Microsoft Switzerland Security Blog

Security information brought to you by the Swiss Security Team.


Practical Guide to Alternative Data Streams in NTFS


Alternative Data Stream support was added to NTFS (Windows NT, Windows 2000 and Windows XP) to support the Macintosh Hierarchical File System (HFS), which uses resource forks to store icons and other information for a file. While this is the intended use (along with a few Windows internal functions), there are other uses for Alternative Data Streams that should concern system administrators and security professionals. Using Alternative Data Streams, a user can easily hide files that go undetected unless the system is closely inspected. This tutorial gives basic information on how to manipulate and detect Alternative Data Streams.

The bad news is that most scan engines and removal tools fail to detect malware "protected" in alternate streams.
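As an added example (not part of the original post), the following PowerShell 3.0+ function walks a directory tree and reports every stream other than the primary `:$DATA` stream, separating the `Zone.Identifier` stream that Windows itself writes for downloaded files from streams that deserve a closer look. The scan root under "Usage" is an assumed example path.

```powershell
# Added example: enumerate alternate data streams under a directory on an NTFS
# volume and report the ones that are not the primary :$DATA stream.
# Requires PowerShell 3.0 or later (Get-Item / Get-Content / Remove-Item -Stream).
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        # Root directory to scan
        [Parameter(Mandatory)] [string] $Path,
        # Streams Windows writes itself; reported, but marked as expected
        [string[]] $KnownStreams = @('Zone.Identifier')
    )

    # -Force includes hidden and system files, which is where hidden data tends to live
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # -Stream * returns one object per stream, including the primary :$DATA
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File     = $file
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                        # Anything not in the known list is worth triaging by hand
                        Expected = ($KnownStreams -contains $_.Stream)
                    }
                }
        }
}

# Usage (assumed path): list every unexpected stream found under the Public profile
Find-AlternateDataStream -Path 'C:\Users\Public' |
    Where-Object { -not $_.Expected } |
    Format-Table -AutoSize

# Triage: read the first lines of one suspicious stream without opening the file itself
# Get-Content -LiteralPath 'C:\Users\Public\report.txt' -Stream 'suspect' -TotalCount 5

# Remediation: delete only that stream, leaving the file's own data untouched
# Remove-Item -LiteralPath 'C:\Users\Public\report.txt' -Stream 'suspect'
```

On Windows Vista and later, `dir /r` in cmd.exe also lists streams, which is handy on hosts where the PowerShell cmdlets are not available.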
