Is CIS 8 adding Alternate Data Streams to files?
Can U reproduce the problem & if so how reliably?:
Every time I download a file, extract from a downloaded archive, or compile it myself (using Delphi 7, XE2 or XE5), an ADS is added.
ADS-Scanner (ADS (Alternate Data Streams) Scanner) finds an ADS named “$CmdTcID”, reporting the size as 64 bytes. They start with “b” and here are three examples of what they look like.
b…^åDJ
b—YåDÔýVWӷлv¢AVZ5EÜSŸU¥ýêòŠŸVZ5EI•¦,ë³^TI–YåDú\3ÿ®Úüên
b3_åDTh¢ñ_
If U can, exact steps to reproduce. If not, exactly what U did & what happened:
1: Download an exe-file from Internet
2: Run ADS-Scanner
3: It reports the ADS
One or two sentences explaining what actually happened:
It was when I tried to copy a file I had downloaded, from my computer to a USB-drive, that Windows 8.1 warned me the file has properties that cannot be copied to the new location. Probably because the USB uses FAT instead of NTFS as filesystem. That’s when I started inspecting my files for any hidden ADS.
One or two sentences explaining what you expected to happen:
No ADS added please. I don’t want to ship applications to my customers with any ADS attached to them, and I don’t want to have to confirm file-copying to my USB.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
I Uninstalled CIS 8 and installed CIS 7. The ADS stopped appearing.
Any software except CIS/OS involved? If so - name, & exact version:
None that I can think of. The only software change made is updating from CIS 7 to CIS 8.
Any other information, eg your guess at the cause, how U tried to fix it etc:
I have asked at your forum if anyone else has noticed this problem. You can read the original thread here (some of it is repeated in this bug report):
https://forums.comodo.com/install-setup-configuration-help-cis/alternate-data-stream-cmdtciddata-t108076.0.html
B. YOUR SETUP
Exact CIS version & configuration:
8.0.0.4337
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
HIPS - Safe mode
Auto Sandbox - Disabled
Firewall - Custom ruleset
Antivirus - Stateful
Have U made any other changes to the default config? (egs here.):
The ADS appear with default config too
During installation I choose to install only Firewall and Antivirus. I already have a portable version of Dragon and didn’t need it. I consider myself a geek and don’t want a buddy. I also uncheck the total of four checkboxes on the two pages of the installation wizard before clicking “Agree and install”.
I right click the Comodo tray icon
Hide the Widget
Select Advanced View
Have U updated (without uninstall) from CIS 5 or CIS6?:
No
if so, have U tried a clean reinstall - if not please do?:
Yes on a clean freshly installed Win 7 x32 Virtual Machine, where I even get two ADS:
1. A readable "$CmdZnID" (26 bytes) with content:
[ZoneTransfer]
ZoneId=3
2. The strange "$CmdTcID" (64 bytes)
"$CmdZnID" can be deleted with ADS-Scanner, but not "$CmdTcID"
There is a registry setting to prevent zone-information from being created.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
SaveZoneInformation=dword:00000001
If I add that to Win 7 registry, then only the ADS "$CmdTcID" is created.
On my computer (Windows 8.1 x64) I have this registry setting, which may be why I only get one ADS (still that's one too many).
3. Yes, there is actually a third ADS, but this is the Windows default "Zone.Identifier", which looks very similar to "$CmdZnID" and is only visible in ADS-Scanner when unchecking "Ignore safe ADS content".
The "Zone.Identifier" can be deleted and isn't created when the above registry setting is present.
Have U imported a config from a previous version of CIS:
I exported my config from CIS 7 before uninstalling it, and then imported it into CIS 8.
if so, have U tried a standard config - if not please do:
Yes, tried that too, still get the ADS
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 8.1 x64 is my primary physical machine.
I’ve experimented with 32bit Win XP and 32bit Win 7 Virtual Machines. ADS appears there too.
On XP the ADS is named “$CmdZnID”, only 26 bytes and readable:
[ZoneTransfer]
ZoneId=3
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=I’ve used Comodo since first public version and never looked at any other security software
b=I have disabled Windows Firewall and Windows Defender.
C. ATTACH REQUIRED FILES
The files I’ve attached are from a fresh install of Windows 7, 32bit. Only CIS 8.0.0.4337 installed.
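An added example, not part of the original report or of any Comodo tooling: a PowerShell check that lists every alternate data stream under a folder, so build output or downloads can be inspected before being shipped or copied to a FAT drive. The folder path is a hypothetical placeholder; the stream names in the lookup table are the ones named in the report.

```powershell
# Added example: list alternate data streams (ADS) on every file under a folder.
# $Root is a hypothetical placeholder path; stream names are those from the report.
param([string]$Root = 'C:\Build\Output')

$notes = @{
    'Zone.Identifier' = 'Windows default zone stream'
    '$CmdZnID'        = 'readable [ZoneTransfer] stream named in the report'
    '$CmdTcID'        = '64-byte binary stream named in the report'
}

# Windows PowerShell 5.1 reads raw bytes with -Encoding Byte, PowerShell 6+ with -AsByteStream.
$byteArgs = @{ Encoding = 'Byte' }
if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArgs = @{ AsByteStream = $true } }

$files = Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue
$findings = foreach ($file in $files) {
    # -Stream * returns every stream; ':$DATA' is the file's ordinary content.
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        # Read at most 64 bytes so a binary stream can be shown as hex.
        $head = Get-Content -LiteralPath $file.FullName -Stream $s.Stream `
            -TotalCount 64 -ErrorAction SilentlyContinue @byteArgs
        $hex = ''
        if ($null -ne $head) { $hex = [BitConverter]::ToString([byte[]]$head) }
        $note = $notes[$s.Stream]
        if (-not $note) { $note = 'not mentioned in the report' }
        [pscustomobject]@{
            File   = $file.FullName
            Stream = $s.Stream
            Length = $s.Length
            Note   = $note
            Head   = $hex
        }
    }
}

$findings | Sort-Object File, Stream | Format-Table -AutoSize -Wrap
if ($findings) {
    Write-Warning ("{0} alternate data stream(s) found under {1}" -f @($findings).Count, $Root)
}
```

The script only reports; it does not modify or delete any stream.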