ADS/rootkit files

Discussion in 'Off Topic Discussion' started by SugarCayne, Oct 12, 2014.

  1. SugarCayne New Member

    Hi there, I posted this over on Landmark, because it is likely monitored more than here, but will post here too since maybe someone has an answer:

    Hi there,

    I just wanted to ask a quick question about ADS files associated with SOE products. I just ran a scan on my system for rootkits and it came back with literally hundreds of files saying "ADS unknown" and flagged under rootkit query.

    Now when I search on "unknown ADS" I get this:

    http://www.windowsecurity.com/articles-tutorials/windows_os_security/Alternate_Data_Streams.html

    .. which makes it pretty close to a rootkit:

    http://en.wikipedia.org/wiki/Rootkit

    Here's just a partial screenshot of the results I got back from my scan:


    I also have read enough to know that some ADS files are harmless, but I'm concerned since they do provide a doorway .. and the literally 600 or so files that came back from the scan were from SOE products -- Landmark, DC Universe, EQ2, etc ... not a single file from any other software or gaming product.

    Please help? It's stressing me out.

    Thanks!
  2. Sisca Well-Known Member

    I'm not sure why those are being flagged as ADS files so hopefully someone with more info can chime in on that part.

    The .dds files are graphics files, primarily particle effects type stuff, used by pretty much any DirectX game. See This Article over on File Info for details.

    The .xml files are even more baffling since .xml is a well known standard and any of those files could be looked at with a standard text editor. My only guess is that those .xml files are what is actually loading the .dds files which is causing your program to flag them as well.

    Just curious, what program did you run to scan your system and where did you download it from?
  3. SugarCayne New Member

    Search and Destroy. Reliable program. Just got a 2.0 version update and it included rootkit scan, so I did it ..

    Yes xml files shouldn't be flagged, unless they were altered, according to that link I posted in the OP. And if they were altered remotely -- why?

    Thanks for the post. Feel a tiny bit better, but still would like clarification if at all possible :)
  4. Sisca Well-Known Member

    Since you're saying that all of the files were from SoE products I have to ask are you using the streaming clients or the full download. I'm not sure about DCUO but I know that EQ2 defaults to the streaming client if you just go to the download link from the main site.

    I'm pretty sure that Landmark is also using the streaming version of the client and I'm honestly not sure if you can get a full download version of that since the game zones change even as you're playing.

    If it's the streaming client that may be what's causing the issues since the program could see these files getting modified on the fly and figure that something malicious is causing it.
  5. Atan Well-Known Member

    That would be my guess as well, that it's getting flagged due to the streaming clients.

    However, SOE products are not unique in this regard either.
  6. Shawn v01 Member

    I wouldn't really worry too much about them being flagged.
    If you want to be triple sure you're not infected with malicious code, run a few other programs like ASC7, Malware Bytes, and scan with another virus scan (free or 30 day premium trial version) and see if they're brought up or flagged. If all programs flag your files, then you might want to do a fresh install of the game.

    If you can, run SnD in safe mode with command prompt (just type explorer.exe in the command window) launch SnD, scan, and if those files are flagged again, try using another virus scan software set to aggressive/high sensitivity. If you're using advanced heuristic "sniffing" on SnD, that could explain the outburst of rootkit detection.

    I've used Norton 360 (full version), no root kits or viruses.
    I've used AVG 2014 (free trial version), no root kits or viruses.
    I've also used Avast and Kaspersky, false positive on Malware Bytes and ASC7, but not the games.

    I wouldn't fret too much. It could just be SnD's "sniffer" reading too much into the game's rootkits.
    Also, I downloaded the full version of EQ2 and Landmark, nothing appears.

    Just triple check to be on the safe side.
  7. Palarran Member

    Alternate Data Streams are just an infrequently-used feature of NTFS, the file system used by Windows. They allow, as the name suggests, additional data to be attached to files that isn't visible without using special tools. Malware may use it to try to hide infected code, but there are plenty of legitimate uses as well.

    If I remember right EQ2 uses alternate data streams to store file checksums; the patcher compares these checksums with what the patch server says the file checksums should be, and then (re-)downloads any files where the checksums don't match.

    (Edit: The report shows that the alternate data stream's name in each case is "crc". "CRC" stands for Cyclic Redundancy Check, which is a type of checksum.)

    More information on Alternate Data Streams: http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx
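Editor's added example (not a post from the thread, and not SOE's patcher code): a triage script for the situation Palarran describes. It walks a game directory, opens each file's "crc" alternate data stream (the stream name seen in the report), recomputes the CRC-32 of the file's main stream and reports whether they agree. The encoding of the stored checksum is not documented in the thread, so the script assumes it is either four raw bytes (either byte order) or eight hex digits and tries all three; any stream too large to be a checksum is flagged for manual inspection, since that is the case where an ADS could actually be hiding a payload. Opening `path:crc` works only on NTFS under Windows; elsewhere the walk finds no streams, but the pure helpers still run.

```python
"""Triage NTFS alternate data streams named "crc" under a game install.

Editor's example, not code from the thread or from SOE. Assumptions:
  * the stream is named "crc" (the stream name shown in the scan report);
  * it stores a CRC-32 of the file's main stream as 4 raw bytes
    (little- or big-endian) or as 8 hex digits -- the real layout is not
    documented here, so all three readings are tried.
"""
import os
import struct
import sys
import zlib

STREAM_NAME = "crc"       # assumed stream name, taken from the report
SUSPICIOUS_BYTES = 64     # a "checksum" bigger than this is not a checksum
CHUNK = 1 << 20


def candidate_crcs(stream: bytes) -> set:
    """Every CRC-32 value a short stream could encode under the assumed layouts."""
    out = set()
    if len(stream) == 4:
        out.add(struct.unpack("<I", stream)[0])
        out.add(struct.unpack(">I", stream)[0])
    text = stream.strip()
    if len(text) == 8:
        try:
            out.add(int(text, 16))
        except ValueError:
            pass
    return out


def stream_matches(crc: int, stream: bytes) -> bool:
    """True if the stream encodes crc under any of the assumed layouts."""
    return (crc & 0xFFFFFFFF) in candidate_crcs(stream)


def crc32_of_file(path: str) -> int:
    """CRC-32 of the file's main (unnamed) stream, computed in chunks."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def read_stream(path: str):
    """Bytes of path:crc, or None when the file has no such stream."""
    try:
        with open(f"{path}:{STREAM_NAME}", "rb") as fh:
            return fh.read()
    except OSError:
        return None


def classify(crc: int, stream) -> str:
    """Label one file for the triage report."""
    if stream is None:
        return "no-crc-stream"
    if len(stream) > SUSPICIOUS_BYTES:
        return "oversized-stream"   # inspect by hand: could be hidden content
    return "crc-ok" if stream_matches(crc, stream) else "crc-mismatch"


def triage(root: str) -> dict:
    """Walk root, count files per label, print the ones worth a second look."""
    counts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                label = classify(crc32_of_file(path), read_stream(path))
            except OSError:
                continue
            counts[label] = counts.get(label, 0) + 1
            if label in ("oversized-stream", "crc-mismatch"):
                print(label, path)
    return counts


if __name__ == "__main__":
    print(triage(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it as `python ads_triage.py "C:\Games\EverQuest II"`. A result that is almost entirely `crc-ok` with a handful of `crc-mismatch` (files the patcher has not yet refreshed) is consistent with the checksum explanation; an `oversized-stream` hit is the one result that actually warrants opening the stream with a hex viewer or submitting the file to a scanner.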
  8. Shawn v01 Member

    Definitely did your research :)
    Seems that with today's patch, a lot of people are having their AV flagged, and a few other "safeguards" put into play.