Is there a Linux tool for changing DOS/Windows file attributes?

I often use a Linux LiveCD (or Puppy on a pen drive) to disinfect Windows machines that are infested with various malware. However, once the malware is gone, you still need to deal with the modifications it might have made, and sadly Linux isn't so great for that.

The recent crop of FakeAV programs try to freak the user out by making everything disappear - they set the "Don't show hidden or system files" option (and protect it with a Group Policy), and then they set the hidden/system attributes on every file in Documents and Settings\UserName.

What I'd like - but haven't found - is a Linux tool to reset those attributes. I suppose if I ran Samba, and shared the NTFS volume, and set my options correctly, I could probably do this from a DOS or Windows client... but that's a real pain, and anyway I'm not so sure about sharing an NTFS volume via Samba. Any way to do it directly?

Edit:
OK - sounds like setfattr(1) is what I need; however, it looks to me like I'd be setting a value bitmap directly, rather than applying a mask. Am I understanding that correctly - and if so, what (if anything) could I do to implement a mask?
In other words, some files might legitimately be Read-Only; some might have the Archive bit set. How do I only unset Hidden or System, without touching the others - like attrib -s -h at the Windows command line? If the only way to do it is to getfattr first, and then decide which parameters to pass to setfattr... well, I would hope not.

MT_Head

Posted 2011-08-09T21:57:18.043

Reputation: 864

So it might be my security centered frame of mind... but the words "disinfect" and "infested" make me want to immediately state "wipe and reinstall/reimage". – Goblinlord – 2015-03-18T02:36:28.210

try [softwarerecs.se] – phuclv – 2019-04-23T05:40:28.750

Answers

NTFS-3G includes the setfattr command:

setfattr -h -v 0x00000000 -n system.ntfs_attrib_be target-file

should clear all attributes (the last argument target-file should be changed, of course.) See here for a list of available attributes and how to set them.

Andrew Lambert

Posted 2011-08-09T21:57:18.043

Reputation: 7 136

The link no longer works – Vineet Menon – 2015-10-31T14:17:10.997

http://jp-andre.pagesperso-orange.fr/extend-attr.html#ntfsattributes – appas – 2016-03-19T07:48:38.410

setfattr probably works for NTFS file systems, but in case someone needs to do the same for FAT (vfat/fat16/fat32) file systems, see mtools package. That will do the job!

Wild Penguin

Posted 2011-08-09T21:57:18.043

Reputation: 51

If you’re feeling (just like me) setfattr is too low level and error-prone and want something like attrib in Windows or chmod in Linux, then fatattr seems to be the right tool.

Its usage is simple, for example:

fatattr +R FILE  # set FILE read-only
fatattr -H FILE  # set FILE not hidden

To get fatattr on Ubuntu, simply run (with Universe repository enabled):

sudo apt install fatattr

Melebius

Posted 2011-08-09T21:57:18.043

Reputation: 1 145

If you're mounting the filesystem with a suitably recent version of NTFS-3G, you can use getfattr and setfattr to access those attributes.

wfaulk

Posted 2011-08-09T21:57:18.043

Reputation: 5 692

Try my shell script, which is a (mostly) re-implementation of attrib command in Windows.

This uses system.ntfs_attrib_be attribute from NTFS-3G, so you need gatfattr and setfattr utilities from your distro (in Debian/Ubuntu: sudo apt-get install attr).

But after that, just use it without remembering the bit masks, e.g.

./ntfs_attr.sh -h -s some_file_in_ntfs_volume

~~https://gist.github.com/Explorer09/ac4bf6838c271a9968b3~~ (Migrating to GitLab; old link might cease to work.) https://gitlab.com/snippets/1720133

Notes:

/L option in attrib in Windows is implemented here, see the help in script for details.

/S and /S /D are (intentionally) not implemented. Try find(1) with this script instead.

Explorer09

Posted 2011-08-09T21:57:18.043

Reputation: 276

I'm not in a place where I can test it at the moment, but this sounds like EXACTLY what I had in mind. Upvoting now, will accept as soon as I've tested it. Thanks! ( – MT_Head – 2015-03-18T19:34:45.303

Just wanted to add something I used recently.

If you are trying to modify MSDOS attributes on a FAT16/32 filesystem (I was using Git Bash and I was trying to unhide the files on my fat32 flash drive that was hidden by a malware), you can use fatattr

The command syntax to unhide files is quite simply.

fatattr -h /path-to-your-file/file-name

Other available options can be checked here.

It can be downloaded from Sourceforge

Just put it in your git bash binaries directory and you are good to go!

Renju Jose

Posted 2011-08-09T21:57:18.043

Reputation: 61