Skip to main content
A
Anonymous
August 9, 2019
Question

Adobe ARM Scraping memory

  • August 9, 2019
  • 3 replies
  • 15731 views

Hello,

My AV is blocking Adobe ARM, which I understand to be an auto-updater for Acrobat and reader.

It is getting blocked because it is found attempting to read memory of LSASS.

I've gotten about 8 alerts in the last 24 hours from our AV that ARM_###.msi has been blocked for attempting to scrape memory, all on different devices.

Is this normal behavior for arm?

I would like to receive the auto-updates, but don't want to create an exception for arm if this isn't intentional behavior.

Thanks!

This topic has been closed for replies.

3 replies

M
Muriel22218900lddm
Participating Frequently
January 9, 2022

Hi, I have same problem. but now I am able to resolve my problem throw following instruction in comments. Thanks

D
Dennis22563038buu4
Participant
January 8, 2022

We have the same problem aswell, but for microsoft server operativesystems, with adobe reader installed. 

Amal.
Community Manager
Amal.Community Manager
Community Manager
August 19, 2019

Hi Lnye,

Apologies for the delay in response and the trouble caused, as stated above you are experiencing issues with Adobe ARM, correct?

You may try updating the application to the latest version available 19.12.20036. Go to Help > Check for Updates. To know more about the latest version available you may please refer to the link  - DC Release Notes — Release Notes for Acrobat DC Products

Let us know if that works for you

Regards,

Amal

dwillis77
dwillis77
Participating Frequently
July 6, 2020

Hello,

 

Unfortunately this does not answer the OP's question - he is asking about why Adobe ARM processes are attempting to scrape memory from lsass.exe. I got an alert indicating the same today from my A/V. I see that the MSI in the location it specified ( c:\program files (x86)\common files\adobe\arm\1.0\cache ) is (or could be) a legitimate Adobe ARM MSI file. But is the behavior of scraping memory from lsass.exe normal/expected behavior?

 

Please advise ASAP, as this is a question we urgently need an answer to in order to know if we should consider a system with this behavior to be compromised or not.

 

Thanks!

    Y
    ywfn
    Participant
    July 7, 2020

    Thanks for the additional info. When checking the details of the file as you described, it does say the digital signature is OK.

     

    It does say it was services.exe (Services Control Manager) that executed it, but doesn't specify exactly which service kicked it off - here is a snapshot of part of the A/V alert:

     

     

    If this is consistent with the behavior it should have then I can live with the false positive. The main part that made me very nervous was the fact that it read memory from the lsass process (granted that doesn't mean it was doing something malicious - but its definitely a red flag, because that could indicate it is trying to scrape usernames or passwords, etc.).


    Just got an alert from Carbon Black about this here too.  First time I've seen it.

     

    The script C:\program files (x86)\common files\adobe\arm\1.0\cache\arm_001824382551_191481257759463116812925067172099014164.msi attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was blocked and the application terminated by Cb Defense.

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices