This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."

Download it now to read this article plus other related content.

Alternate Data Streams
Windows machines using the popular NTFS file system support Alternate Data Streams (ADSes), a feature that allows a file to be attached to any other file or directory. Unfortunately, there's no way to detect the presence of or analyze the contents of an ADS on a standard Windows machine, making it a useful vector for malware.

For our tests, we took a specimen that an antispyware tool could normally detect and copied it into an ADS. We then used the Windows "start" command to run the malware from inside the ADS.

McAfee handled the ADS-borne spyware the best, with real-time blocking of both the malware copy into an ADS and execution from an ADS. McAfee also deleted ADS-based malware during an on-demand scan.

CA and SurfControl blocked execution of the malware from the ADS, but failed to prevent it from being copied initially. Neither cleaned up the malware with an on-demand scan using a default configuration.

Lavasoft has an option for ADS scanning, but it's turned off by default. It can provide solid real-time ADS protection, but it can only be activated at the client--there's no server-side configuration capability.

Trend Micro, Webroot and eSoft provided no protection against our ADS-borne spyware. Of particular surprise on this front was Webroot, which has a configuration option (off by default) to perform ADS scanning. When we activated this option, our ADS malware still flew under Web-root's radar.

    Requires Free Membership to View

In follow-up discussions, Webroot personnel showed us how they tested for ADS spyware by using a separate program to execute malware from inside an ADS. Sure enough, when using their testing tool, the ADS malware was blocked. But, their ADS execution harness is a somewhat artificial environment, as opposed to our more real-world test using the start command. We feel that Webroot's ADS option gives users a false sense of security and therefore was worse than no protection at all, hence the lowest grade in this category.

Resilience to Attack
Increasingly, antispyware tools themselves are coming under attack by aggressive spyware that attempts to disable protection. To test resilience to these attacks, we tried to shut down each antispyware tool by shutting off its service and killing its processes at the client. We then checked to see whether antispyware protection was still functional. Many antivirus tools resist such attacks by inserting their code into other running processes, making them less likely to be subverted. None of our antispyware tools showed the resilience typical of these AV products.

SurfControl was best, maintaining protection even after its service was stopped and processes killed. McAfee also takes a strong approach: While we could shut down McAfee's service and kill its process to disable defenses, protection was automatically reactivated within five minutes, a duration that is configurable.

eSoft and Lavasoft maintained protection after their processes were killed, but died when the services were stopped. Conversely, CA kept working after the service was killed, but not when the process was terminated.

Trend Micro and Webroot were the easiest to kill, by either shutting down the service or killing the process.

This was first published in May 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: