Skip to main content
A
Anonymous
August 9, 2019
Question

Adobe ARM Scraping memory

  • August 9, 2019
  • 3 replies
  • 15731 views

Hello,

My AV is blocking Adobe ARM, which I understand to be an auto-updater for Acrobat and reader.

It is getting blocked because it is found attempting to read memory of LSASS.

I've gotten about 8 alerts in the last 24 hours from our AV that ARM_###.msi has been blocked for attempting to scrape memory, all on different devices.

Is this normal behavior for arm?

I would like to receive the auto-updates, but don't want to create an exception for arm if this isn't intentional behavior.

Thanks!

This topic has been closed for replies.

3 replies

M
Muriel22218900lddm
Participating Frequently
January 9, 2022

Hi, I have same problem. but now I am able to resolve my problem throw following instruction in comments. Thanks

D
Dennis22563038buu4
Participant
January 8, 2022

We have the same problem aswell, but for microsoft server operativesystems, with adobe reader installed. 

Amal.
Community Manager
Amal.Community Manager
Community Manager
August 19, 2019

Hi Lnye,

Apologies for the delay in response and the trouble caused, as stated above you are experiencing issues with Adobe ARM, correct?

You may try updating the application to the latest version available 19.12.20036. Go to Help > Check for Updates. To know more about the latest version available you may please refer to the link  - DC Release Notes — Release Notes for Acrobat DC Products

Let us know if that works for you

Regards,

Amal

dwillis77
dwillis77
Participating Frequently
July 6, 2020

Hello,

 

Unfortunately this does not answer the OP's question - he is asking about why Adobe ARM processes are attempting to scrape memory from lsass.exe. I got an alert indicating the same today from my A/V. I see that the MSI in the location it specified ( c:\program files (x86)\common files\adobe\arm\1.0\cache ) is (or could be) a legitimate Adobe ARM MSI file. But is the behavior of scraping memory from lsass.exe normal/expected behavior?

 

Please advise ASAP, as this is a question we urgently need an answer to in order to know if we should consider a system with this behavior to be compromised or not.

 

Thanks!

    E
    edwardpseudohands
    Participant
    July 9, 2020

    Good point ywfn - I have as well only seen the alert on Windows 7 now that you mention it. In fact I was wondering why we hadn't seen it more with other users that have Adobe and I realized probably because the machine that triggered the alert is one of the only ones left running on Windows 7.

     

    Leo.x - I PMd you about an email address I could share the uploaded MSI file with but did not yet receive a response - please let me know who I may share this with.

     

    Thanks!


    Also seeing this in Carbon Black, but with a Windows 10 machine.  

    The script C:\program files (x86)\common files\adobe\arm\1.0\cache\arm_001824382551_1140957762124605217515991583971586149702.msi attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory".

    SHA: 49c546e131fd81b814f0f2232588fd9fb9d783e1bc5a47a783d52540be49783a

     

     

    I don't see any explanation in previous posts for why Adobe ARM needs to read lsass.exe and would like to know. 

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices