Adobe ARM Scraping memory

New Here, Aug 09, 2019

Hello,

My AV is blocking Adobe ARM, which I understand to be an auto-updater for Acrobat and Reader.

It is getting blocked because it is found attempting to read the memory of LSASS.

I've gotten about 8 alerts in the last 24 hours from our AV that ARM_###.msi has been blocked for attempting to scrape memory, all on different devices.

Is this normal behavior for ARM?

I would like to receive the auto-updates, but don't want to create an exception for ARM if this isn't intentional behavior.

Thanks!

Views: 8.1K
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee, Aug 19, 2019

Hi Lnye,

Apologies for the delay in response and the trouble caused. As stated above, you are experiencing issues with Adobe ARM, correct?

You may try updating the application to the latest version available, 19.12.20036. Go to Help > Check for Updates. To know more about the latest version available, please refer to the link: DC Release Notes — Release Notes for Acrobat DC Products

Let us know if that works for you.

Regards,

Amal

Community Beginner, Jul 06, 2020

Hello,

Unfortunately this does not answer the OP's question. He is asking why Adobe ARM processes are attempting to scrape memory from lsass.exe. I got an alert indicating the same today from my A/V. I see that the MSI in the location it specified (c:\program files (x86)\common files\adobe\arm\1.0\cache) is (or could be) a legitimate Adobe ARM MSI file. But is the behavior of scraping memory from lsass.exe normal/expected behavior?

Please advise ASAP, as this is a question we urgently need an answer to in order to know whether we should consider a system with this behavior to be compromised or not.

Thanks!

Advocate, Jul 06, 2020

The MSI file in the location you mentioned (c:\program files (x86)\common files\adobe\arm\1.0\cache) is the self-update installer for the Updater. If it has a valid digital signature, there should be nothing to worry about.

All files located in the c:\program files (x86)\common files\adobe\arm\1.0 folder should also have valid digital signatures.

Community Beginner, Jul 06, 2020

Thanks for the reply. Unfortunately, our A/V (Carbon Black) reports the signature as unverified. Is there somewhere I can find known valid signatures of the files so I can verify this? The exact filename was "arm_001824382551_2766932067164231831757056870327763284.msi".

Also, any information on why the lsass.exe memory scraping is necessary?

Thank you!

Advocate, Jul 06, 2020

Right-click on the file, select Properties, open the Digital Signatures tab, click on the signature in the list and select the Details button. You should see something like this:

[image: New Bitmap Image.jpg]

This file is executed by the Windows Installer Service. There is nothing in this installer that is directly connected to lsass.exe.

Sometimes antiviruses give false positives; can you check with the A/V manufacturer on this?
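The two Advocate replies above describe checking the signature of the cached .msi by hand through Properties > Digital Signatures, and say that everything under the ARM 1.0 folder should carry a valid signature. The script below is an added example, not code from the thread or from Adobe, that performs the same check for every .msi, .exe and .dll under that folder with Get-AuthenticodeSignature and Get-FileHash, flags anything whose signature does not validate or is not issued to Adobe, and compares each SHA-256 against a list of hashes you trust. The folder path is the one quoted in the thread; the single reference hash seeded into that list is the one two posters reported for their arm_*.msi and is not verified here, so treat it as a placeholder for hashes you have confirmed yourself.

```powershell
# Added example (not from the thread or Adobe): audit Authenticode signatures and
# SHA-256 hashes of the files under the Adobe ARM folder quoted in the thread.
# Assumptions: the folder path is the one posted above; the reference hash is the
# one posters reported in this thread and is NOT independently verified here.

param(
    [string]$ArmRoot = 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0',
    [string[]]$KnownGoodSha256 = @(
        '49c546e131fd81b814f0f2232588fd9fb9d783e1bc5a47a783d52540be49783a'  # hash posted in the thread, unverified
    )
)

function Test-ArmFile {
    param([System.IO.FileInfo]$File)

    $sig  = Get-AuthenticodeSignature -FilePath $File.FullName
    $hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash.ToLower()

    # A signature only counts if the chain validates ("Valid") AND the leaf
    # certificate belongs to the publisher you expect; a valid signature from
    # some other organisation is exactly what you want to notice.
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $isAdobe = $signer -like '*O=Adobe*'
    $sigOk   = ($sig.Status -eq 'Valid') -and $isAdobe

    [pscustomobject]@{
        Path        = $File.FullName
        Status      = $sig.Status
        Signer      = $signer
        SignatureOk = $sigOk
        Sha256      = $hash
        KnownHash   = $KnownGoodSha256 -contains $hash
    }
}

$results = Get-ChildItem -Path $ArmRoot -Recurse -File -Include *.msi, *.exe, *.dll |
    ForEach-Object { Test-ArmFile -File $_ }

# Unsigned, badly signed, or non-Adobe files are what you escalate; a valid
# Adobe signature on the cached .msi is what the thread says to expect.
$suspect = @($results | Where-Object { -not $_.SignatureOk })

$results | Format-Table Status, SignatureOk, KnownHash, Path -AutoSize
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} file(s) under {1} lack a valid Adobe signature:" -f $suspect.Count, $ArmRoot)
    $suspect | Format-Table Status, Signer, Path -AutoSize
}
```

Run it from an elevated PowerShell prompt, since parts of the ARM folder may not be readable to a standard user. One caveat worth keeping in mind when reading the output: Authenticode validates the bytes of the file on disk at the moment you check it. A valid signature tells you the installer was not tampered with before it ran; it says nothing by itself about what the Windows Installer process did with it afterwards, which is why the Advocate also asks for the verbose ARM logs and the vendor's own verdict on the alert.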
Community Beginner, Jul 06, 2020

Thanks for the additional info. When checking the details of the file as you described, it does say the digital signature is OK.

It does say it was services.exe (Service Control Manager) that executed it, but doesn't specify exactly which service kicked it off. Here is a snapshot of part of the A/V alert:

[image: AdobeARMAlert.JPG]

If this is consistent with the behavior it should have, then I can live with the false positive. The main part that made me very nervous was the fact that it read memory from the lsass process (granted, that doesn't mean it was doing something malicious, but it's definitely a red flag, because that could indicate it is trying to scrape usernames or passwords, etc.).

New Here, Jul 06, 2020

Just got an alert from Carbon Black about this here too. First time I've seen it.

The script C:\program files (x86)\common files\adobe\arm\1.0\cache\arm_001824382551_191481257759463116812925067172099014164.msi attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was blocked and the application terminated by Cb Defense.

Advocate, Jul 07, 2020

Can you please upload this .msi file for me somewhere?

New Here, Jul 07, 2020

I am also seeing these alerts from Carbon Black and the installer (49c546e131fd81b814f0f2232588fd9fb9d783e1bc5a47a783d52540be49783a).

New Here, Jul 08, 2020

MSI file is uploaded here: https://paste.c-net.org/TendingSpoiling

(Paste that URL into a new browser window if the link doesn't work.)

It has nothing to do with a bad digital signature. In fact, the Carbon Black logs say that it is signed.

Advocate, Jul 08, 2020

Thank you ywfn,

I checked the uploaded file; it is valid. You can launch the file manually to install the latest Updater.

If you still have concerns, please enable Updater verbose logging (search this forum for the iLogLevel registry value) and provide all files that have "AdobeARM" in the name from the current User\Temp folder and the Windows\Temp folder at the time you see the alert from CB.

I have CB on my system with the latest Updater version 1.824.38.2551 installed from the same .msi file, and it never triggered alerts from CB.

New Here, Jul 09, 2020

Don't know about the other posters, but for me this Carbon Black alert only happens on Windows 7, not Windows 10. So you might need to test it on Windows 7 to see the problem.

Community Beginner, Jul 09, 2020

Good point ywfn. I have also only seen the alert on Windows 7, now that you mention it. In fact I was wondering why we hadn't seen it more with other users that have Adobe, and I realized it is probably because the machine that triggered the alert is one of the only ones left running Windows 7.

Leo.x, I PM'd you about an email address I could share the uploaded MSI file with but did not yet receive a response. Please let me know who I may share this with.

Thanks!

New Here, Jul 09, 2020

Also seeing this in Carbon Black, but with a Windows 10 machine.

The script C:\program files (x86)\common files\adobe\arm\1.0\cache\arm_001824382551_1140957762124605217515991583971586149702.msi attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory".

SHA: 49c546e131fd81b814f0f2232588fd9fb9d783e1bc5a47a783d52540be49783a

I don't see any explanation in previous posts for why Adobe ARM needs to read lsass.exe and would like to know.

Advocate, Jul 09, 2020

The valid .msi file referenced here does not call NtReadVirtualMemory.

This file is not a script; it is a Microsoft Installer database processed by the Windows Installer Service.

Can you please provide more information after following the few steps below?

1. Try to execute this file manually. Do you get a CB alert? (Always check the digital signature in advance.)

2. Please enable Updater verbose logging (search this forum for the iLogLevel registry value for instructions) and provide (upload to Dropbox?) all .log files that have "AdobeARM" in the name from the current User\Temp folder and the Windows\Temp folder at the time you see the alert from CB.

3. Contact CB and ask if they can confirm whether this is valid or a false positive.

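The three triage steps the Advocate lists above amount to: identify exactly which file the alert names, gather the AdobeARM logs from both Temp folders at the time of the alert, and hand the package to the vendor. The script below is an added example, not code from the thread or from Adobe, that does the first two of those: it parses a Carbon Black alert line in the format posters quoted in this thread (the sample line in the script is constructed from that format), extracts the installer path, the target process and the API named, then copies every AdobeARM* file from the user's Temp and Windows\Temp, plus the cached .msi if it still exists, into one timestamped folder together with a small context record. It assumes the log file names start with "AdobeARM" as the Advocate describes; it does not touch the iLogLevel registry value because the thread does not give its key path, so enable verbose logging first by following the forum instructions he refers to.

```powershell
# Added example (not from the thread or Adobe): parse a Carbon Black alert in the
# format quoted in this thread and gather the evidence the Advocate asks for.
# Assumptions: log names start with "AdobeARM" (as stated in the thread); the
# alert text below is a constructed sample in the same format as the posted ones.

$AlertText = 'The script C:\program files (x86)\common files\adobe\arm\1.0\cache\arm_001824382551_1140957762124605217515991583971586149702.msi attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory".'

function ConvertFrom-CbAlert {
    param([string]$Text)
    # Three fields matter for triage: what ran, what it touched, and which API was used.
    $pattern = 'The script (?<Source>.+?\.msi) attempted to read the memory of "(?<Target>[^"]+)".*?calling the function "(?<Api>[^"]+)"'
    if ($Text -match $pattern) {
        return [pscustomobject]@{
            Source = $Matches['Source']
            Target = $Matches['Target']
            Api    = $Matches['Api']
        }
    }
    throw 'Alert text did not match the expected Carbon Black format'
}

function Export-ArmEvidence {
    param(
        [string]$SourceFile,
        [string]$OutRoot = (Join-Path $env:TEMP ('ARM-triage-' + (Get-Date -Format 'yyyyMMdd-HHmmss')))
    )
    New-Item -ItemType Directory -Path $OutRoot -Force | Out-Null

    # The Advocate asks for AdobeARM logs from both the current user's Temp and
    # Windows\Temp; collect whatever is present in either.
    $logDirs = @($env:TEMP, (Join-Path $env:windir 'Temp'))
    foreach ($dir in $logDirs) {
        Get-ChildItem -Path $dir -Filter 'AdobeARM*' -File -ErrorAction SilentlyContinue |
            Copy-Item -Destination $OutRoot -ErrorAction SilentlyContinue
    }

    # Keep the cached installer named in the alert alongside the logs, if it is still there.
    $sourceExists = Test-Path -LiteralPath $SourceFile
    if ($sourceExists) {
        Copy-Item -LiteralPath $SourceFile -Destination $OutRoot
    }

    # Record the environment the alert fired in; the thread shows the behaviour
    # differing between Windows 7 and Windows 10, so the OS version is worth keeping.
    [pscustomobject]@{
        CollectedAt  = Get-Date -Format o
        Host         = $env:COMPUTERNAME
        OsVersion    = [System.Environment]::OSVersion.VersionString
        SourceFile   = $SourceFile
        SourceExists = $sourceExists
        LogCount     = @(Get-ChildItem -Path $OutRoot -Filter 'AdobeARM*' -File).Count
    } | ConvertTo-Json | Set-Content -Path (Join-Path $OutRoot 'context.json')

    return $OutRoot
}

$alert = ConvertFrom-CbAlert -Text $AlertText
$alert | Format-List
$out = Export-ArmEvidence -SourceFile $alert.Source
Write-Host "Evidence collected in $out"
```

Replace $AlertText with the text of your own alert (or read it from the console export) and run the script as the same user the alert was raised for, so $env:TEMP resolves to the right profile. The resulting folder is what you would attach when you take step 3 and ask the vendor to confirm or withdraw the detection.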
Community Beginner, Sep 24, 2020

Has there been any update on this? My inbox has been flooded all week with these same exact alerts. Windows 10 for me though.

Advocate, Sep 24, 2020

Would you please download and install the latest Updater version from the link below?

https://armmf.adobe.com/arm-updates/win/ARM/1.8.x/AdobeARM_1824399311.msi

Let us know if you still have complaints from CB.

New Here, Sep 12, 2021

Hi Adobe team,

I'm getting a lot of alerts with:

The application arm_001824448449_1241882961188294104317255206101868181371.msi was detected running.

Is this normal behaviour or a false positive?

Advocate, Sep 13, 2021

If the digital signature of this file is valid, the alert is a false positive.

New Here, Dec 08, 2021

Is the digital signature a signature for the application while it is at rest, or in process? If it just protects the application while it is at rest, it could still be compromised. Can you please advise?

New Here, Jan 07, 2022

I seem to be having this issue as well. Any updates on this? It seems like a false positive, but I don't want to assume.

Thanks.

New Here, Jan 08, 2022

We have the same problem as well, but for Microsoft server operating systems with Adobe Reader installed.

Community Beginner, Jan 09, 2022

Hi, I have the same problem, but now I was able to resolve my problem by following the instructions in the comments. Thanks.
