Alternate Data Stream

Hello :slight_smile:

I created a rule to block alternate data streams and it worked fine, but I’m just curious, really.

When I make the rule for alternate data streams in my protected files/folders and I get the alert when I try to make a file with an alternate data stream, why is there a description already preset about an invisible file, as if the protection is supposed to be default, but it’s not?

Here are some screenshots.

Is this supposed to be default protection in Defense+?

Hallo Gizzy. :slight_smile:

Yep.

Provided that different D+ modes can slightly modify the default behaviour, since CIS supports ADS it will warn about ADS that involve protected file extensions (e.g. the executable group) or protected files/folders (e.g. %windir%\system32).

File Group:	[Executables] is defined as
---------------------------------------------------------------------------------------
[0] *.exe
[1] *.dll
[2] *.sys
[3] *.ocx
[4] *.bat
[5] *.pif
[6] *.scr
[7] *.cpl

Hello gibran :slight_smile:

Thanks for explaining,

I see why it didn’t work without the rule I added: it’s because I was hiding a txt file, which isn’t part of the protected file extensions, but when I tried to do the same thing without my rule and with a .bat instead of a .txt, it alerted me.

Thanks again.

You’re welcome :slight_smile:
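
The default behaviour discussed in this thread can be modelled as a small path check. This is an added example, not Comodo's code and not from any poster: a simplified model that assumes the match is made on the stream name, the host file name and the host folder, and that %windir% expands to `C:\Windows`. The function names and sample paths are constructed for illustration.

```python
import fnmatch
import ntpath

# [Executables] file group exactly as listed in the reply above.
EXECUTABLES = ["*.exe", "*.dll", "*.sys", "*.ocx", "*.bat", "*.pif", "*.scr", "*.cpl"]
# Assumption: %windir%\system32 expanded for a constructed sample machine.
PROTECTED_DIRS = [r"C:\Windows\System32"]


def split_ads(path):
    """Split 'dir/file:stream[:$TYPE]' into (host_path, stream_name or None)."""
    drive, rest = ntpath.splitdrive(path)      # keeps the drive colon out of the way
    head, leaf = ntpath.split(rest)
    parts = leaf.split(":")                    # name, stream, optional stream type
    stream = parts[1] if len(parts) > 1 and parts[1] else None
    return drive + ntpath.join(head, parts[0]), stream


def matches_group(name, patterns=EXECUTABLES):
    """Case-insensitive match of a file or stream name against a file group."""
    return any(fnmatch.fnmatchcase(name.lower(), p) for p in patterns)


def in_protected_dir(host):
    """True when the host file sits in, or below, a protected folder."""
    folder = ntpath.dirname(host).lower()
    return any(folder == d.lower() or folder.startswith(d.lower() + "\\")
               for d in PROTECTED_DIRS)


def classify(path):
    """Return None for a plain file, else the list of reasons to warn."""
    host, stream = split_ads(path)
    if stream is None:
        return None                            # no named stream, or default ::$DATA
    reasons = []
    if matches_group(stream):
        reasons.append("stream name in [Executables]")
    if matches_group(ntpath.basename(host)):
        reasons.append("host file in [Executables]")
    if in_protected_dir(host):
        reasons.append("host in protected folder")
    return reasons                             # empty list: ADS present, no default warning


if __name__ == "__main__":
    for sample in (r"C:\Users\g\notes.txt:hidden.txt",   # constructed paths
                   r"C:\Users\g\notes.txt:hidden.bat",
                   r"C:\Windows\System32\calc.exe:x.txt"):
        print(sample, "->", classify(sample))
```

An empty list corresponds to the .txt case in the thread, where only a custom rule on the folder would raise the alert.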