Installflashplayer.exe (potentially scraping memory)

Question

Greetings,I've been receiving these notices through cb Defense service that flash player is trying to run/install but the end users aren't trying to install anything.  Here is the sequence of events leading up to the 'Potential scraping memory'.Is this something I need to worry about?Event OrderEvent1The file C:\windows\syswow64\macromed	emp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe was first detected on a local disk. The device was on the corporate network using the public address ###.###.###.### (located in {Corporate Office Location}, United States). The file is signed and is part of Adobe Flash Player Installer/Uninstaller by Adobe. The file was created by the application C:\windows\syswow64\flashplayerinstaller.exe .2The application C:\windows\syswow64\flashplayerinstaller.exe invoked the application C:\windows\syswow64\macromed	emp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe.3The application C:\windows\syswow64\flashplayerinstaller.exe attempted to invoke the application "C:\Windows\SysWOW64\Macromed\Temp\{5717F047-4307-4149-B4E1-99F8DC5D800B}\InstallFlashPlayer.exe", by calling the function "CreateProcessW". The operation was successful.4The application C:\windows\syswow64\macromed	emp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to enable executable memory, by calling the function "NtProtectVirtualMemory". The operation was successful.5The application C:\windows\syswow64\macromed	emp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to list all processes, by calling the function "NtQuerySystemInformation". The operation failed.6The application C:\windows\syswow64\macromed	emp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to open the process "System", by calling the function "OpenProcess". The operation was blocked by the operating system.7The application C:\windows\syswow64\macromed	emp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was blocked and the application terminated by Cb Defense.Thank You for your time.

jeromiec83223024 · Answer

Carbon Black has definitely been throwing some false positives related to Flash Player installation in our corporate environment (although most recently that was on Mac). We've been working with them to whitelist Flash binaries to prevent erroneous notifications.

Assuming that you're confident that you got the installers from Adobe and they're legitimate, then you might talk to Carbon Black about what, if anything, needs to be done to address the false positives or tune the notifications to filter these out.

If your users are installing Flash Player ad-hoc, there *are* ways to prevent that, and to manage Flash Player updates in the enterprise.

Details are in the Flash Player system administrator's guide, here:

Adobe Flash Player Administration Guide for Flash Player | Adobe Developer Connection

Event Order	Event
1	The file C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe was first detected on a local disk. The device was on the corporate network using the public address ###.###.###.### (located in {Corporate Office Location}, United States). The file is signed and is part of Adobe Flash Player Installer/Uninstaller by Adobe. The file was created by the application C:\windows\syswow64\flashplayerinstaller.exe .
2	The application C:\windows\syswow64\flashplayerinstaller.exe invoked the application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe.
3	The application C:\windows\syswow64\flashplayerinstaller.exe attempted to invoke the application "C:\Windows\SysWOW64\Macromed\Temp\{5717F047-4307-4149-B4E1-99F8DC5D800B}\InstallFlashPlayer.exe", by calling the function "CreateProcessW". The operation was successful.
4	The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to enable executable memory, by calling the function "NtProtectVirtualMemory". The operation was successful.
5	The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to list all processes, by calling the function "NtQuerySystemInformation". The operation failed.
6	The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to open the process "System", by calling the function "OpenProcess". The operation was blocked by the operating system.
7	The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was blocked and the application terminated by Cb Defense.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded