ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

NTFS Alternative data stream found in a folder when it has the archiving attribute #758

Open elvarb opened 8 years ago

elvarb commented 8 years ago

OSSEC HIDS reports this

OSSEC HIDS Notification.
2016 Mar 04 09:06:00

Received From: (elvarx1) any->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

NTFS Alternate data stream found: 'C:\Program Files/7-Zip:Win32App_1'. Possible hidden content.

In this and a few other folders.

I have confirmed that no alternative data streams are set with

gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'

The folders that OSSEC HIDS finds have one thing in common: they have the "a" attribute set on them.

PS C:\Program Files> get-item .\7-Zip\ | select mode

Mode
----
da----

This can be seen also in the properties for the folder under advanced, there "Folder is ready for archiving" is ticked.

Is this a bug in the client? And if so, is it properly tracking alternative data streams at all?

infolookup commented 7 years ago

Was this ever resolved, or was it just chalked up to a false positive? I am seeing the same thing as well.

dougburks commented 7 years ago

Perhaps related? https://superuser.com/questions/1199464/alternate-data-stream-win32app-1-attached-to-a-large-number-of-folders

elvarb commented 7 years ago

@dougburks Definitely the same; very strange that this is being created constantly. So the real question should be: how can we weed out those valid streams from the scans?
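One way to triage such an alert on the host before tuning anything, as an added example that is not part of the thread or the OSSEC project: re-check the reported path with `Get-Item -Stream`, drop the unnamed `:$DATA` stream, and mark the stream the thread discusses (`Win32App_1`) as known-benign so only unexpected streams are left for review. It assumes PowerShell 3 or later and that the script runs on the Windows host where rootcheck fired.

```powershell
# Added example, not the OSSEC project's code. Assumes PowerShell 3+ (Get-Item -Stream)
# and that it runs on the host that produced the rootcheck alert.
function Get-AdsReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Stream names considered expected on this host. Win32App_1 is the one from
        # this thread; extend the list for your own environment.
        [string[]]$KnownBenign = @('Win32App_1')
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    # ':$DATA' is the unnamed default stream of every file; it is not an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $Path
                IsDirectory = $item.PSIsContainer
                Stream      = $_.Stream
                Length      = $_.Length
                Verdict     = if ($KnownBenign -contains $_.Stream) { 'known-benign' } else { 'review' }
            }
        }
}

# Pull the path and stream name out of the rootcheck message so the exact alert
# can be re-checked. Rootcheck writes them as 'path:StreamName'; the stream
# separator is the last colon (the drive letter colon comes earlier).
function Test-RootcheckAdsAlert {
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -notmatch "NTFS Alternate data stream found: '(.+)'") {
        throw "Not an ADS rootcheck message"
    }
    $full   = $Matches[1]
    $idx    = $full.LastIndexOf(':')
    $path   = $full.Substring(0, $idx)
    $stream = $full.Substring($idx + 1)

    $hit = Get-AdsReport -Path $path | Where-Object Stream -eq $stream
    if (-not $hit) {
        # The stream may be transient (created and removed again), which matches
        # the "being created constantly" observation in the thread.
        "Stream '$stream' is no longer present on $path"
    } else {
        $hit
    }
}

# Constructed sample input: the message quoted in the first post of this issue.
Test-RootcheckAdsAlert -Message "NTFS Alternate data stream found: 'C:\Program Files/7-Zip:Win32App_1'. Possible hidden content."
```

Feed it the "Portion of the log(s)" line from each alert; anything that comes back with Verdict `review` is worth a closer look, while `known-benign` hits are candidates for a local rule override.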