Alternate Data Stream Problems

I’m starting a new thread about this topic because the old one (here) seems to have stalled and I also wanted to post again another ADS problem I’ve encountered.

All in all, it seems that my computer has alternate data streams for some of my files and they are causing a miscount for the number of files scanned. (I’ve looked into it briefly and found that some of the streams were put there by Internet Explorer when I downloaded files and some were put there by Kaspersky Anti-Virus). I understand the importance of scanning the ADSs since they can be used maliciously to attach nasty things to legitimate files. However, couldn’t one argue that these ADSs shouldn’t be added to the file count? After all, they aren’t separate files, but rather an extension of the data…

Or, maybe avast! could keep a separate count for files and ADSs?

After looking into this a bit more, I think I have stumbled on another potential avast! fault. I’ve been scanning this one particular .pdf file I have with the modified version of ashQuick.exe that was posted in the thread I referenced above, and avast! displays this:

Scanning: <.pdf file>\UnnamedStream_1

In fact, the screenshots posted in the original thread also show a stream called “UnnamedStream_1”. However, I have analyzed that .pdf file with two separate ADS viewers (LADS and the Windows Shell Extension) and neither one shows any streams in that file. Any ideas?

Anyone have any ideas?

I don’t think the “Scan count” is such an important thing to create separate categories for it. I mean, it doesn’t say much about the scan progress and results - you can install one program with a comprehensive CHM help file, and the scan count may grow by tens of thousands. So, I’d consider this number to have rather low relevance.

Regarding the UnnamedStreams - well, actually avast! doesn’t scan only the “Alternate data streams”, but also other types of streams (“blocks”) associated with the file (that are ignored by the other tools). It is possible that these blocks might be safely excluded from the scanning since they couldn’t be abused for anything (the change in program code would be very simple). Unfortunately, there is no documentation about the (meaning or usage of the) additional blocks - so it’s rather hard to say whether to scan them or not. Personally, I’d find it safer to keep it this way.
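An added example, not part of either post above, showing how a defender could keep the separate count of files and alternate data streams that the first post asks for, and list any stream that is not the Zone.Identifier marker Internet Explorer writes on downloads. It assumes PowerShell 3.0 or later on an NTFS volume, and the directory path is a placeholder. As the reply explains, Get-Item -Stream only enumerates $DATA streams, so the other attribute types avast! reports as UnnamedStream_N will not appear here.

```powershell
# Added example: inventory files and their named $DATA streams separately.
# Get-Item -Stream * lists only $DATA streams; other NTFS attribute types
# (what avast! shows as "UnnamedStream_N") are not visible through this API.
function Get-AdsInventory {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        # Streams considered benign; Zone.Identifier is the browser download marker
        [string[]] $KnownStreams = @('Zone.Identifier')
    )

    $fileCount   = 0
    $streamCount = 0
    $unexpected  = @()

    $files = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $fileCount++
        # ':$DATA' is the unnamed primary stream, i.e. the file content itself,
        # so it is excluded from the alternate stream count.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $streamCount++
            if ($KnownStreams -notcontains $s.Stream) {
                $unexpected += [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $s.Stream
                    Length = $s.Length
                }
            }
        }
    }

    [pscustomobject]@{
        Files             = $fileCount
        AlternateStreams  = $streamCount
        UnexpectedStreams = $unexpected
    }
}

# Usage with a placeholder path; files and streams are reported as two numbers.
$report = Get-AdsInventory -Root 'C:\Users\<you>\Downloads'
'{0} files, {1} alternate data streams' -f $report.Files, $report.AlternateStreams
$report.UnexpectedStreams | Format-Table -AutoSize

# To see what a downloaded file's Zone.Identifier stream actually holds:
# Get-Content -LiteralPath 'C:\path\to\file.pdf' -Stream Zone.Identifier
```

Any stream listed under UnexpectedStreams is worth a look, since a named $DATA stream on an ordinary document is not something Windows creates on its own.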