send to support. My system is starting to act strange on me. I've run full scans with TDS, Spyware, and Virus scanners; everything comes up clean but these ADS streams. Loki
It might be an av/at scanner too, which can have the habit to add those streams for their own "administration" to see possible changes for a next scan, but of course you should know all for certain! The TDS stream cleaner and detector does not give any alarms? and not sure if the program creating the streams can be located? As your system is behaving strange: is that after removal of such streams or did you keep them there for the moment awaiting DCS' advice?
Hi Jooske, I uploaded a zip file of the streams to TDS support using TDS (I like the feature to send through TDS). One of the things that stopped working is using TDS to open its own log file. The file is there and if I start notepad I can open the file, but TDS will not start notepad to open the log anymore. I know that this worked back on Monday because I used it then. I'm unclear as to what you mean by "The TDS stream cleaner and detector does not give any alarms? and not sure if the program creating the streams can be located?" TDS shows that Sygate PF has an ADS stream but when I open the stream in notepad nothing is there. I can delete the stream with TDS but the stream comes right back:
16:21:28 [NTFS ADS] Successfully deleted all stream(s) from p:\spf\smc.exe
16:21:39 [NTFS ADS] Successfully deleted all stream(s) from p:\spf\smc.exe
16:22:18 [NTFS ADS] Stream found - p:\spf\smc.exe:SummaryInformation
16:22:18 [NTFS ADS] Stream found - p:\spf\smc.exe4c8cc155-6c1e-11d1-8e41-00c04fb9386d)
Thanks for your time and replies, Loki
For the notepad: look if you see any nod and wordpad exe's size 0 anywhere, like in the TDS directory and maybe other places. There should only be a normal one in the Windows system or system32. Delete those size 0 things, which is a habit of Windows creating them somewhere in the directory from where you're calling them and Windows is not able to open them for some reason. I mean in TDS > System Testing > Scan Control > to show all and include the hidden NTFS streams in the scan > and button ADS streams options. So if TDS alarms then on some stream, and the reason is unclear, I'd certainly submit the thing to TDS lab. It could be a control file like some av/at scanners are famous for, but like you I would like to know for sure. Are there still no trojans or other infections found on your system?
Hi Jooske, TDS comes up clean on full scan except for the ADS streams. I will search my system for 0 byte notepad files. Loki
Hi Loki, I had a problem a while back getting TDS to delete ADS streams also. The solution for me was this: check to see if the file the streams are attached to is active/open/running. If it is, in my case anyways, I had to kill the exe/process and/or close the file in question. Once I had done this, the deletion of the streams "took". I hope this helps..... Regards, Kent
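Added example, not part of any post in this thread: a small parser for the "[NTFS ADS]" log lines quoted above that flags streams which show up again shortly after a delete on the same file, the pattern that points at a running process re-creating them. The line format is inferred from the lines posted in the thread; the function name, the 5-minute window and the `notes.txt` line are assumptions made up for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: first three lines follow the log quoted in the thread,
# the last line is invented so there is a file that was never cleaned.
SAMPLE_LOG = r"""
16:21:28 [NTFS ADS] Successfully deleted all stream(s) from p:\spf\smc.exe
16:21:39 [NTFS ADS] Successfully deleted all stream(s) from p:\spf\smc.exe
16:22:18 [NTFS ADS] Stream found - p:\spf\smc.exe:SummaryInformation
16:25:02 [NTFS ADS] Stream found - p:\data\notes.txt:hidden.exe
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) \[NTFS ADS\] (.+)$")
DELETED = re.compile(r"^Successfully deleted all stream\(s\) from (.+)$")
# Drive letter colon first, then the first later colon splits host file and stream.
FOUND = re.compile(r"^Stream found - ([A-Za-z]:\\[^:]*):(.+)$")


def reappearing_streams(log_text, window=timedelta(minutes=5)):
    """Return (host_file, stream, seconds_since_delete) for each stream that is
    found again within `window` of the latest delete on the same host file.
    Timestamps carry no date, so a log spanning midnight is not handled."""
    last_delete = {}   # lower-cased host path -> time of most recent delete
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # not an ADS log line
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        deleted = DELETED.match(m.group(2))
        if deleted:
            last_delete[deleted.group(1).lower()] = ts
            continue
        found = FOUND.match(m.group(2))
        if not found:
            continue   # e.g. a line with no ":stream" part
        host, stream = found.groups()
        deleted_at = last_delete.get(host.lower())   # NTFS paths are case-insensitive
        if deleted_at is not None and timedelta(0) <= ts - deleted_at <= window:
            hits.append((host, stream, int((ts - deleted_at).total_seconds())))
    return hits


if __name__ == "__main__":
    for host, stream, secs in reappearing_streams(SAMPLE_LOG):
        print(f"{host}:{stream} came back {secs}s after deletion")
```

A hit means something is still writing to the host file, so the next step is to find which process has it open before deleting again.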
Here's some more info on ADS for you: http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=16189 Explains how to detect them. Should be helpful.
Hi, I received a response from TDS support yesterday and the file was harmless like I thought. Thanks for the replies. Loki