If you’re manually checking a PC for malware then you could browse a folder in Explorer, look at file names, sizes, maybe open anything suspect to see what it contains. But you might be missing something…
Drives formatted using NTFS store file information in attributes. The contents of a file are stored in the $DATA attribute, and that’s what you’ll see in Explorer, and view when you open the file in an application.
The problem is that a file’s $DATA attribute can have alternate data streams which aren’t visible in Explorer, or most other file management tools. That zero-byte .tmp file could actually hold a series of executable files and a huge database without you ever realising.
This isn’t necessarily a bad thing, as alternate data streams have many legitimate uses. Internet Explorer creates a Zone.Identifier for its downloads, for instance, to record the source. If you try to open something later, Windows can check the Zone.Identifier, see it’s a web download, and warn you to take extra care.
Alternate data streams can also be used by malware to conceal information, though. StreamArmor is a free tool which scans NTFS drives, lists any alternate data streams it finds, and highlights anything unusual.
Getting started is as easy as specifying a drive and clicking “Start Scan”. You will have to be patient, though– the scanning process requires checking every single file, which can take a very long time, maybe several minutes.
Streams are displayed as they’re found, along with key details like the file name, path, creation date, stream size and (if known) stream type: EXE, archive, icon and more.
Standard streams of a known type, like IE’s Zone.Identifier, are displayed in green to show they’re safe.
Unknown streams get different colour codings to indicate that they “need analysis”, are “suspicious” or “Dangerous”. None of these are necessarily harmful, just a sign that you need to investigate further.
For example, we found a couple of “dangerous” streams which contained executable code. Seems worrying, but the file name was “update”, the path pointed to a trusted application which had just auto-updated itself, and after rebooting the file had gone. It looks like the stream usage was just an ordinary part of that application’s update process.
Look for similar indicators for streams on your own system. Large streams, maybe in temporary or system folders, or containing executable files might be suspicious; if they’re just a few byes, in a trusted application folder, perhaps only containing an icon, they’re probably safe.
If you can’t decide, right-click a stream and you’re able to have it scanned by VirusTotal, or saved as a separate file for analysis elsewhere.
You can delete a stream, too, although that’s best left as a last resort. If the stream is being used legitimately then the process involved probably won’t expect it to disappear, and removing it might cause all kinds of unexpected issues.
Overall, StreamArmor offers a convenient way to scan your PC for hidden data. There are similar tools around, but its ability to highlight “unusual” streams and do something about them (save or scan them online) makes it better than most. Take a look.
StreamArmor is a free application for Windows XP and later.