Comments for What are alternate data streams, and are they a security risk?

Comment from David Spector on 2009-11-30

2009-11-30T13:56:27Z

Alternate data streams are used by some antivirus software (Kaspersky Labs) to store a unique "hash" value that works as a short signature that represents the file contents. The allows the antivirus program to detect any simple change in contents that does not also update the signature stream. The cost of this otherwise excellent feature is the expansion in disk size of every file.

By the way, the excellent freeware program FileAlyzer 2 has a tab for showing the Alternate data streams in any file, including special (inaccessible) streams such as Security and Object identifier. The default stream type is Alternate.

Alternate data strings can be nested. Internally, an alternate string named foo is represented as :foo:$DATA, so some alternate stream programs may use this syntax.

In Windows, Microsoft Word uses an alternate data stream to store extra information about a file, such as the Author name. Also, downloaded files are marked by the presence of an Alternate-type stream named :Zone.Identifier, which contains the text "INI file"

[ZoneTransfer]
ZoneId=3

to indicate which "Zone" was used for the download (3 means "Internet"). On the Properties context dialog box for the file, you can click Unblock to delete this stream.

]]>

A comment on: What are alternate data streams, and are they a security risk?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Michael Dalton on 2007-12-11

2007-12-11T16:12:05Z

Hello Leo,

The erasure software programme 'Cyberscrub' provides an option to erase Alternate Data Stream files. CyberScrub warns that it will try to save the ADS Main File(s) when it is deleting the others, but it does not guarantee that it will be able to do so. Are these Main Files essential to the healthy operation of the platform (XP) - can I risk their erasure? Can anyone know? If CyberScrub fails to preserve one, some, or all of the Main Files, will these be regenerated, if necessary/essential, at the next boot, or could erasure result in a catastrophe?

It seems a wee bit anomalous that a programme which is designed to execute comprehensive erasure processes cannot in fact do this safely, because of the existence of these files which move in mysterious ways.

Cyberscrub searches for, and identifies, the ADS files on your system. The ADSs it finds on mine are as follows:-

C:\Documents and Settings\All Users\...1: :encryptable $DATA (1 entry)

C:\Documents and Settings\My Name\...1 :Zone Identifer:$DATA (3 identical entries)

C:\Documents and Settings\My Name\...1 :Favicon:$DATA (1 entry)

C:\RECYCLER\S-1-5-21-124738149-13...1 :Zone Identifier:$DATA (3 identical entries)

C:\System Volume Information\_restor... :Zone Identifier:$DATA (4 identical entries)

and then dozens of these:-

C:\SystemVolume Information\_restor :a:$DATA

Perhaps it is all imponderable.

Best wishes,

]]>

A comment on: What are alternate data streams, and are they a security risk?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from George Birbilis on 2007-06-17

2007-06-17T09:23:00Z

actually there are malware exploiting ADS, else Ad-Aware and other s/w wouldn't be scanning them

]]>

A comment on: What are alternate data streams, and are they a security risk?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Ken Crook on 2007-06-16

2007-06-17T04:32:16Z

Just downloaded and installed LavaSoft Ad-Aware2007. On the Settings page there is a button for "Scan Alternate Data Streams". When I saw this I had no idea what it was about. It is a nice coincidence your newsletter has an article on Alternate Data Streams. So there is now at least one way to scan for Alternate Data Streams.

Thank you Leo.

]]>

A comment on: What are alternate data streams, and are they a security risk?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Leo A. Notenboom on 2007-06-15

2007-06-15T16:21:47Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To be honest, I'm not sure. I've heard tell that they were an attempt to
provide the same functionality as "forks" I think it is on Macintosh systems at
the time. If so, I think it was doomed for backwards-compatibility reasons.

But I'm not totally sure.

And again, once in, it's incredibly difficult to remove a "feature" -- for
backwards compatibility reasons. :-(

Leo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFGcryiCMEe9B/8oqERAnLpAKCKLGKUw9xcIAVVyESHm0PiQENK1QCcCsAS
CEZ/ke2Y8mIxskqIC/RV8gY=
=Csa/
-----END PGP SIGNATURE-----

]]>

A comment on: What are alternate data streams, and are they a security risk?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Dan Ullman on 2007-06-15

2007-06-15T15:51:46Z

Is there a reason that alternate data streams exist?

]]>

A comment on: What are alternate data streams, and are they a security risk?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.