Skip to main content
A
Anonymous
August 9, 2019
Question

Adobe ARM Scraping memory

  • August 9, 2019
  • 3 replies
  • 15731 views

Hello,

My AV is blocking Adobe ARM, which I understand to be an auto-updater for Acrobat and reader.

It is getting blocked because it is found attempting to read memory of LSASS.

I've gotten about 8 alerts in the last 24 hours from our AV that ARM_###.msi has been blocked for attempting to scrape memory, all on different devices.

Is this normal behavior for arm?

I would like to receive the auto-updates, but don't want to create an exception for arm if this isn't intentional behavior.

Thanks!

This topic has been closed for replies.

3 replies

M
Muriel22218900lddm
Participating Frequently
January 9, 2022

Hi, I have same problem. but now I am able to resolve my problem throw following instruction in comments. Thanks

D
Dennis22563038buu4
Participant
January 8, 2022

We have the same problem aswell, but for microsoft server operativesystems, with adobe reader installed. 

Amal.
Community Manager
Amal.Community Manager
Community Manager
August 19, 2019

Hi Lnye,

Apologies for the delay in response and the trouble caused, as stated above you are experiencing issues with Adobe ARM, correct?

You may try updating the application to the latest version available 19.12.20036. Go to Help > Check for Updates. To know more about the latest version available you may please refer to the link  - DC Release Notes — Release Notes for Acrobat DC Products

Let us know if that works for you

Regards,

Amal

dwillis77
dwillis77
Participating Frequently
July 6, 2020

Hello,

 

Unfortunately this does not answer the OP's question - he is asking about why Adobe ARM processes are attempting to scrape memory from lsass.exe. I got an alert indicating the same today from my A/V. I see that the MSI in the location it specified ( c:\program files (x86)\common files\adobe\arm\1.0\cache ) is (or could be) a legitimate Adobe ARM MSI file. But is the behavior of scraping memory from lsass.exe normal/expected behavior?

 

Please advise ASAP, as this is a question we urgently need an answer to in order to know if we should consider a system with this behavior to be compromised or not.

 

Thanks!

    L
    LeoUpdaterX
    Participating Frequently
    July 7, 2020

    Just got an alert from Carbon Black about this here too.  First time I've seen it.

     

    The script C:\program files (x86)\common files\adobe\arm\1.0\cache\arm_001824382551_191481257759463116812925067172099014164.msi attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was blocked and the application terminated by Cb Defense.


    Can you please upload this .msi file for me somewhere?

     

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices