NEW AdAware SE Personal Edition

  • Thread starter Thread starter Heather
  • Start date Start date
Heather said:
Lavasoft have just released the new free AdAware SE Personal edition.
For more details see http://www.lavasoft.nu/software/adaware/

Heather
Click to expand...

"Now scans and lists alternate Data-streams on NTFS volumes" (in the new
SE version).

What caught me by surprise is that Ad-Aware did not check the ADS
(alternate data stream), a "feature" of NTFS, until this new version.
This new support of an old NTFS feature also makes it suspect that
Spybot doesn't check ADS, either. I have tried to contact Symantec
regarding their Speed Disk and Anti-Virus products to check if they
interrogate the ADS of a file but never got a response (I also wanted to
find out how Speed Disk handled files under 1500 bytes in size that may
reside wholly within the MFT rather than as separate files). See
http://support.microsoft.com/?id=105763) which describes the attribute
(i.e., pointer) for the alternate data stream in the NT file system.
Most users don't even known about alternate data streams (where you can
have completely different content in each data stream) because Explorer,
the 'dir' command, and other common end-user tools never expose this
NTFS feature.

Even Microsoft's own SFC (system file checker) is deficient regarding
alternate data streams. While Windows File Protection will prevent the
replacement of protected system files, it does not prevent a user with
sufficient permissions from adding an alternate data stream to a system
file. SFC.exe will show the protected system files are okay but it
won't check the alternate data streams (which I consider a significant
security flaw). For non-protected system files, ANYONE can attach an
alternate data stream to a file. Even the Guest account can do that.
You can even add an ADS (alternate data stream) to a directory entry.

Microsoft provides nothing for tools to manage and report alternate data
streams of files. You have to go use 3rd party tools, like lads.exe by
Frank Heyne. If you copy a file that has alternate data streams to a
non-NTFS media, like a floppy, the alternate data stream simply gets
truncated or maybe you get a message saying there isn't enough room for
your 1-byte file (because there is 20MB in an alternate data stream
attributed to the file). You could, for example, download a text file
that looks inocuous because all you see in it is plain text but it has
an executable file in an ADS that is harmful. You see goodfile.txt but
a script might run "start goodfile.txt:wipedisk.exe". If the use of ADS
was really to provide additional attributes then Microsoft should have
made all content within an ADS to always be non-executable; i.e.,
something like "start goodfile.txt:wipedisk.exe" should abort with an
error like "Alternate data streams (ADSs) are not executable (file =
"goodfile.txt", ADS: "wipedisk.exe")", or just refuse to run any
executable that has a colon (":") in its filename (which may be what
happens now in Windows XP since "start test.txt:calc.exe", where the
Calculator program has been put into an ADS of test.txt, results in an
illegal syntax error message but the linked articles usually refer to
Windows 2000 although one mentioned XP, plus that doesn't stop the
content in the ADS from being programmatically extracted and executed).

I don't know if Symantec checks for ADSs even in their anti-virus
products to search through any "hidden" content. ADSs aren't new.
They've been around since NTFS showed up. However, I have yet to find a
reference in Symantec's KB about ADS. In the last 'references' link
below, the statement "Virus scanners only check the default data streams
of files" gets me very concerned that a virus could use ADS to bypass
anti-virus software (but there is no datestamp in this article to
determine its timeliness, and the W2K.Stream virus it mentions that
utilitizes ADS is dated by Symantec at http://snipurl.com/7g73 back in
September 2000). It is also noted in this article, however, that the
real-time scanner for an anti-virus product should detect the virus when
it attempts to load into memory from the ADS of the infected file. So a
manual scan won't see the infection but the real-time scanner also
monitoring the memory will detect it getting loaded.

Some references:
http://www.ntfs.com/ntfs-multiple.htm
http://support.microsoft.com/?id=105763
http://www.windowsecurity.com/articles/Alternate_Data_Streams.html

Utilities to detect ADS:
http://www.heysoft.de/nt/ntfs-ads.htm
http://www.crucialsecurity.com/downloads.html (crucialADS utility)
http://www.sysinternals.com/ntw2k/source/misc.shtml#streams
 
Heather said:
Lavasoft have just released the new free AdAware SE Personal edition.
For more details see http://www.lavasoft.nu/software/adaware/

Heather
Click to expand...

I have several of the plug-ins installed for Ad-Aware
(http://www.lavasoftusa.com/software/plugins/). Anyone know if they
remain usable with the SE version of Ad-Aware?

The SE description page (http://www.lavasoftusa.com/news/20040809.shtml)
says, "More user friendly Plug-in/Extension GUI (Plug-ins and Extensions
now shown on separate screens)". So the GUI interface has changed for
the plug-ins but that doesn't really say all current plug-ins are still
compatible.
 
Heather said:
Lavasoft have just released the new free AdAware SE Personal edition. For
more details see http://www.lavasoft.nu/software/adaware/

Heather
Click to expand...

Thanks.
It's not so easy to find, but they recommend uninstalling the old version
before installing this new one.
So I uninstalled the old version, installed the new one, and have given it a
cursory tryout. It takes a little getting used to. I'm not so sure it is
easy to use anymore.

However the "smart scan" is very fast and found 8 objects within a few
seconds. I let it remove the tracking cookies and suspected hijack attempt
URLs, which could do no harm to remove. However I am reluctant to let it
remove two registry items in HKEY_USERS which may relate to my Spybot-S&D
settings:
"Manual changing of the browser start page restricted"
"Manual changing of internet settings restricted"
It also found Alexa, as usual, which I know is not a threat - so long as it
remains simply as an option in one of the IE menus.
-E
 
_Vanguard_ said:
I have several of the plug-ins installed for Ad-Aware
(http://www.lavasoftusa.com/software/plugins/). Anyone know if they
remain usable with the SE version of Ad-Aware?
Click to expand...

Rushing out, but I did see someone on the MS ng saying his plugins were
gone....and being told simply to redownload them.

FWIW, there apparently is a spot in the Install of the new program where you
can choose to uninstall the old one.......frankly, I would just use
Add/Remove and uninstall it. I will see if I can find the forum page.....

OK.....as per Tom V.......

Read the following thread. As Ron Martell indicates in his response, the
installation includes a step to uninstall the previous version. I opted to
uninstall the plug-ins and the application manually.

http://www.lavasoftsupport.com/index.php?showtopic=40599

Cheers....Heather
 
I have several of the plug-ins installed for Ad-Aware
(http://www.lavasoftusa.com/software/plugins/). Anyone know if they
remain usable with the SE version of Ad-Aware?

The SE description page (http://www.lavasoftusa.com/news/20040809.shtml)
says, "More user friendly Plug-in/Extension GUI (Plug-ins and Extensions
now shown on separate screens)". So the GUI interface has changed for
the plug-ins but that doesn't really say all current plug-ins are still
compatible.
Click to expand...

I found that the plug-ins went away and also noticed that this updated
version installs into a different directory than 6.0 did so I would also
advise that you do a compete un-install prior to loading SE. It was not a
clean un-install and you might also find some remnents of 6.0 in your
registry as I did. .
 
Heather said:
Lavasoft have just released the new free AdAware SE Personal edition. For
more details see http://www.lavasoft.nu/software/adaware/

Heather
Click to expand...

AdAware SE 1.01 is apparently obsolete already- version 1.02 is now
available, and requires that you uninstall 1.01 prior to installing it.

http://www.majorgeeks.com/download506.html

AdAware 6.181 will still be supported for another 90 days, including ref
file updates, according to one of the AdAware forum threads. I think I'll
stick with that version untill they get their SE sorted out.
 
Ionizer said:
AdAware SE 1.01 is apparently obsolete already- version 1.02 is now
available, and requires that you uninstall 1.01 prior to installing it.

http://www.majorgeeks.com/download506.html

AdAware 6.181 will still be supported for another 90 days, including ref
Click to expand...
file updates, according to one of the AdAware forum threads. I think I'll
stick with that version untill they get their SE sorted out.Hi Ian......

I was just checking Lavasoft Forum & the MS ng's and this is the official
explanation......and note that as of 5 pm Aug 10, version 1.02 was not yet
available for download......I checked Download.com and Major Geeks and it
was version 1.01.

Explanation from "Easter".......

OK, it is been thorougly reviewed & agreed upon that a complete new Download
is a required upgrade to 1.02 for accurately addressing the webupdate issues
that have recently been reported.

This is due to an issue where the original definitions file remain after
updating to the new one.
unquote........

Like yourself, I rarely rush out to get the newest version of anything and
prefer to let others do the 'beta testing' (VBG). Usually AdAware is
OK.....but Zone Alarm is awful and I stay at least 2 or 3 version behind the
current one. I hear that the Version 5.xxx ones are causing some
problems.....I will stay with the 4.xxx one.

Cheers......Heather
 
Quoth the raven no.spam:
I've heard some conflicts between SE and Mozilla. I'm using
Mozilla now, so I probably won't switch from Adaware v6.0 Pro just
yet.
Click to expand...

Reading elsewhere in these groups, it was said that it marks mozz.dll
(two z's) as a possible. Put it in your ignore list, as it's a needed
file.
 
If anyone is interested, there are two anti-trojan products that will
scan the ADS for trojans: TrojanHunter and TDS-3.

Please reply in this forum, above email address is no longer valid.
Have a nice day AND a happy life. Acadia.
 
bc_acadia said:
If anyone is interested, there are two anti-trojan products that will
scan the ADS for trojans: TrojanHunter and TDS-3.

Please reply in this forum, above email address is no longer valid.
Have a nice day AND a happy life. Acadia.
Click to expand...

Must be a company secret regarding their support of ADS. Their product
description page (http://www.trojanhunter.com/trojanhunter/) doesn't
mention ADS. Their support web page is merely a placeholder and offers
no help. When I did a search in their forums, users mentioned
downloading TDS-3 which would infer that TrojanHunter does not inspect
ADS. There was mention of alerts regarding ADS but that the streams
could not be viewed using TrojanHunter. There's no mention of ADS for
TDS-3, either, (http://tds.diamondcs.com.au/) but posters did mention
that it could view and delete them. Of course, neither of these are
free or include a free version, just trial versions.

I've used SysInternals' STREAM, LADS, and CrucialADS to scan for
alternate data streams in files. I just ran another scan using
CrucialADS and it found several files with ADS used, one which had
Calculator (calc.exe) that I had added as an ADS to a test.txt file as a
test and that I had forgotten about. Many .tif files came up as having
an ADS but I think it is used as a tag. Unfortunately these tools
don'ts use shadow copying (as does the NT Backup program) to let it
interrogate inuse files. It even said pagefile.sys had an ADS (but
obviously couldn't open the paging file).

It's not only trojans, tags, or summary info that gets put into tags.
Several users of KAV anti-virus have noted a plethora of alternate data
streams getting added to files with stream names like kavichs, kav64xxx,
and kav 128xxx. Uninstalling KAV doesn't eradicate the streams that got
added to other files. I hear Cygwin uses ADS to translate Unix/Windows
security permissions, but I don't know what KAV wants to use ADS unless
it's like some hash value of the file to speed up subsequent scans.
Trying to remove individual streams would be a pain and TDS-3 makes you
do it one file at a time. One cure is to copy the files to a FAT32
partition (which doesn't support the ADS feature of NTFS) and then copy
them back; however, you will lose all permissions on the files (and
recreate them when copying back to the NTFS partition). SysInternals'
streams command let you do it via 'streams -s -d C:\' form the command
line (the -d parameter delete the alternate streams).

--
__________________________________________________
*** Post replies to newsgroup. Share with others.
*** Email: lh_811newsATyahooDOTcom
*** and "=NEWS=" must be appended to the Subject.
__________________________________________________
 
AdAware 6.181 will still be supported for another 90 days, including ref
file updates, according to one of the AdAware forum threads. I think I'll
stick with that version untill they get their SE sorted out.
Click to expand...

Is SE free or is it shareware?

Roland
 
There's no mention of ADS for
TDS-3, either, (http://tds.diamondcs.com.au/) but posters did mention
that it could view and delete them. Of course, neither of these are
free or include a free version, just trial versions.
Click to expand...

They don't mention many of the useful things that are possible with TDS-3.

They come as a nice surprise when you use it. TDS-3 certainly does find
ADS, and lets you examine what's going on in them too. Get's rid of them,
if you want, but consequences may be unpredictable.

Cheers,

Roy
 
Heather said:
file updates, according to one of the AdAware forum threads. I think I'll
stick with that version untill they get their SE sorted out.
Hi Ian......

I was just checking Lavasoft Forum & the MS ng's and this is the official
explanation......and note that as of 5 pm Aug 10, version 1.02 was not yet
available for download......I checked Download.com and Major Geeks and it
was version 1.01.

Explanation from "Easter".......

OK, it is been thorougly reviewed & agreed upon that a complete new
Download
is a required upgrade to 1.02 for accurately addressing the webupdate
issues
that have recently been reported.

This is due to an issue where the original definitions file remain after
updating to the new one.
unquote........

Like yourself, I rarely rush out to get the newest version of anything and
prefer to let others do the 'beta testing' (VBG). Usually AdAware is
OK.....but Zone Alarm is awful and I stay at least 2 or 3 version behind
the
current one. I hear that the Version 5.xxx ones are causing some
problems.....I will stay with the 4.xxx one.

Cheers......Heather
Click to expand...

Can't figure out what to snip here so I'll leave the post whole. Seems that
AdAware now has version 1.03 out.

http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

I experienced the Zonealarms thing, couldn't figure out why one PC wouldn't
run a chkdsk, googled it and lo and behold...

Another Ian
 
AkHibby said:
Can't figure out what to snip here so I'll leave the post whole. Seems
Click to expand...
that AdAware now has version 1.03 out.
http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

I experienced the Zonealarms thing, couldn't figure out why one PC
Click to expand...
wouldn't run a chkdsk, googled it and lo and behold...
Another Ian
Click to expand...

Wow.....Alaska is slow at getting news groups (VBG)......I forgot what this
was all about. But I have version 1.03 and it seems to be all right. Just
testing it out.

Cheers from Ontario......Heather
 
Heather said:
that AdAware now has version 1.03 out.
wouldn't run a chkdsk, googled it and lo and behold...

Wow.....Alaska is slow at getting news groups (VBG)......I forgot what
this
was all about. But I have version 1.03 and it seems to be all right.
Just
testing it out.

Cheers from Ontario......Heather
Click to expand...
Just back from the slope is all, still no snow even there (usally it's there
and sticking by now)....

I omitted looking at the date when I replied, happens sometimes ;~)

Cheers from Anchorage
Ian in shorts still <G>
 
Back
Top