Author Topic: Alternate Data Stream ":$CmdTcID:$DATA"  (Read 23005 times)

Offline captainsticks

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11197
    • Comodo Help
How can I remove the ADS? Some files like system files do not even allow the admin to remove the ADS (via sysinternals streams and Admin-cmd)
Hi wdfghdfghdf,
See the quote below.

Thanks.
To remove stubborn ADS, take ownership of the file or folder containing the files with ADS before using an ADS cleaning tool.

I use the following.
http://www.sevenforums.com/tutorials/1911-take-ownership-shortcut.html

Offline c627627

  • Comodo Family Member
  • ***
  • Posts: 81
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #46 on: September 20, 2016, 05:19:18 PM »
Suggestions posted result in our downloaded files no longer being labeled with Alternate Data Streams but for files which already have ADS attached to them, I can only remove them if I completely uninstall Comodo 8.

Would someone please post if having Comodo 8 permanently disables our ability to remove Alternate Data Streams?
If no, then what setting should I change to be able to delete ADS?


This setting only switches off automatic labeling of our downloaded files:
Comodo Firewall > Tasks > Advanced Tasks > Opened Advanced Tasks > Security Settings > Defense+ > Sandbox > Auto-Sandbox > UNCHECK: Enable file source tracking > OK

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26177
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #47 on: September 21, 2016, 07:06:36 AM »
Once File Source Tracking is disabled CIS does not interfere when you try to remove ADS from files.

Offline c627627

  • Comodo Family Member
  • ***
  • Posts: 81
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #48 on: September 21, 2016, 10:07:18 AM »
Once File Source Tracking is disabled CIS does not interfere when you try to remove ADS from files.
Thank you for your reply.

After rebooting twice and having UNCHECKED: Enable file source tracking (as you can see in the screenshot below) the only thing that affects is future downloads.
Existing ADS cannot be deleted.
I tried several programs, including streams.exe which also gives me
Error deleting :$CmdTcID:$DATA:
Access is denied.

The moment Comodo 8 is removed from the system, all programs can successfully remove Alternate Data Streams.

What is the procedure to establish whether this is still a continuing bug in Comodo 8, even if it affects a limited number of systems?
I am on Windows 8.1, I have a multi boot and can replicate the same bug on Windows 10.
Thank you for your advice.

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26177
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #49 on: September 21, 2016, 01:06:28 PM »
It may be a bug that affects a limited number of systems. I haven't seen it reported before.

Offline captainsticks

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11197
    • Comodo Help
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #50 on: September 22, 2016, 12:31:35 AM »
Hi c627627,
To remove stubborn ADS, take ownership of the file or folder containing the files with ADS before using an ADS cleaning tool.

How to Add 'Take Ownership' to Context Menu in Windows 10-Ten Forums

Kind regards.

Offline c627627

  • Comodo Family Member
  • ***
  • Posts: 81
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #51 on: September 22, 2016, 12:44:08 AM »
Yes, when I did a search, that answer did come up.
Realistically speaking, that approach seems to be more applicable to a single file or two or a folder or two.

But the problem here is Comodo 8-related because once Comodo 8 is removed, the hold on ADS files is released (!)
This pretty much proves that this is a Comodo 8 bug, does it not?

Rather than removing Comodo 8, I was hoping that there was a setting that would disable Comodo 8 from interfering with ADS removal.
I now understand that there is not and thank you for posting.


Since Comodo 7 does not prevent existing ADS removal and I did save the last version, would you tell me if Comodo 7 Firewall works under Windows 10? And other than missing the problematic Auto-Sandbox, what would you say are the main drawbacks of using Comodo 7 Firewall on Windows 8.1, if not Windows 10 as well?

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26177
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #52 on: September 22, 2016, 10:13:08 PM »
CIS 7 was never made for or tested against Windows 10. I have never tried it on Windows 10. You are on your own when using CIS 7 under Windows 10.

Offline c627627

  • Comodo Family Member
  • ***
  • Posts: 81
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #53 on: September 23, 2016, 01:45:58 AM »
I wanted to report that although Comodo 7 allows existing Alternate Data Streams to be erased, it is extremely unstable on Windows 8.1, let alone Windows 10. It is not a solution to simply switch to Comodo 7.

I have filed an official bug report regarding this issue but I am curious, on your systems, are you able to successfully remove ADS from existing files which have ADS attached to them, under the latest version of Comodo Firewall 8.4.0.5076?
I have a standalone firewall installed only, not the entire Comodo security suite.

Offline captainsticks

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11197
    • Comodo Help
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #54 on: September 23, 2016, 06:51:55 AM »
Hi c627627,
Sorry, I disabled file source tracking before any ADS were created by CIS with the latest version.

Kind regards.

Offline c627627

  • Comodo Family Member
  • ***
  • Posts: 81
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #55 on: September 23, 2016, 01:04:27 PM »
captainsticks, it is easy to test this.
On latest standalone Comodo Firewall 8.4.0.5076, every single file you download is labeled with Alternate Data Streams by default or you can get Comodo Firewall 8 to attach ADS streams if you do this [which is btw default]:

Right click on the Comodo icon in the task bar > Open... > Tasks [upper right] > Advanced Tasks [lower left] > Open Advanced Settings [lower right] > Security Settings > Defense+ > Sandbox > Auto-Sandbox > CHECK: Enable file source tracking > OK

Now simply download something like WinRAR .exe setup file for example:
http://www.rarlab.com/download.htm

Now that downloaded .exe file will have an ADS attached.

At this point, for as long as Comodo Firewall 8 is installed [and I tested the first version of Comodo 8 ever released and it also has this problem] so as I was saying, for as long as Comodo Firewall 8 is installed on your system, you will not be able to remove ADS from that downloaded file.

As you know several programs can remove ADS, but whoever wants to quickly test - just copy your downloaded ADS "infested" file into a new folder and scan that folder using something like this:
http://www.nirsoft.net/utils/alternate_data_streams.html
...here's a direct download link to that AlternateStreamView freeware by Nirsoft:
http://www.nirsoft.net/utils/alternatestreamview-x64.zip


Won't you kindly test this and post if you can or cannot remove ADS on a machine where Comodo Firewall 8 is installed?
 
« Last Edit: September 23, 2016, 01:05:59 PM by c627627 »
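
The test described in the post above, scripted in PowerShell as an added example (not part of the original thread and not Comodo's or Nirsoft's code). It assumes Windows PowerShell 3.0 or later, that the stream is named `$CmdTcID` as in the thread title, and a hypothetical folder `C:\ADS-Test` holding copies of the downloaded files.

```powershell
# Added example. The folder path is a hypothetical test location; the stream
# name is taken from the thread title (":$CmdTcID:$DATA").
param(
    [string]$Folder     = 'C:\ADS-Test',
    [string]$StreamName = '$CmdTcID'   # single quotes keep the $ literal
)

function Test-StreamRemoval {
    param([string]$Folder, [string]$StreamName)

    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $file = $_.FullName

        # Look for the named stream; files without it are skipped.
        $stream = Get-Item -LiteralPath $file -Stream $StreamName `
                           -ErrorAction SilentlyContinue
        if (-not $stream) { return }

        $result = 'Removed'
        $detail = ''
        try {
            # Delete only the named stream; the file's main data is untouched.
            Remove-Item -LiteralPath $file -Stream $StreamName -ErrorAction Stop

            # Confirm the stream is really gone rather than trusting the call.
            if (Get-Item -LiteralPath $file -Stream $StreamName `
                         -ErrorAction SilentlyContinue) {
                $result = 'StillPresent'
            }
        } catch {
            # Record the error text as reported, e.g. "Access is denied."
            $result = 'Failed'
            $detail = $_.Exception.Message
        }

        [pscustomobject]@{
            File   = $file
            Stream = $StreamName
            Length = $stream.Length
            Result = $result
            Detail = $detail
        }
    }
}

Test-StreamRemoval -Folder $Folder -StreamName $StreamName |
    Format-Table -AutoSize -Wrap
```

Running it once with the product installed and once from an environment where it is not loaded gives a per-file record of whether removal succeeded or failed, which is the comparison the thread is asking for.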

Offline captainsticks

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11197
    • Comodo Help
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #56 on: September 23, 2016, 06:10:32 PM »
....Won't you kindly test this and post if you can or cannot remove ADS on a machine where Comodo Firewall 8 is installed?
Hi c627627,
I understand how to test this issue, I will probably not have time until after the weekend though.

I will test this early in the week if time permits.

Thanks.

Edit:
I just quickly tested this while CIS (Not just Firewall) is installed and I was able to remove the ADS in Windows safe mode.
I probably won't have the time this morning to test if safe mode is required or not if CIS is uninstalled.
« Last Edit: September 23, 2016, 06:52:49 PM by captainsticks »

Offline c627627

  • Comodo Family Member
  • ***
  • Posts: 81
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #57 on: September 24, 2016, 02:17:08 AM »
Wait, you had to reboot into Windows Safe Mode just to remove ADS?
If that is what you meant, people also have multi boots and can reboot into an OS where Comodo is not installed, they can try taking ownership of files, they can uninstall Comodo 8, remove Alternate Data Streams attached to their files, then reinstall Comodo 8 after they clean their files. All these are workarounds... Some people would find them unacceptable, some won't...

But if you are talking about having to reboot into Windows Safe Mode, then you are answering my question, that this is not something new or unique to my system.

I am hoping you can clarify, the entire point of course is that, just like under Comodo 7 or earlier, we'd like to be able to remove ADS. And if we can't then that's fine -- it would just help if this were a clear issue and people stopped thinking that it's some kind of a bug.

Maybe then we can talk about _why_ we can't remove ADS with Comodo 8 installed?

But either way, some kind of official acknowledgement that preventing ADS removal is a side-effect of having Comodo software installed would really be helpful...

Offline qmarius

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3843
  • making simple things complicated
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #58 on: September 24, 2016, 04:48:55 AM »
Just wondering if you tested it with version 10 beta? Streams data is no longer added with upcoming version.

Offline c627627

  • Comodo Family Member
  • ***
  • Posts: 81
Re: Alternate Data Stream ":$CmdTcID:$DATA"
« Reply #59 on: September 24, 2016, 05:10:55 PM »
To make sure we don't get off topic, the question is about trying to get acknowledgement that Comodo 8 does not allow removal of existing Alternate Data Streams. Is this considered a major bug in Comodo 8 or not? If it is not a bug, then what is the reason for this?

To address what you said, Streams are no longer added if you change a setting I mentioned earlier in Comodo 8 either.
Adding Streams is not the question, removing existing Streams is the question.


Yes, I tested the version 10 Beta download. It also cannot remove existing streams.
And by the way, I stay away from full suites and only install the Comodo Firewall but since there was no standalone Firewall download that I know of, I had to get the version 10 Beta full suite.


Upon first launch of version 10 suite there is an ***EXPLOSION*** of activity, just crazy scanning everywhere.
This scanning appears to permanently affect html links. So that after you remove Comodo 10, the html links inside the Windows Favorites folder are by default somehow labeled and changed to display a big WARNING if launched by double clicking on them. The weirdest way to get rid of this warning is to copy/paste the link files away from the original System Windows Favorites location to a couple of other places and then back.

Some of these features should not be ON by default.
People who know what these Comodo features are are perfectly capable of turning these features ON.

People who don't know what these features are are SCARED of the malware-like nature of Comodo by default willy-nilly, changing people's files, adding Alternate Data Streams and after you figure out how to stop Comodo from doing this in the future, Comodo then prevents you from removing already existing Streams which Comodo added in the past.

So my starting point is to see if this is unique to me or can anyone remove *existing* Streams under Comodo 8?
If they cannot, then the question is: is this a bug?

But for now the important thing is to just get acknowledgement of the existence of this problem.

« Last Edit: September 24, 2016, 05:12:57 PM by c627627 »

 
