Interesting link....

The other day we had a discussion on the virus and worms if a 0 byte file could hold maware? Because of possible *rootkit action, and if empty system files should be left untouched (yes because of it being necessary to place them back later, you better leave them). Then I found this very interesting link full of great info, the owner does not want us to give quotations of material, just because it can be outdated as it is given, so I just give the source link here:

http://www.heysoft.de/en/information/registry-security.php
http://www.heysoft.de/en/information/ntfs-ads.php
http://www.heysoft.de/en/information/eventlog-1.php
http://www.heysoft.de/en/information/eventlog-2.php

pol

Yes a 0 byte size can be deceptive as the alternative data stream (ads) can be huge and you would never know it. avast should however scan the alternative data stream in ntfs format.