Tripwire is reporting an alternate stream added to a few files on one of our 2003 Web Edition machines.
LADS, Streams, Adsscan and Crucialads show nothing.
I know these files have been touched by our people and see no other evidence of intrusion.
Tripwire says they use a proprietary algorithm to detect alternate streams, however they have no ability to determine what the alternate stream is.
Anyone have a clue on how to tease out what Tripwire is reporting on?