It looks like the rootkit detector is going nuts over alternative data streams that Windows is creating by default. See: https://superuser.com/questions/1199464/alternate-data-stream-win32app-1-attached-to-a-large-number-of-folders
Apparently in Windows 10 the "Storage Service" is creating these streams. Is it possible to modify the rootkit detector to ignore alternative data streams named "Win32App_1" that have no data?