Alternate Data Stream ":$CmdTcID:$DATA"

[Sixtyfour]

Hello!

After installing CIS 8, I have noticed that all files I download, or extract from archives gets an Alternate Data Stream (ADS) attached to them with the name ":$CmdTcID:$DATA". Even programs I compile myself.
The "Cmd" part of the name makes me believe it has something to do with Comodo. If this is the case, does the stream have any purpose ? Is there a way to disable this feature ? Or am I victim of some kind of malware ? I don't want to ship programs to my customers with an unknown ADS, actually not even known ones.

It was when I tried to copy a file I had downloaded, from my computer to a USB-drive, that Windows 8.1 warned me the file has properties that can not be copied to the new location. Probably because the USB uses FAT instead of NTFS as a filesystem. I then used NirSoft's AlternateStreamView (http://www.nirsoft.net/utils/alternate_data_streams.html) and Sysinternals's Streams (http://technet.microsoft.com/en-us/sysinternals/bb897440) to look for any ADS.

Has anyone else seen this behaviour ?
Any help appreciated. Thanks in advance.

[sAyer]

Hello 64.

Give this a try. It does have the option of hiding "safe/known" ADS. If it is Comodo then it's not leaving the stream on any of my files. Anything other than a zone identifer makes me nervous and I don't like those. Where I'm not and expert I have seen alot of ADS types and never one with the string you posted. My first thought was that Cmd might be referring to the Command Prompt ?

Tip : If you choose to try this disable your real time AV. The scan will be 800% quicker due to the aggressive nature of the scanning.

Good Luck.

http://www.pointstone.com/products/ADS-Scanner/

[Sixtyfour]

Thanks sAyer, for pointing me to ADS-Scanner.

The stream is reported having a size of 64 bytes, but content varies. The only thing in common is that they start with "b" as if that should be some kind of signature ?
Here are a few examples:

b…^åDJ
b—YåDÔýVWӷлv¢AVZ5EÜSŸU¥ýêòŠŸVZ5EI•¦,ë³^TI–YåDú\3ÿ®Úüên
b3_åDTh¢ñ_

The ADS can not be removed with the provided button in ADS-Scanner.

Most exe and dll files in my Windows folder are "infected". This is probably due to the big Windows 8.1 November update I downloaded on the 19th. I updated from CIS 7 to CIS 8 on the 18th.

I made a test with a virtual Windows XP machine with CIS 7, following this procedure.
1. Downloaded a exe-file from Internet
2. Ran ADS-Scanner.
  No ADS found.
3. Disabled the network.
4. Uninstalled CIS 7.
5. Installed CIS 8.
6. Activated the network.
7. Let CIS 8 update definitions.
8. Downloaded the same exe-file as before
9. Ran ADS-Scanner.
  Found an ADS named $CmdZnID, 26 bytes with following content:
  [ZoneTransfer]
  ZoneId=3

This ADS can be removed.


My Win XP is 32 bit, and my Win 8.1 is 64 bit.
If the ADS on 64 bit is supposed to be something like the one on 32 bit, it may be corrupted ?
This thought made me remember that a few months ago I disabled a setting in Windows 8.1, so zone information should not be saved. Cause I got irritated about Windows warning me about "this program may be unsafe" everytime I had downloaded something.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
SaveZoneInformation=dword:00000001

Maybe that change in registry is causing the corruption ?


I'm thinking of uninstalling CIS 8 and reinstall CIS 7. If that doesn't help I'll restore my C-drive from a backup made on the 17th. But before I do that I'd very much like more input from you, or anyone else.

The biggest issue is that programs I compile myself on my computer also gets the ADS named $CmdTcID.

[qmarius]

Hi Sixtyfour,

Interesting issue there. You should create a bug report with the required format.
Obviously, the mentioned behavior might seem too invasive.

[MorphOS REBOL]

Hello!

After installing CIS 8, I have noticed that all files I download, or extract from archives gets an Alternate Data Stream (ADS) attached to them with the name ":$CmdTcID:$DATA". Even programs I compile myself.

