   Mischel Internet Security Forum
   TrojanHunter
   Bugs
   [CLOSED] Not all ADS's are logged during a scan.
   Author  Topic: [CLOSED] Not all ADS's are logged during a scan.  (Read 686 times)
siliconman01
[CLOSED] Not all ADS's are logged during a scan.
« on: Mar 8th, 2010, 12:50am »

Windows 7 x86 and x64 Professional
TH V5.3.994 Beta 2
 
First of all THANKS very much for no longer logging favicon ADS streams on URLs.   :D
 
However, now TH will no longer log any file ADS either on a right click scan or a TH GUI scan or Scan>Scan File.  
 
-  In TH GUI, Options>Advanced, "Log NTFS Alternate Data Streams" and "Scan NTFS Alternate Data Streams" are checked.
 
1.  Download TrojanHunterSetup.exe.  This download contains a Zone Identifier ADS.  
 
2.  Perform a right-click scan on TrojanHunterSetup.exe
 
No ADS is logged.
 
3.  Perform a Scan>Scan File on TrojanHunterSetup.exe
 
No ADS on file is logged.
 
4.  Perform a FULL Scan with TH on the drive where TrojanHunterSetup.exe is stored.
 
No ADS on files are logged.
 
Note:  TH scanner is properly logging ADS if found on a directory.  For example, it does show the ADS on my TEMP folder.  
« Last Edit: Mar 12th, 2010, 5:48am by Magnus »

______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
Magnus
Re: Not all ADS's are logged during a scan.
« Reply #1 on: Mar 11th, 2010, 4:54am »

In version 5.3, TrojanHunter no longer logs the following three types of alternate data streams:
 

  • Thumbs.db:encryptable
  • Zone.Identifier
  • favicon

 
That's because these very common harmless streams are found on nearly every system and logging them does more to confuse users than help identify anything malicious.  
 
TrojanHunter still does log every other stream it encounters if the appropriate option is enabled, just not these very common ones created by Microsoft. This will be helpful because those streams which really could cause concern will not be buried in log messages about favicon streams.

Follow me on Twitter: http://twitter.com/mmischel
PAN_IRISH
Re: Not all ADS's are logged during a scan.
« Reply #2 on: Mar 11th, 2010, 5:02am »

According to the research I did online through Wikipedia, ADS may show no bytes but are deceiving in that they do contain data and are a great place to hide malware.
 
http://en.wikipedia.org/wiki/Fork_%28filesystem%29
 
http://2kevin.net/datastreams.html
 
http://www.heysoft.de/en/information/ntfs-ads.php?lang=EN
 
Please make it ALL show, at least when in the Advanced mode.
 

Keep SECURITY the #1 issue!
Use Trojan Hunter 5.5_1002
Don't leave home without it!
Magnus
Re: Not all ADS's are logged during a scan.
« Reply #3 on: Mar 11th, 2010, 5:30am »

An ADS always has a size (which can be 0 bytes, but in that case it's an empty stream). A file can be 0 bytes in size, yet have ADS streams that contain data.
 
TrojanHunter should help finding malicious streams, and I don't think cluttering the log with tons of favicon streams helps with that. If you really want to view all ADS streams you could use a tool such as the excellent ADS Manager (freeware), available at http://dmitrybrant.com/adsmanager
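The filtering policy from reply #1 and the size point from reply #3, as an added example that is not TrojanHunter's code or part of any post: it parses a constructed `dir /r` listing, suppresses the three named streams, and logs everything else with a reason. The `.url`-only rule for `favicon`, the 64 KiB size cap and the sample file names are assumptions made for the example.

```python
import re

# Constructed sample in the layout `dir /r` prints (US locale); not real scan output.
SAMPLE = r"""
03/08/2010  12:50 AM         4,521,984 TrojanHunterSetup.exe
                                    26 TrojanHunterSetup.exe:Zone.Identifier:$DATA
03/08/2010  12:41 AM               120 Forum.url
                                 1,150 Forum.url:favicon:$DATA
03/08/2010  12:30 AM            18,432 Thumbs.db
                                     0 Thumbs.db:encryptable:$DATA
03/08/2010  12:10 AM                 0 notes.txt
                                73,728 notes.txt:data.bin:$DATA
03/08/2010  12:05 AM             2,048 report.doc
                               200,000 report.doc:Zone.Identifier:$DATA
"""

# The three stream types named in reply #1, each tied to the host it belongs on.
# Restricting favicon to .url shortcuts is an assumption based on the first post.
SUPPRESSED = {
    "zone.identifier": lambda host: True,
    "encryptable": lambda host: host.lower() == "thumbs.db",
    "favicon": lambda host: host.lower().endswith(".url"),
}
MAX_BENIGN_BYTES = 64 * 1024  # assumed size cap, not a TrojanHunter setting
FILE_RE = re.compile(r"^\d\d/\d\d/\d{4}\s+\d\d:\d\d [AP]M\s+([\d,]+) (.+)$")
STREAM_RE = re.compile(r"^\s+([\d,]+) ([^:]+):([^:]+):\$DATA$")

def triage(listing, cap=MAX_BENIGN_BYTES):
    """Return (logged, suppressed) lists of (host, stream, size, reason)."""
    host_size, logged, suppressed = {}, [], []
    for line in map(str.rstrip, listing.splitlines()):
        if m := FILE_RE.match(line):
            host_size[m.group(2)] = int(m.group(1).replace(",", ""))
        elif m := STREAM_RE.match(line):
            size, host, stream = int(m[1].replace(",", "")), m[2], m[3]
            rule = SUPPRESSED.get(stream.lower())
            if rule and rule(host) and size <= cap:
                suppressed.append((host, stream, size, "common benign stream"))
            elif rule and rule(host):
                logged.append((host, stream, size, "benign name, unusual size"))
            elif size and host_size.get(host) == 0:
                logged.append((host, stream, size, "data behind 0-byte file"))
            else:
                logged.append((host, stream, size, "unlisted stream"))
    return logged, suppressed

if __name__ == "__main__":
    for host, stream, size, why in triage(SAMPLE)[0]:
        print(f"LOG  {host}:{stream} ({size} bytes): {why}")
```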
siliconman01
Re: Not all ADS's are logged during a scan.
« Reply #4 on: Mar 11th, 2010, 11:28pm »

Quote:
In version 5.3, TrojanHunter no longer logs the following three types of alternate data streams:  
 
Thumbs.db:encryptable  
Zone.Identifier  
favicon

 
I knew that favicon ADS were no longer logged, but not the other two.  I like the additional change.  I like the new approach of "TrojanHunter should help finding malicious streams, and I don't think cluttering....".
 
As far as I am concerned, please tag this bug post as [Closed].   :)
Magnus
Re: Not all ADS's are logged during a scan.
« Reply #5 on: Mar 12th, 2010, 5:48am »

Done :)