Adobe ARM Scraping memory

Hello,

Unfortunately this does not answer the OP's question - he is asking about why Adobe ARM processes are attempting to scrape memory from lsass.exe. I got an alert indicating the same today from my A/V. I see that the MSI in the location it specified ( c:\program files (x86)\common files\adobe\arm\1.0\cache ) is (or could be) a legitimate Adobe ARM MSI file. But is the behavior of scraping memory from lsass.exe normal/expected behavior?

Please advise ASAP, as this is a question we urgently need an answer to in order to know if we should consider a system with this behavior to be compromised or not.

Thanks!

MSI file in the location you mentioned (c:\program files (x86)\common files\adobe\arm\1.0\cache) is self-update installer for Updater. If it has valid digital signature, there should be nothing to worry about.

All files located in c:\program files (x86)\common files\adobe\arm\1.0 folder should also have valid digital signature.

Thanks for the reply. Unfortunately, our A/V (Carbon Black) reports the signature as unverified - is there somewhere I can find known valid signatures of the files so I can verify this? The exact filename was "arm_001824382551_2766932067164231831757056870327763284.msi".

Also - any information on why the lsass.exe memory scraping is necessary?

Thank you!

Right click on the file, select Properties\Digital Signatures tab, click on the signature from the list and select Details button. You should see something like this-

This file is executed by Windows Installer Service. There is nothing in this installer that is directly connected to lsass.exe.

Sometimes antiviruses give false-positives; can you check with A/V mfr on this?

Thanks for the additional info. When checking the details of the file as you described, it does say the digital signature is OK.

It does say it was services.exe (Services Control Manager) that executed it, but doesn't specify exactly which service kicked it off - here is a snapshot of part of the A/V alert:

If this is consistent with the behavior it should have then I can live with the false positive. The main part that made me very nervous was the fact that it read memory from the lsass process (granted that doesn't mean it was doing something malicious - but its definitely a red flag, because that could indicate it is trying to scrape usernames or passwords, etc.).

Just got an alert from Carbon Black about this here too.  First time I've seen it.

The script C:\program files (x86)\common files\adobe\arm\1.0\cache\arm_001824382551_191481257759463116812925067172099014164.msi attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was blocked and the application terminated by Cb Defense.

Can you please upload this .msi file for me somewhere?

I am also seeing these alerts from Carbon Black and the installer (49c546e131fd81b814f0f2232588fd9fb9d783e1bc5a47a783d52540be49783a).

MSI file is uploaded here: https://paste.c-net.org/TendingSpoiling

(Paste that URL into a new browser window, if the link doesn't work)

Has nothing to do with a bad digital signature.  In fact, the Carbon Black logs say that it is signed.

Thank you ywfn,

I checked the uploaded file - it is valid. You can launch file manually to install latest Updater.

If you still have concerns, please enable Updater verbose logging (search this forum for iLogLevel registry value) and provide all files that have "AdobeARM". in the name from the current User\Temp folder and Windows\Temp folder at the time you see allert from CB.

I have CB on my system with latest Updater version 1.824.38.2551 installed from the same .msi file, and it never triggered allerts from CB.

Don't know about the other posters, but for me this Carbon Black alert only happens on Windows 7, not Windows 10.  So you might need to test it on Windows 7 to see the problem.

Good point ywfn - I have as well only seen the alert on Windows 7 now that you mention it. In fact I was wondering why we hadn't seen it more with other users that have Adobe and I realized probably because the machine that triggered the alert is one of the only ones left running on Windows 7.

Leo.x - I PMd you about an email address I could share the uploaded MSI file with but did not yet receive a response - please let me know who I may share this with.

Thanks!

Also seeing this in Carbon Black, but with a Windows 10 machine.  

The script C:\program files (x86)\common files\adobe\arm\1.0\cache\arm_001824382551_1140957762124605217515991583971586149702.msi attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". 

SHA: 49c546e131fd81b814f0f2232588fd9fb9d783e1bc5a47a783d52540be49783a

I don't see any explanation in previous posts for why Adobe ARM needs to read lsass.exe and would like to know. 

Valid .msi file referenced here does not call NtReadVertualMemory.

This file is not a script; it is Microsoft Installer database processed by Windws Installer Service.

Can you please provide more information after following a few steps below?

1. Try to execute this file manually? Do you get CB allert? (Always check digital signature in advance)

2. Please enable Updater verbose logging (search this forum for iLogLevel registry value for instructions) and provide (upload to Dropbox?) all .log files that have "AdobeARM.." in the name from the current User\Temp folder and Windows\Temp folder at the time you see allert from CB.

3. Contact CB and ask if they can confirm this is valid or false-positive.

Has there been any update on this? My inbox has been flooded all week with these same exact alerts. Windows 10 for me though. 

Would you pease download and install latest Updater version from this link below?

https://armmf.adobe.com/arm-updates/win/ARM/1.8.x/AdobeARM_1824399311.msi

Let us know if  you still have complains from CB

HI Adobe team,

Im getting alot of alerts with 

The application arm_001824448449_1241882961188294104317255206101868181371.msi was detected running. 

is this a normal behavious or false positive

If digital signature of this file is valid, the alert is false-positive.

the digital signature is a signature for the application while it is at rest, or in process?  If it just protects the application while it is at rest it could still be compromised.  Can you please advise?

seem to be having this issue as well, any updates on this? it seems like a false positive but i dont want to assume.

thanks.