Sentinel
Premium Member
join:2001-02-07
Florida

Sentinel

Premium Member

What is $extend?

I just ran an anti-virus scan and saw this in my log...

* avast! Scan Report
* This file is generated automatically
*
* Scan name: Full system scan
* Started on: Monday, September 23, 2013 10:04:43 AM
* VPS: 130923-0, 09/23/2013
*

C:\$Extend\$RmMetadata\$TxfLog\$Tops [E] Access is denied (5)
C:\pagefile.sys [E] The process cannot access the file because it is being used by another process (32)
Infected files: 0
*

OK, so I have a few questions.

1. What is this file and is it dangerous?
2. Why can't I see the entire $extend folder? (I have settings set to show system files)
3. How come I have never seen this in my log before if it has always been there and is not dangerous?

ZZZZZZZ
Premium Member
join:2001-05-27
PARADISE

ZZZZZZZ

Premium Member

»msdn.microsoft.com/en-us ··· 85).aspx

looks like a stream file.

StuartMW
Premium Member
join:2000-08-06

1 recommendation

StuartMW to Sentinel

Premium Member

to Sentinel
said by Sentinel:

2. Why can't I see the entire $extend folder? (I have settings set to show system files)

Because it's a special (meta) file in NTFS.
Sentinel
Premium Member
join:2001-02-07
Florida

Sentinel

Premium Member

Interesting. I never heard of these before. So there are a whole bunch of files that we can't see at all even though we change the setting to show all files including system files? Nice. So we have no way of seeing what is actually on our systems.

OK, so that (kinda) answers # 1 and 2, but what about #3? Why have I never seen this before in an anti-virus scan? Were they not there before or has the AV program changed and can now see them?

dib22
join:2002-01-27
Kansas City, MO

dib22

Member

said by Sentinel:

Why have I never seen this before in an anti-virus scan?

Did you change from an admin user to a limited user recently?

norwegian
Premium Member
join:2005-02-15
Outback

1 edit

norwegian to Sentinel

Premium Member

to Sentinel

said by Sentinel:

Were they not there before or has the AV program changed and can now see them?

Because quite often what the scanner does and what you see are 2 different things.
Considering streams in the past bypassed Avast protection, I'd say they have been scanning it for some time with no end user knowledge.

Maybe an engine and definitions update needs it to show more stream content for detection, troubleshooting or something else?

You would need to ask the makers about the whys and why-nots of the program and its functions.
Sentinel
Premium Member
join:2001-02-07
Florida

Sentinel to dib22

Premium Member

to dib22
Nope. Same settings as always.
Does everyone else see these files? For those of you that use the same AV as me, do you see these log entries too? If so then I'll feel more comfortable.

lordpuffer
Legalize It Joe!
Premium Member
join:2004-09-19
Old Town, ME
Nokia XS-110G-A
Linksys Velop MX5300

1 edit

1 recommendation

lordpuffer

Premium Member

said by Sentinel:

Does everyone else see these files? For those of you that use the same AV as me, do you see these log entries too? If so then I'll feel more comfortable.

I just ran a full system scan on my Win 7 64 bit, Home Premium PC using avast! Pro Antivirus.

There were no results in the log indicating $Extend. Basically, it found nothing.
dave
Premium Member
join:2000-05-04
not in ohio

1 recommendation

dave to Sentinel

Premium Member

to Sentinel
All file systems have files in which they store the data that the file system needs to be a file system: file-to-block maps, free space maps, dates and times, permissions, .... nothing to be alarmed about.

(If you like to tie your brain in knots, the list of files is a file that can be looked up in the list of files)

Generally speaking, NTFS does not expose the metadata files. But something seems to have happened recently; this is the second posting I've seen here about $Extend. New bug?
dave

dave to ZZZZZZZ

Premium Member

to ZZZZZZZ
said by ZZZZZZZ:

looks like a stream file

It's a file called $Tops that is in a directory called $TxfLog which is in a directory called $RmMetadata which is in a directory called $Extend. No sign of any named stream.

It's evidently (by its name) something to do with transactional operations, probably transactional NTFS.
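
An added example, not part of the original thread and not Avast's own tooling: a small Python triage of the `[E]` lines in a scan report like the one in the first post, separating reserved NTFS metafile paths and locked system files from entries that deserve a closer look, and checking for a named stream the way the reply above does by eye. The metafile and locked-file name lists and the last two sample lines are assumptions made for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Reserved NTFS metafile names in a volume root. $Recycle.Bin also starts
# with '$' but is an ordinary folder, so a plain prefix test is not enough.
NTFS_METAFILES = {"$mft", "$mftmirr", "$logfile", "$volume", "$attrdef", "$bitmap",
                  "$boot", "$badclus", "$secure", "$upcase", "$extend"}
LOCKED_SYSTEM_FILES = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}
ACCESS_DENIED, SHARING_VIOLATION = 5, 32  # Win32 codes printed in parentheses
LINE = re.compile(r"^(?P<path>.+?) \[(?P<flag>[A-Z])\] (?P<msg>.+) \((?P<code>\d+)\)$")

def has_named_stream(path):
    """True if the path names an alternate data stream (':' after the drive spec)."""
    return ":" in path[2:]

def classify(path, code):
    """Judge by name and error code only; file contents are never inspected."""
    if has_named_stream(path):
        return "review"
    parts = PureWindowsPath(path).parts  # ('C:\\', '$Extend', '$RmMetadata', ...)
    if len(parts) < 2:
        return "review"
    root_entry = parts[1].lower()
    if root_entry in NTFS_METAFILES and code == ACCESS_DENIED:
        return "ntfs-metadata"
    if len(parts) == 2 and root_entry in LOCKED_SYSTEM_FILES and code == SHARING_VIOLATION:
        return "locked-system-file"
    return "review"

def triage(report):
    """Return (path, code, verdict) for every [E] line in a scan report."""
    results = []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m and m["flag"] == "E":
            code = int(m["code"])
            results.append((m["path"], code, classify(m["path"], code)))
    return results

# First two lines come from the report in this thread; the next two are constructed.
SAMPLE = r"""C:\$Extend\$RmMetadata\$TxfLog\$Tops [E] Access is denied (5)
C:\pagefile.sys [E] The process cannot access the file because it is being used by another process (32)
C:\$Recycle.Bin\S-1-5-21-0\$R1.exe [E] Access is denied (5)
C:\Users\Public\notes.txt:hidden [E] Access is denied (5)
Infected files: 0"""

if __name__ == "__main__":
    for path, code, verdict in triage(SAMPLE):
        print(f"{verdict:20} {code:>3}  {path}")
```
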
Sentinel
Premium Member
join:2001-02-07
Florida

Sentinel to dave

Premium Member

to dave
lordpuffer,
Interesting to me that your AV did not show the file listed as being denied. Either means that you don't have that file, or it is not access denied on your machine. Either way that is odd to me.

dave,
Good to hear that I am not the only one. That does make me feel better. I'm not worried about it yet. Just trying to understand it better. I get uneasy when I don't change anything and something changes. Something somewhere must have changed; either the way it sees things, reports things or allows things to be seen or something, I'm guessing.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to dave

Premium Member

to dave
said by dave:

...this is the second posting I've seen here about $Extend.

If I've kept up with topics, the other was about 7-Zip's low level access?
»[WIN7] What are these folders?
psloss
Premium Member
join:2002-02-24

psloss to dave

Premium Member

to dave
said by dave:

Generally speaking, NTFS does not expose the metadata files. But something seems to have happened recently; this is the second posting I've seen here about $Extend. New bug?

Given this thread started with a security software banner, it might be another little escalation in the arms race between the good guys and the bad guys. Some of the bad guys are definitely working with NTFS metadata (ZeroAccess is notorious), although they're often now going to need the interactive user to help them out with admin rights to do anything significant.

dib22
join:2002-01-27
Kansas City, MO

dib22 to Sentinel

Member

to Sentinel
Not what you want to hear but the only machine I have avast on is running windows 8, but no I do not see $Extend in any summary or logs.
Sentinel
Premium Member
join:2001-02-07
Florida

Sentinel

Premium Member

In case anyone else is curious about this I found a workaround here:
»social.msdn.microsoft.co ··· gramming

Basically it has to do with transactional NTFS (whatever that is). And you can't get rid of it but you can shrink it by resetting it. After which it is about 1 mb on my machine.

From that link:
quote:
You can work around this problem by resetting the RM (resource manager). This will blow away all the $Rm data and re-create everything from scratch, after which $Tops will be negligible.

1 --- Before resetting the RM make sure there are no transactions in progress, and if there are it's best to just wait for them to complete. To check type "fsutil resource info c:\". The output of the field 'Running Transactions' will show non-zero if there are transactions in progress.
2 --- To reset the RM type "fsutil resource setautoreset true" and then reboot.

I still don't know why I have it and others don't or how to even see it. The only time it shows itself is during anti-virus scans. Otherwise I don't even have a program that allows me to see that it is there.

Anyone know of a way to see if these files are there?

Exidor
Premium Member
join:2001-05-04

Exidor

Premium Member

Re: Anyone know of a way to see if these files are there?

7-Zip File Manager?

»Re: [WIN7] What are these folders?