Thanks for reporting this, Sixtyfour. Doesn't sound that promising to me atm. So this means "upgrading" to v 8 is nothing to be recommended until this very one has been fixed, I guess.
Hopefully it's only a bug.

Kind regards, REBOL.

[Sixtyfour]

Hi qmarius,
I'll start filling in a bug report, but I may not have time to finnish and post it until Monday.

I can add that uninstalling CIS 8 and installing CIS 7 stopped the ADS from being created.
I also experimented with a 32bit Win 7 virtual machine. First installing CIS 8 and then Steam. Exe-files and dll-files downloaded by the Steam-installer got the strange b-ADS added to them.

I'm a bit surprised I'm the only one who "sees" the invisible streams.


You're welcome REBOL. I hope Comodo will fix it quickly.

[qmarius]

Hi qmarius,
I'll start filling in a bug report, but I may not have time to finnish and post it until Monday.

Thanks.

I'm a bit surprised I'm the only one who "sees" the invisible streams.

I'm usually very interested in this kind of issues. Sadly, I'm very busy lately.

It's just bad practice from my point. It might be a partial fix to keep track of files with no streams.
Have you observed this behavior on files with streams data? I'm curious if data is overwritten somehow.
Also, a procmon monitoring might elucidate some things. I'm guessing.


Thanks again.

[mouse1]

Hi qmarius,
I'll start filling in a bug report, but I may not have time to finnish and post it until Monday.

I can add that uninstalling CIS 8 and installing CIS 7 stopped the ADS from being created.
I also experimented with a 32bit Win 7 virtual machine. First installing CIS 8 and then Steam. Exe-files and dll-files downloaded by the Steam-installer got the strange b-ADS added to them.

I'm a bit surprised I'm the only one who "sees" the invisible streams.


You're welcome REBOL. I hope Comodo will fix it quickly.

No I have seen them as well. I did not attribute them to CIS, though you may be right.

I seemed to find them if I had manually manipulated the ZoneID incorrectly from the command line, but that is only a guess. I thought maybe an OS logging tool saying this ZoineId has been corrupted....

You can see them easily in the NTFS right click explorer ADS extension.

Best wishes

Mouse

[Sixtyfour]

Thanks for confirming the ADS existence, mouse1.

qmarius, I'm not sure what you mean by "Have you observed this behavior on files with streams data?". Aren't all files streams... ?
I never thought of using procmon, I'll try that and see if it can give us a clue.


If you haven't already seen it, I did post a bugreport:
https://forums.comodo.com/bug-reports-cis/cis-8-adding-alternate-data-streams-to-files-t108102.0.html
Do you think there is more I need to add to it ?

[qmarius]

qmarius, I'm not sure what you mean by "Have you observed this behavior on files with streams data?". Aren't all files streams... ?
I never thought of using procmon, I'll try that and see if it can give us a clue.

As for example, you can remove streams with this tool if you want to experiment scenarios (such as the mentioned one).
>> streams -d application.exe 

You should also check for a (possible) different behavior on different configurations (eg proactive). Maybe these configurations handle things in a different way.

 

[mouse1]

Hi guys

This is a very important discussion

Where relevant to the bug could you continue discussions in the bug report please which has now been processed. Else the devs may miss something important.

And we would not want that ..........   

Best wishes

[Sixtyfour]

qmarius, you can find the answers to your Procmon and Streams questions in the debug report, as per mouse1's request.

[sunwukong]

Perhaps this is too simple but where can I get a good copy of version 7 of the firewall?
I called Tech Support and the guy was not helpfull.  He said there was a way with "Geek Buddy" but that was not something I was willing to do.

[Sixtyfour]

CIS 7 can be downloaded here.

Merry Christmas and happy no ADS!

[johnrambobt]

I have notices that i have a lot of ADS in my system. When I copy files to my USB, i get a warning message about lose the properties.

It´s a comodo issue? Does comodo antivirus protect against virus inside ADS?

Thanks.