SSVegito888
Joined: 07 Jun 2008
Posts: 0
Posted: Sat Jun 07, 2008 9:22 am

Can Clamwin scan in NTFS Alternate Data Streams?
If not, will you consider adding this feature?
Also, how is the resident protection implementation coming along?
Thanks,
SSVegito888

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sat Jun 07, 2008 9:49 pm

Welcome to the ClamWin forum! I asked the same question regarding ADS scanning about a year ago. I was told the ClamWin team had considered it but had decided against it. They basically use the ClamAV scanning engine, so ADS will probably not be considered unless Clam decides to include it in their feature set.
I have since learned that some legitimate software, including some antivirus programs, use ADS to store information, so there could be a problem distinguishing between a "good" use of ADS and a "bad" use. If a virus uses ADS, there is a good chance that it will perform some other behavior/action prior to that, which can be detected.
Regarding real-time scanning implementation, I can't help there--we'll have to let one of the ClamWin developers address that.
Regards,

sherpya
Joined: 22 Mar 2006
Posts: 0
Location: Italy
Posted: Tue Jun 10, 2008 3:42 am

Any sample of a virus inside an ADS? I've found nothing so far, but it may be worth a look.
But if no signatures are done for stuff in ADS, scanning them is pointless.
I really still don't know if an executable can be launched from an ADS.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Jun 10, 2008 5:36 am

In my short experience, I've not encountered any ADS viruses, but there are some. One technique is to hide most of the virus code in an ADS file and have only a small amount of visible code that calls the ADS code--making it harder to spot most of the virus code. An ADS file can also be linked to a normal file and run when that file is called, the virus performs its actions, and then transfers back to the normal file. This results in only a short delay when the file is called--which might not be noticed.
I once wrote an ADS signature for practice, but I had to delete it because it kept flagging some regular programs.
Regards,
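A defender-side inventory script, added here as an editor's example and not code from the thread or from ClamWin: it lists every named stream on the files under a directory and flags the ones not on a small allowlist of stream names known to be written by legitimate software, which addresses the "good use versus bad use" problem GuitarBob raises. The allowlist content is an assumption to tune per environment, and the script needs Windows PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example, not ClamWin code: enumerate NTFS alternate data streams under a path
# and flag streams whose names are not on an allowlist of known-legitimate uses.
function Get-AdsInventory {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Assumption: stream names your environment considers benign. 'Zone.Identifier' is
        # the mark-of-the-web stream browsers and mail clients attach to downloaded files.
        [string[]] $KnownStreams = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # -Stream * returns every stream; ':$DATA' is the file's ordinary content, so skip it.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File     = $file
                Stream   = $_.Stream
                Bytes    = $_.Length
                KnownUse = ($KnownStreams -contains $_.Stream)
            }
        }
    }
}

# Report unknown streams first (KnownUse = False sorts before True), largest first:
# a large stream with an unfamiliar name on an otherwise ordinary file is what to look at.
Get-AdsInventory -Root 'C:\Users' |
Sort-Object KnownUse, @{ Expression = 'Bytes'; Descending = $true } |
Format-Table File, Stream, Bytes, KnownUse -AutoSize
```

Run it from an elevated prompt when the tree contains files owned by other users; an unexpected stream is a lead to examine rather than proof of infection by itself, since, as the thread notes, legitimate programs write streams too.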