
Do files keep the header?


38 replies to this topic
derRaphael
  • Members
  • 872 posts
  • Last active: Mar 19 2013 04:42 PM
  • Joined: 23 Nov 2007
windows stores meta information for downloaded files as an ADS (alternate data stream) which is connected to a particular file. AFAIk (i might be wrong) this ADS part contains some data chunks which allow to trace where a file came from.

dR

All scripts, unless otherwise noted, are hereby released under CC-BY

MacroMan!
  • Members
  • 604 posts
  • Last active: Mar 20 2012 11:40 AM
  • Joined: 28 Aug 2009
I believe ADS is something that you can add to a file/folder itself, and it's not there by default. But correct me if I am wrong.
What ever happened, happened.

derRaphael
  • Members
  • 872 posts
  • Last active: Mar 19 2013 04:42 PM
  • Joined: 23 Nov 2007
files that are downloaded get an ADS by default. this is why the "this file may be insecure blah" msg pops up.

however this is not true for files which are installed or otherwise brought to the system.

All scripts, unless otherwise noted, are hereby released under CC-BY

MacroMan!
  • Members
  • 604 posts
  • Last active: Mar 20 2012 11:40 AM
  • Joined: 28 Aug 2009
Ah, in that case you may want to take a look at the following website which gives some useful information and links to tools to view/open/delete ADS:

http://www.irongeek....=security/altds
What ever happened, happened.

derRaphael
  • Members
  • 872 posts
  • Last active: Mar 19 2013 04:42 PM
  • Joined: 23 Nov 2007

AFAIk (i might be wrong) this ADS part contains some data chunks which allow to trace where a file came from.


just checked:

a downloaded file contains an ADS named Zone.Identifier
This contains the following data:

[ZoneTransfer]
ZoneId=3

here is more detailed information on what these zones mean: http://www.sanderson... ... tifier.pdf

dR

All scripts, unless otherwise noted, are hereby released under CC-BY
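The stream quoted above is plain INI text, so it can be read and interpreted with a few lines of Python. This is an added example, not code from the thread: `parse_zone_identifier` handles the `[ZoneTransfer]` format, and `read_zone_identifier` opens the stream through the `file:Zone.Identifier` path syntax, which CPython's `open()` passes straight to Win32 on an NTFS volume (on other file systems it simply reports no stream). The zone-number names are the standard URL security zone values; the sample stream is constructed.

```python
"""Read and interpret the Zone.Identifier alternate data stream (ADS).

Added example, not code from the forum thread. Parses the [ZoneTransfer]
text shown in the post and, on Windows/NTFS, reads the stream itself.
"""
import configparser
from typing import Optional

# Standard URL security zone numbers used by Zone.Identifier.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample, same shape as the stream quoted in the post.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text: str) -> dict:
    """Return the [ZoneTransfer] keys as a dict, plus a ZoneName label.

    Any extra keys (newer Windows versions can add more) are kept verbatim
    so a reviewer sees everything the stream carries.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: ZoneId, not zoneid
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section in stream")
    fields = dict(cp["ZoneTransfer"])
    zone = int(fields.get("ZoneId", -1))
    fields["ZoneName"] = ZONE_NAMES.get(zone, f"unknown zone {zone}")
    return fields


def read_zone_identifier(path: str) -> Optional[dict]:
    """Parsed stream for `path`, or None when the file carries none
    (never downloaded, stream removed, or volume is not NTFS)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8",
                  errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:  # no such stream, or the path syntax is not supported
        return None


def is_marked_untrusted(path: str) -> bool:
    """True for the Internet (3) and Restricted (4) zones, the marks that
    make Explorer show the Unblock button and trigger the open warning."""
    info = read_zone_identifier(path)
    return info is not None and info.get("ZoneId") in ("3", "4")
```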

IsNull
  • Moderators
  • 990 posts
  • Last active: May 15 2014 11:56 AM
  • Joined: 10 May 2007

are people just paranoid or do people just download any/everything they see?
why not download only from trusted sites and stay away from illegal softwares?


An experienced user should be able to handle the "stupid download & execute" infections. No antivirus software needed.

But, you forget all the exploits, where you are not executing anything. Just visiting a website can infect you. This leads to the problem, if a common website gets hacked (this forum did also ;) ) the bad boys just place some frames to the exploit and every visitor gets infected where the exploits match browser/version.

There are several other scenarios where you can get infected without an action - for example the windows thumbnail exploit.

Keeping your OS and software up to date helps a lot, but new or old non-public exploits will hurt you though. And remember: a virus does not necessarily have to "hurt" your computer in the sense of making it malfunction.

--> Your computer can get a zombie.
--> Your computer can get overwatched/controlled (money!)
--> Your computer can therefore be used to do illegal stuff, and your head gets hurt if the police knocks on your door and you downloaded some real bad crap.

And all that happens without you even knowing about it.

Sure, such attacks are more common against companies, but such attacks are also mostly undetectable by signature based scanners as the malware is explicitly written for a specific target.

If you configure your system well, running each daemon just with the minimum required rights, running your browser in a sandbox - then you may not need any antivirus software. And if you use antivirus software - it will aid you against kiddie stuff but don't depend on it as these systems are crap against real dangerous stuff :)

jm2c

wtg
  • Members
  • 251 posts
  • Last active: Dec 19 2012 03:54 PM
  • Joined: 04 Oct 2006
There is a little bit of metadata for a file stored on NTFS file systems when a file is downloaded. An Alternative Data Stream object gets created storing the Zone Identifier. It doesn't record the source of the file, but it will show you that it's been downloaded. If you've seen the Block/Unblock button in the File Properties dialog, this is enabled based on this info.

[Edit]

If you've not tried it, try Microsoft Security Essentials. It works really well and puts a very, very low load on the PC. It works well even on old PCs, unlike Nortons and McAfee. It's free, and in reviews it's one of the most effective AV programs and with the lowest overhead.

I used many AV programs over the years, and for a long time was a fan of AVG Free, but Microsoft Security Essentials converted me.

MacroMan!
  • Members
  • 604 posts
  • Last active: Mar 20 2012 11:40 AM
  • Joined: 28 Aug 2009
If performance is really an issue for your comp, you could try a cloud AV like Panda. (not an advert, just sharing knowledge)
What ever happened, happened.

tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: May 02 2019 09:16 PM
  • Joined: 21 Dec 2007

Microsoft Security Essentials.

I feel stupid for not knowing about this :cry: :oops:
Never lose.
WIN or LEARN.

derRaphael
  • Members
  • 872 posts
  • Last active: Mar 19 2013 04:42 PM
  • Joined: 23 Nov 2007
take the results from this site for an overview ...

http://www.pcmag.com...,2372224,00.asp

as long as MSE2 is a beta it is not fully tested yet - having a good scanning engine is only half of the deal - the update frequency with latest updates makes the other, and the past showed that MS was not the brightest candle on the cake.

above's site also links to a comparative table of AV-test.org where current AV products have been tested.

i find it a bit disturbing, that MS states in the EULA of MSE2 that test results may only be published with an exclusive permission of MS ...

dR

All scripts, unless otherwise noted, are hereby released under CC-BY

wtg
  • Members
  • 251 posts
  • Last active: Dec 19 2012 03:54 PM
  • Joined: 04 Oct 2006
Thanks for posting that derRaphael. It's especially interesting to see they tested on XP and Win7 with different results.

I can't find the review that I read originally that turned me on to it, but it was about a year or so ago. I was particularly interested in a preventative but low-overhead tool since so many of the AV programs bog your machine down so heavily. I was using AVG Free at the time but was growing disenchanted with it when 8.0 came out (or was it 9.0?)

This site's most recent comparative reviews give Security Essentials their highest rating for proactive detection/prevention and their second-highest for on-demand scanning. http://www.av-compar... ... main-tests Certainly some other tools get the highest rating in both measures, and its disk scanning is comparatively slow, but as they report and I've experienced its proactive detection is quite good and for the price it's hard to beat.

As noted here it has little impact on boot time and low memory overhead. On some of the older machines in my house the AV software impacted performance so badly I often was tempted to run without it.

I've used 4 different suites.
Nortons - Performance killer/memory hog/*slow* booting: hardly worth it
McAfee - Performance killer/poor protection/slow booting: I've had my kids machines get infected several times with this installed. Not as slow as Nortons, but still bad.
AVG Free - Pretty good, contains nagware: Decent, and hard to fault for nagware since it's free, but later releases I used are more of a resource hog and at least one PC managed to get a bad infection.
MS Security Essentials - Low overhead and so far quite effective: kids haven't managed to get a PC infected in over a year *crosses fingers*, and it's the first AV program I've used that doesn't have any noticeable impact on performance.

Anyway, just my experience. Your mileage may vary.

guest3456
  • Guests
  • Last active:
  • Joined: --

There are several other scenarios where you can get infected without an action - for example the windows thumbnail exploit.

..

--> Your computer can get a zombie.
--> Your computer can get overwatched/controlled (money!)
--> Your computer can therefore be used to do illegal stuff, and your head gets hurt if the police knocks on your door and you downloaded some real bad crap.

And all that happens without you even knowing about it.


If you configure your system well, running each daemon just with the minimum required rights, running your browser in a sandbox - then you may not need any antivirus software. And if you use antivirus software - it will aid you against kiddie stuff but don't depend on it as these systems are crap against real dangerous stuff :)


my bold

i'd be curious if any of those infection scenarios you mention are even possible while running as a limited user within windows. most of all of these debates about AV's, infections, malwares, become moot points once someone stops running as an administrator account.

linux is commonly thought of as a more secure OS than windows, but it's simply because you don't run as root (admin) in linux. in windows, everyone blindly runs as admin cause they are too lazy to switch users when they need to install a program.

but it's like EEdis said earlier, it's all pros/cons. if you want to continue to engage in all these debates and worry about viruses and malware and are willing to waste time and energy on this worry, for the benefit of installing programs faster, then go for it

derRaphael
  • Members
  • 872 posts
  • Last active: Mar 19 2013 04:42 PM
  • Joined: 23 Nov 2007

i'd be curious if any of those infection scenarios you mention are even possible while running as a limited user within windows. most of all of these debates about AV's, infections, malwares, become moot points once someone stop running as an administrator account.


yes - that is possible which makes it even harder for a limited user not having admin rights to "disinfect" a compromised machine - assuming the user even recognizes it. hooking the ms_gina is harder from limited accounts but not impossible.

linux is only considered to be a more secure variant, not because users don't run stuff as root on a default base, but because only very few phreaks bother to write exploits for a linux audience - it's not that hard to get root rights from a standard restricted account in linux (unless it's an SE enabled kernel, but even this one is not failsafe).

although the numbers began shifting with the upcoming ubuntu, there are still much more w32 based targets around than linux targets. as a conclusion w32 is the target to aim at for all those spam botnet ops and creators.

it's just a matter of user numbers. writing a userland extension which doesn't even need admin rights and adding it to a linux standard account startup is fairly simple and enough to zombify parts of a client for www botnet access. since most linux users have the impression that windows is the evil os with all these worms, trojans and virii they don't even bother installing a linux virus scanner unless they deal with a ms network - in this case to only protect the w32 based part of the net.

having a standard ubuntu and dumping a process list, the "just wanna use the computer" guy will see a vast list of processes started in his own context - how is that poor guy supposed to know which of these processes might be of the malicious sort? don't think that mac is better, because it hides such information from its bsd origins better. compared to the run-of-the-mill linux kernel the bsd kernel is better in its design, but still vulnerable.

however, thx to the big fat propaganda machinery of a well known company from redmond such a threat situation is hopefully far away.

"when a duck lays an egg, it's almost done silently. when a hen lays an egg, it comes along with loud cackles. what do we learn from these facts? all the world eats eggs from a hen!"

dR

All scripts, unless otherwise noted, are hereby released under CC-BY

MacroMan!
  • Members
  • 604 posts
  • Last active: Mar 20 2012 11:40 AM
  • Joined: 28 Aug 2009

everyone blindly runs as admin cause they are too lazy to switch users when they need to install a program.


Why does everyone have this image of having to switch users. You can simply right click on any executable (ie An install file) and select 'Runas...' then put in the admin credentials, there is no need to switch users, even in Linux, you have the keyring and you can install stuff without switching users.

So you are right, it's either down to laziness or just not knowing any better.
What ever happened, happened.

Eedis
  • Members
  • 1775 posts
  • Last active: Aug 14 2015 06:33 PM
  • Joined: 12 Jun 2009
It's not laziness, it's method. Everyone has their own method to their madness. Take me and my wife for example, we both do the same action but differently. Even though there are things she pointed out to me that are faster and more convenient than the way I do it and vice versa, we choose not to change because that's the way we've been doing it. I click File>Save, then close. She just closes and hits enter to save a file. I middle click to open in a new tab, she right clicks and opens in a new tab. We both have an easier method but I don't plan on changing my methods. Nobody wants to change nor do they like change. Others call them dumb, stupid, ignorant, for doing things the way they do it, whereas that person is saying the same thing about you.

It's opinionated, people. No one's being lazy, no one's being ignorant of the possibility, we choose to do our method and choose not to conform to others' more convenient method as our method is more convenient to our own mind.

That is the same reason why religion and politics are the two worst subjects to discuss with someone.
AutoHotkey state, the forum, Poly, and Drainx1. The short story.
I love my wife, my life, my atomic-match; for giving me the greatest gift a man could ask for, such a perfect and beautiful little girl.