Vulnerability Development mailing list archives

RE: How to hide a file ?


From: Ed Moyle <emoyle () scsnet csc com>
Date: Wed, 09 Jan 2002 09:04:23 -0500

On Tuesday, January 08, 2002 15:35 Pedro Quintanilha wrote:

I'm curious... Will the stream associated to the file follow the
attributes of that file, like encryption (EFS) or auto-compression?

I can't speak for compression, but I did some investigation of this with EFS a while back, and it *looks* like the encrypted attribute is preserved on other streams (although more testing would be required for a thorough test.) The test methodology I used, though basic, seems to reflect the honoring of the encrypted attribute. I tested as follows under Win2k:

-created a file under non-administrator user account A
-added alternate stream to file under account A (ensure ACL = Everyone/Full Control)
-applied encrypted attribute
-logged in under non-administrator user account B
-attempted read of parallel stream created in step 2

I was given the same error message as occurs with the primary stream.
Note a more thorough test would attempt to read the disk buffers directly to determine if the data was plaintext or 
ciphertext.  Due to time constraints on the project I was working on, I didn't do this...

If it occurs, the ADS CONTENT cannot be analyzed too... in other words,
a possible virus cannot be detected on that.

There is discussion of this, as well as a utility to determine if a particular AV product picks up a virus in an ADS in 
http://www.diamondcs.com.au/streams/streams.htm.
-E
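
The five-step test described in the message above, written as a script for repeating it on a current system. This is an added example, not part of the original post: it assumes Windows PowerShell 3.0 or later on an NTFS volume with EFS available (not the Win2k tooling the post used), and the file path, stream name and `-Phase` parameter are hypothetical.

```powershell
# Added example: repeat the EFS / alternate-data-stream access test.
# Run with -Phase Setup as account A, then with -Phase Verify as account B.
param(
    [ValidateSet('Setup', 'Verify')]
    [string]$Phase = 'Setup',
    [string]$Path = 'C:\Temp\efs-ads-test.txt',  # hypothetical; B must be able to reach the folder
    [string]$StreamName = 'side'                 # hypothetical alternate stream name
)

if ($Phase -eq 'Setup') {
    # Steps 1 and 2: create the file, then add an alternate stream to it.
    Set-Content -Path $Path -Value 'primary stream data'
    Set-Content -Path $Path -Stream $StreamName -Value 'alternate stream data'

    # Everyone / Full Control, so a later denial cannot be blamed on the ACL.
    # *S-1-1-0 is the well-known SID for Everyone (independent of OS language).
    icacls $Path /grant '*S-1-1-0:F' | Out-Null

    # Step 3: apply the encrypted attribute (EFS).
    [System.IO.File]::Encrypt($Path)

    $item = Get-Item -Path $Path
    $isEncrypted = [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)
    "Encrypted attribute set: $isEncrypted"

    # List every stream on the file so the alternate stream is confirmed present.
    Get-Item -Path $Path -Stream * | Select-Object Stream, Length
}
else {
    # Steps 4 and 5: as account B, attempt to read each stream and compare results.
    $reads = [ordered]@{
        'primary'   = { Get-Content -Path $Path -ErrorAction Stop }
        $StreamName = { Get-Content -Path $Path -Stream $StreamName -ErrorAction Stop }
    }
    foreach ($name in $reads.Keys) {
        try {
            $null = & $reads[$name]
            "{0} stream: READABLE" -f $name
        }
        catch {
            "{0} stream: DENIED ({1})" -f $name, $_.Exception.Message
        }
    }
}
```

Like the test in the post, this checks access through the file system API only; it does not read the disk directly to see whether the stream data is stored as ciphertext.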

