encryption Trojan - ES_session_store

Report · Nov 11, 2020

Our virus scanner partially recognizes some Adobe file as an encryption Trojan.

Filenames:

ES_session_store

ES_session_storei

Can someone tell me what the files are for? The files are under the following path:

C:\Users\Daniel\AppData\Roaming\Adobe\Acrobat\DC\Security\

Report · Aug 26, 2021

Sorry for necroing an older thread, but I would like to know that as well..... in our case the file server on which the roaming profiles are stored notifies us about an encryption event.

Since it is a heuristic hit and it is classified as a "generic cryptor" I suspect Adobe encrypts some sensitive data in those files. When the roaming profile is written to the file server on client shutdown, it triggers the encryption event warning.

So I THINK it is a false positive, but I would like to know for sure.

If anybody has some insight into those files and could shed some light on this it would be highly appreciated.

Report · Oct 19, 2021

Hi - did you manage to get to the bottom of this? I think it's a false positive like you say but I can't get a decent answer out of our antivirus support!

Report · Oct 19, 2021

Hey there...

No, nothing new came to light.

We had a handful of similar events that triggered the encryption warning, but it always checked out with the current theory:
Some program had to store sensitive data of some sorts and it did so with an encrypted file somewhere under APPDATA/ROAMING.
Then, at logout, the roaming profile was copied to the server which triggered the encryption warning.

But so far, no new information about ES_session_store

Adobe Community

encryption Trojan - ES_session_store