Kaspersky ALERT OVER KAVICHS

DasFox

Diamond Member
Sep 4, 2003
4,668
46
91
I was considering Kaspersky for a antivirus program until read these two things.

From Cnet User Review
Of my many complaints, the primary one is that Kaspersky invades your system by writing data (under the header of KAVICHS) onto every single file on every partition you have. And if you are unhappy with Kaspersky as I was and decide to uninstall it, the information stays embedded in all of your files and is not deleted. Kaspersky quietly provides a tool that is supposed to remove this data, but it is a time-consuming and irritating process if you have as many partitions and drives as I have. Kaspersky claims that the tags they add are informational only; however, I think the function of an antivirus program should be to prevent files being altered, not altering them itself.


From Kaspersky
I get a message about "KAVICHS" when deleting files.


Version 5.0 of Kaspersky Anti-Virus for Windows operating systems uses the technologies iChecker (for FAT32 partitions) and iStreams (for NTFS partitions). Because of these technologies each file is checked for viruses only once - during the first scan. During all subsequent scans the file is not scanned for viruses provided that it has remained unchanged since the last scan. Thus, the anti-virus program's performance increases drastically after the first file scan, compared to previous versions of Kaspersky Anti-Virus.

More detailed information about the iChecker and iStreams technologies can be found here: Technologies iChecker and iStreams: how they work?

The message about 'KAVICHS' on each NTFS file is informational. It means that Kaspersky Anti-Virus service information was written into the file's additional data stream. After uninstallation of Kaspersky Anti-Virus this information is not deleted, because it can be used by subsequent installations of Kaspersky Anti-Virus. If for some reason you would like to delete these ADS tags, you can use a special utility. The Klstreamremover.exe utility can clean the ADS tags of files located on NTFS partitions of the service information written by Kaspersky Anti-Virus.

To clean additional data streams (ADS tags) on NTFS partitions you need to do the following:

* download the packed utility Klstreamremover.zip and extract the file into the root folder of the partition where you plan to clean ADS
* run Klstreamremover.exe with the parameter -r (for example go to menu Start -> Run -> there type c:\klstreamremover.exe -r and press Enter)
* wait until the utility finishes working

Important: if there are several NTFS partitions on your computer, the steps described above will have to be done for each partition of your hard drive.
Important: you need to make sure Kaspersky Anti-Virus is uninstalled prior to running the utility.


I truly think I'll forget using Kaspersky now, and so should you, for having it alter every file on your computer; this is not the job of an antivirus.

P.S. LOOK what happened to my desktop after I uninstalled Kaspersky:

http://img119.imageshack.us/my.php?image=screenshot1gi.jpg
 

flashbacck

Golden Member
Aug 3, 2001
1,921
0
76
hmm. That can't be right, can it? What if you have hash sensitive files, won't that alteration change the hash?
 

TheLogLady

Member
Apr 11, 2001
60
0
0
I don't like this feature either, however you have the option to disable it during the installation process. When it asks "Use recommended settings", uncheck that box, then click next. On the subsequent window, uncheck the "use istreams technology" option.
 

DasFox

Diamond Member
Sep 4, 2003
4,668
46
91
Originally posted by: TheLogLady
I don't like this feature either, however you have the option to disable it during the installation process. When it asks "Use recommended settings", uncheck that box, then click next. On the subsequent window, uncheck the "use istreams technology" option.

AH HA, well I never noticed or paid any attention to that. Now that makes me wonder: do I want to install Kaspersky again if we don't have to use this, or do I want to use BitDefender now? Hmm.

Anyhow when I uninstalled Kaspersky it asked about wanting to remove the streams and I said yes, so you think all the files are back to normal now?

THANKS
 

TheLogLady

Member
Apr 11, 2001
60
0
0
Originally posted by: DasFox
Anyhow when I uninstalled Kaspersky it asked about wanting to remove the streams and I said yes, so you think all the files are back to normal now?

I'm sure they are, but if you want to be sure, you can test a few files using Sysinternals' Stream app. If you don't see a KAVICHS stream associated with these, then the KAV ADS were removed successfully.

Originally posted by: flashback
hmm. That can't be right, can it? What if you have hash sensitive files, won't that alteration change the hash?

Only if the application using the files reads the ADSs when it generates/calculates the file hash / CRCs. Most apps are never going to attempt to read anything other than the main data stream, as ADS streams are dropped whenever a file is transferred outside of a LAN (or to any non-NTFS filesystem in a LAN).

FYI, the next version of KAV (KAV 2006, in beta currently) does not use NTFS alternate data streams, but rather a checksum database.
 

DasFox

Diamond Member
Sep 4, 2003
4,668
46
91
TheLogLady, have you used Streams before? I mean, from what the usage says: streams [-s] [-d] <file or directory>, do I have to run it like streams -s -d Documents and Settings, i.e. do you have to run it on each and every directory or file one by one?

Or just put it in C: and just type streams -s -d and it will scan all of the C: drive?

THANKS
 

Anubis

No Lifer
Aug 31, 2001
78,712
427
126
tbqhwy.com
I'm using KAV AV Personal Pro 5.0.376 and I've never seen this, so I either disabled it on install and didn't remember, or for whatever reason it isn't an issue here. I add and delete files all the time.
 

evilharp

Senior member
Aug 19, 2005
426
0
0
More details:

iStreams technology was first implemented in the Kaspersky Anti-Virus 5.x product range almost two years ago and improves scanning performance. In basic terms, Kaspersky Anti-Virus products use NTFS Alternate Data Streams to hold checksum data about files on the user's system: if a checksum remains unchanged from one scan to another, Kaspersky Lab's products know the file has not been tampered with and do not, therefore, require a repeat scan.

NTFS Alternate Data Streams are not visible to the naked eye; special tools are required to view them. The fact that these data streams are not automatically visible does not mean technology which utilizes these streams is potentially exploitable or malicious.

Kaspersky Lab believes that the technology used is not vulnerable to exploitation for the following reasons:

1. If a Kaspersky Anti-Virus product is active, the streams are hidden and no processes (including system processes) have access to them.
2. If the product is disabled, the streams will be visible if viewed using the appropriate tools.
3. If a stream is rewritten with some (possibly malicious) data or code (for example, after rebooting in Safe Mode), when the system is next restarted, Kaspersky Anti-Virus will read the stream and not recognize the format. Kaspersky Anti-Virus will then begin to rebuild the checksum database. This means that potentially malicious code will be deleted.

Kaspersky Lab antivirus products utilize iStreams technology as it offers users a significant performance benefit.
Source: No 'rootkit' in Kaspersky® Anti-Virus

Our products do use a technology called iStreams, which is what Russinovich seems to be worried about. But this isn't a rootkit.

We started using iStreams technology a couple of years ago to improve scanning performance. Basically, this means that our products use NTFS Alternate Data Streams to hold checksum data about files on the user's system. If a checksum remains unchanged from one scan to another, KAV products know the file has not been tampered with and do not, therefore, require a repeat scan.
Source: Analyst's Diary - No rootkit in Kaspersky Anti-Virus

As a Kaspersky user, I can attest to the speed improvement when using iStreams (NTFS). In my experience, a full system scan (all files including e-mail, extended database) takes less than 1/3 of the time that the first full scan (after install) did.

If you don't like the idea of alternate data streams, consider this:

With regards to the issue of NTFS alternate data streams, remember that Microsoft makes use of this "technology", as well.
1. XP SP2 adds a "zoneID" ADS to files downloaded via IE or received as Outlook attachments.
2. Right-clicking on files and choosing "Properties", and then adding information to the Summary tab causes at least two ADSs to be created...as long as the file isn't an OLE structured storage file (then the information is saved in streams within the file).
3. The Indexing Service adds ADSs containing thumbnails of images.
Given that code can be run from within ADSs, it's relatively easy to rewrite the "zoneID" ADS to include malicious code. Yes, forensic analysis applications like ProDiscover and EnCase will "see" these ADS, but it's up to the analyst to know that something is wrong if the "zoneID" ADS is larger than 28 or so bytes.
NTFS ADSs are not inherently dangerous, but they can be used in a malicious manner. You're right that "special tools" are required to view ADSs, as Microsoft has yet to add ADS support to Windows Explorer.
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
Source: Comment on Viruslist.com in response to Analyst's Diary quoted above
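The scan-once logic that the Kaspersky knowledge-base text quoted in the first post and the Kaspersky statement above describe (hash each file on the first scan, skip it while the stored checksum still matches, throw the record away and rescan when the stored data is not in the expected format) is shown below as an added Python example. It is not code from Kaspersky or from anyone in this thread. It keeps the records in a JSON side database, the approach TheLogLady says KAV 2006 moved to, rather than in a per-file NTFS stream, so it runs on any operating system; the names ScanCache, scan_tree, RECORD_VERSION and the sample files are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile

# Constructed format tag: a record that lacks it is treated as "not our format".
RECORD_VERSION = 1


def file_digest(path):
    """SHA-256 of the file's main data stream, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ScanCache:
    """Per-file 'already scanned' records, stored in one JSON side database.

    Kaspersky 5.x kept an equivalent record per file in its KAVICHS alternate
    data stream on NTFS; the decision logic is the same either way.
    """

    def __init__(self, db_path):
        self.db_path = db_path
        self.records = {}
        self.rebuilt = 0  # records dropped because they were not in our format
        try:
            with open(db_path, "r", encoding="utf-8") as f:
                raw = json.load(f)
        except (OSError, ValueError):
            raw = {}  # missing or unparseable database: start from scratch
        if not isinstance(raw, dict):
            raw = {}
        for path, rec in raw.items():
            if (isinstance(rec, dict) and rec.get("v") == RECORD_VERSION
                    and isinstance(rec.get("sha256"), str)):
                self.records[path] = rec
            else:
                self.rebuilt += 1  # foreign or tampered record: discard, file is rescanned

    def needs_scan(self, path):
        """True when there is no valid record or the file's content has changed."""
        rec = self.records.get(path)
        return rec is None or rec["sha256"] != file_digest(path)

    def mark_scanned(self, path):
        self.records[path] = {"v": RECORD_VERSION, "sha256": file_digest(path)}

    def save(self):
        with open(self.db_path, "w", encoding="utf-8") as f:
            json.dump(self.records, f)


def scan_tree(root, cache, scanner):
    """Run scanner(path) on every file under root without a valid, matching record.

    Returns (scanned, skipped) counts and persists the cache.
    """
    scanned = skipped = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if cache.needs_scan(path):
                scanner(path)
                cache.mark_scanned(path)
                scanned += 1
            else:
                skipped += 1
    cache.save()
    return scanned, skipped


def demo():
    """Constructed walk-through: first scan, cached rescan, one modified file, tampered records."""
    def engine(path):
        pass  # stands in for the expensive signature scan of one file

    results = {}
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "data")
        os.mkdir(root)
        db = os.path.join(work, "scan-db.json")
        for i in range(3):
            with open(os.path.join(root, f"file{i}.txt"), "w", encoding="utf-8") as f:
                f.write(f"sample content {i}\n")
        results["first"] = scan_tree(root, ScanCache(db), engine)     # every file is new
        results["second"] = scan_tree(root, ScanCache(db), engine)    # nothing changed
        with open(os.path.join(root, "file1.txt"), "a", encoding="utf-8") as f:
            f.write("appended\n")
        results["modified"] = scan_tree(root, ScanCache(db), engine)  # only file1 is rescanned
        # Overwrite every record with data in an unknown format (item 3 of the Kaspersky
        # statement): the records are discarded and the whole tree is scanned again.
        paths = list(ScanCache(db).records)
        with open(db, "w", encoding="utf-8") as f:
            json.dump({p: "not a scan record" for p in paths}, f)
        cache = ScanCache(db)
        results["tampered"] = (cache.rebuilt, scan_tree(root, cache, engine))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The cache only ever stores a digest of the main data stream, so it answers flashbacck's question in the same way TheLogLady does: a record that lives next to the file (in a side database or in an ADS) does not change what a hashing tool reading the main stream sees. Whether a given installation actually left a KAVICHS stream behind is a separate check, which is what the Sysinternals Streams tool mentioned above is for.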
 

DasFox

Diamond Member
Sep 4, 2003
4,668
46
91
Well, what else are we saying: that besides faster scans with Streams, this is also beneficial for rootkits and the like?

THANKS
 

Hersh

Senior member
Oct 14, 1999
331
0
0
Is there a way to remove this without getting Kaspersky uninstalled?

I have 5.x installed and haven't noticed any problems, nor do I find the feature intrusive (since I didn't know about it and I didn't lose any productivity) - although I was wondering how my entire computer was being scanned so quickly compared to other antivirus applications I've tried.

But thanks for the information anyway.
 

Velk

Senior member
Jul 29, 2004
734
0
0
Originally posted by: DasFox
Well, what else are we saying: that besides faster scans with Streams, this is also beneficial for rootkits and the like?

No, it's saying that if, for example, Kaspersky were evil they could write viruses into those streams instead of file checksums.

Of course, if they were evil, it's unlikely they would bother, and would just infect all your files with a normal virus anyway 8)


 

ChiBOY83

Senior member
Dec 28, 2004
517
0
0
You can EASILY turn this off in the settings. THIS was a situation that Kaspersky FIXED a long time ago 'cuz ppl were complaining about it a long time ago...... PLEASE, stop scaring everyone w/ old information that is inaccurate for current versions of Kaspersky
 

imported_obsidian

Senior member
May 4, 2004
438
0
0
Originally posted by: Velk
No, it's saying that if, for example, Kaspersky were evil they could write viruses into those streams instead of file checksums.

Of course, if they were evil, it's unlikely they would bother, and would just infect all your files with a normal virus anyway 8)
No, if Kaspersky were evil they could have their automatic update install viruses. People worried about this are seriously paranoid.