Author Topic: Viruses in NTFS Alternate Data Stream  (Read 6488 times)


suntoucher

  • Guest
Viruses in NTFS Alternate Data Stream
« on: October 14, 2004, 08:19:09 PM »
Hi, there!

German online security news service heise.de has published an article on virus threats in NTFS ADS data today (<http://tinyurl.com/63e92/>).  

Since avast!4 (unfortunately once again!) is not amongst the tested AV products, I wonder since when (say, which version) it does check the ADS. I'm quite sure it does, because W32.Dumaru for instance is listed in the positive list. But NTFS ADS checking doesn't seem to be a matter of course at all...

Regards,
suntoucher

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Viruses in NTFS Alternate Data Stream
« Reply #1 on: October 14, 2004, 08:29:23 PM »
avast! does scan ADS, but I'm not 100% sure for Home Edition.

suntoucher

  • Guest
Re:Viruses in NTFS Alternate Data Stream
« Reply #2 on: October 14, 2004, 08:49:14 PM »
Well, the alwil software virus description page for W32.Dumaru <http://www.avast.com/eng/viruses/windows_viruses/win32dumaru.html> says: "avast! with VPS file dated on or after 19th August 2003 is able to detect this worm."

I presume this statement applies to all avast! variants -- Home, Pro, Server -- as well.

I will tell heise.de and suggest taking avast! into consideration for future testing of AV products. At last!

Regards,
suntoucher

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Viruses in NTFS Alternate Data Stream
« Reply #3 on: October 14, 2004, 09:13:07 PM »
Since Avast Home and Pro use the same scan engine, I think both can handle ADS.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Viruses in NTFS Alternate Data Stream
« Reply #4 on: October 14, 2004, 09:15:06 PM »
NTFS streams are handled as a "packer" - so when you start a scan that includes the content of "archives", the streams will be scanned as well.

Btw, the ADS support will be slightly improved in avast! 4.5 ;)

suntoucher

  • Guest
Re:Viruses in NTFS Alternate Data Stream
« Reply #5 on: October 14, 2004, 09:34:23 PM »
Quote
(...)
Btw, the ADS support will be slightly improved in avast! 4.5 ;)

Hej! Nice to read! When do you expect v4.5 to be released? (If I may ask... ;-)

I'm asking because I've just sent an e-mail to one of the editors of the German magazine c't, suggesting that they take avast! into consideration for future testing of AV software.

Perhaps a new, improved version is another reason to test (and praise!) avast!, which I use to call the best scanner *ever*...

Regards,
suntoucher

whocares

  • Guest
Re:Viruses in NTFS Alternate Data Stream
« Reply #6 on: October 15, 2004, 10:26:43 AM »
Hi igor,

Quote
NTFS streams are handled as a "packer" - so when you start a scan that includes the content of "archives", the streams will be scanned as well.

Meaning that the avast Shield won't scan ADS normally, unless you set/tweak it to scan archives by default?
Or does "packer" mean EXE-packer rather than "archive" here?

 ??? ???

Hi suntoucher,
One could test avast's behaviour with different settings by putting eicar.com into a stream (how-to in your link).

 ;)  
« Last Edit: October 15, 2004, 10:31:30 AM by whocares »
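Added example (written for this thread, not code from any of the posters or from avast!): a PowerShell function that lists every alternate data stream under a directory, so you can see which files carry extra streams and, after putting the EICAR test file's content into one of them as whocares suggests, verify whether your scanner actually looks inside them. It assumes PowerShell 3.0 or later on an NTFS volume; the function name, the directory and the `hidden` stream name are made up for the demo.

```powershell
# Enumerate NTFS alternate data streams under a path (added example, not from the thread).
# Requires PowerShell 3.0+ (the -Stream parameter of Get-Item) and an NTFS volume.
function Get-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$IncludeZoneIdentifier   # Zone.Identifier is the common, benign "mark of the web" stream
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the file's ordinary (unnamed) data stream; everything else is an ADS
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Self-check with constructed sample data in a fresh temp directory.
$demoDir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demoDir | Out-Null
$carrier = Join-Path $demoDir 'carrier.txt'
Set-Content -LiteralPath $carrier -Value 'visible content'

# Write a harmless marker into a named stream. For a scanner coverage test you would
# instead place the EICAR test file's content here and then run your on-demand scan
# with and without archive scanning enabled.
Set-Content -LiteralPath $carrier -Stream 'hidden' -Value 'MARKER-IN-ADS'

# Expected: one row for carrier.txt with Stream = hidden
Get-AlternateDataStreams -Path $demoDir | Format-Table -AutoSize

# Clean up the demo stream and directory.
Remove-Item -LiteralPath $carrier -Stream 'hidden'
Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Note that `Get-ChildItem` alone never shows streams; only the `-Stream` parameter of `Get-Item` (or `dir /r` in cmd.exe on Vista and later) reveals them, which is why an ADS is easy to overlook during a manual check and why it matters whether the scanner enumerates them itself.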

suntoucher

  • Guest
Re:Viruses in NTFS Alternate Data Stream
« Reply #7 on: October 15, 2004, 11:04:58 AM »
Quote
one could test avast's behaviour with different settings by putting eicar.com into a stream (how-to in your link)

Thanx for your tip, whocares!

Starting this thread, I was already sure that avast! does ADS scanning nowadays (though I didn't check it myself, to tell the truth).  

Actually, I was more interested in historical details: when did avast! get the capability to be aware of ADS threats? As I mentioned earlier in this thread, this capability doesn't seem to be a common feature in contemporary competitors' AV scanners.

Regards,
suntoucher
« Last Edit: October 15, 2004, 07:10:04 PM by suntoucher »

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re:Viruses in NTFS Alternate Data Stream
« Reply #8 on: October 15, 2004, 02:37:00 PM »
Quote
Actually, I was more interested in historic details: when did avast! get the capability to be aware of ADS threats. As I mentioned earlier in this thread, this capability doesn't seem to be a common feature in contemporary competitors' AV scanners.

The scanning routine for ADS was written on 3/23/2001,
so the first avast4 version already knew how to "extract" NTFS streams.

Quote
does "packer" mean EXE-packer rather than "archive" here.. ?
Packer means archiver.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Viruses in NTFS Alternate Data Stream
« Reply #9 on: October 15, 2004, 02:38:54 PM »
Yes, but we define packers as ASPack, UPX, NeoLite etc., while archives are ZIP, RAR, 7-zip and so on... In the end they do the same (compress data), but there is still a difference.

whocares

  • Guest
Re:Viruses in NTFS Alternate Data Stream
« Reply #10 on: October 15, 2004, 03:18:02 PM »
Uhuuuh..

IIUC you confirm that the Resident Shield does NOT scan for ADS by default?

Why not?
Maybe because, e.g. with DUMARU, the ADS "infector" has to enter the system somehow as a normal file and should then be blocked by the shield?