encryption Trojan - ES_session_store

New Here, Nov 11, 2020

Our virus scanner partially recognizes some Adobe files as an encryption Trojan.

 

Filenames:

ES_session_store

ES_session_storei

 

Can someone tell me what the files are for? The files are under the following path:

C:\Users\Daniel\AppData\Roaming\Adobe\Acrobat\DC\Security\

New Here, Aug 26, 2021

Sorry for necroing an older thread, but I would like to know that as well... In our case, the file server on which the roaming profiles are stored notifies us about an encryption event.

 

Since it is a heuristic hit and it is classified as a "generic cryptor" I suspect Adobe encrypts some sensitive data in those files. When the roaming profile is written to the file server on client shutdown, it triggers the encryption event warning.

So I THINK it is a false positive, but I would like to know for sure.

 

If anybody has some insight into those files and could shed some light on this, it would be highly appreciated.

New Here, Oct 19, 2021

Hi - did you manage to get to the bottom of this? I think it's a false positive like you say but I can't get a decent answer out of our antivirus support!

New Here, Oct 19, 2021

Hey there...

No, nothing new came to light.

We had a handful of similar events that triggered the encryption warning, but it always checked out with the current theory:
Some program had to store sensitive data of some sort and it did so with an encrypted file somewhere under APPDATA/ROAMING.
Then, at logout, the roaming profile was copied to the server which triggered the encryption warning.

But so far, no new information about ES_session_store.
