Good day,
I am hoping that someone may help identify if this file is a legitimate file from Adobe. The file is: RdrServicesUpdater2_x86.exe
SHA256: 947b2d0490101a8bf8fb7aaca36289f11d15bed605efd46bfd45298cccfb375b
MD5: 24F8D57B669F33FCB30D8FB045B27F8D
thank you.
I have the same question. Cylance gives it a score of 23 and puts it in quarantine.
Virus total:
https://www.virustotal.com/gui/file/947b2d0490101a8bf8fb7aaca36289f11d15bed605efd46bfd45298cccfb375b...
I do not see Adobe replying to you, did they? I want to know about it too.
Our EDR is also alerting on it, marking it as inconclusive and blocking its execution. Would be nice if Adobe would let us know if it is legitimate or not.
We see similar in our EDR as well.
Same here. Our EDR did block the activity. Marked as suspicious.
Has Adobe provided an update regarding this issue?
We are seeing this blocked in Cylance today 2/2/2024.
Any update Adobe?
It alerted as well with my Cylance, are there any updates on this package?
My EDR is pinging me. Is it safe to install rdrservicesupdater2_x86.exe? Thank you.
Hi @myrta_8356,
Hope you are doing well. Sorry for the trouble with using Acrobat Reader.
Would you mind helping us with a fresh set of logs that we can share with the development team for investigation and a better response?
Look forward to hearing from you.
Regards,
Souvik.
Hello myrta,
I am also having the same issue with SentinelOne. The file has no Publisher Name or Signer Identity, and the Signature Verification is NotSigned. Please help. Thanks.
Threat Info:
Name: RdrServicesUpdater2_x86.exe
Path: \Device\HarddiskVolume3\Users\(removed)\AppData\Local\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_x86.exe
Process User: (removed)
Signature Verification: NotSigned
Originating Process: AdobeARM.exe
SHA1: b32663dbd680b520723f64655a2fd1c1de740e94
SHA256: 3686fd3c0e95da9e66cf508743aba605d2ba0ab3f85fc66ef8b24bde507d4924
Initiated By: Agent Policy
Engine: On-Write Static AI - Suspicious
Detection type: Static
Classification: Malware
File Size: 844.92 KB
Storyline: 12E07C6C958ACE03
Threat Id: 2255392265702697509
Threat indicators:
Abnormalities
This binary contains abnormal section names which could be an indication that it was created with non-standard development tools
General
This binary imports functions used to raise kernel exceptions
This binary imports debugger functions
File can delete registry values
MITRE : Defense Evasion [MODIFY REGISTRY]
File can print debug messages
Persistence
File can persist through the Winlogon Helper DLL registry key
MITRE : Persistence [WINLOGON HELPER DLL]
File can persist through Run registry key
MITRE : Persistence [REGISTRY RUN KEYS / STARTUP FOLDER]
File can set registry values
File can copy files
File can create or open registry keys
File can create or open files
File can set thread local storage values
File can allocate thread local storage
File can create a mutex
File can write to files on Windows
Discovery
File can retrieve the image file name of a process
File can list process modules
MITRE : Discovery [PROCESS DISCOVERY]
File can retrieve disk size
MITRE : Discovery [SYSTEM INFORMATION DISCOVERY]
File can retrieve the size of files
MITRE : Discovery [FILE AND DIRECTORY DISCOVERY]
File can retrieve file attributes
File can list files on Windows
MITRE : Discovery [FILE AND DIRECTORY DISCOVERY]
File can retrieve common file paths
MITRE : Discovery [FILE AND DIRECTORY DISCOVERY]
File can check for the existence of a mutex
File can retrieve thread local storage values
File can query or list registry values
MITRE : Discovery [QUERY REGISTRY]
File can list running processes
MITRE : Discovery [PROCESS DISCOVERY]
MITRE : Discovery [SOFTWARE DISCOVERY]
File can retrieve system information on Windows
MITRE : Discovery [SYSTEM INFORMATION DISCOVERY]
File can query environment variables
MITRE : Discovery [SYSTEM INFORMATION DISCOVERY]
File can retrieve geographical location
MITRE : Discovery [SYSTEM LOCATION DISCOVERY]
Evasion
File can delay its execution
Execution
File can create threads
File can encrypt data using Salsa20 or ChaCha
MITRE : Defense Evasion [OBFUSCATED FILES OR INFORMATION]
File can dynamically link functions at runtime
MITRE : Execution [SHARED MODULES]
File has capability to open another process
File can allocate memory
File can terminate processes
File can create processes on Windows
File can modify environment variables
File can accept command line arguments
MITRE : Execution [COMMAND AND SCRIPTING INTERPRETER]
File can extract resources with kernel32 functions
Impact
File can delete files
File can encrypt data using OpenSSL RSA
Command and Control
File can receive data
File can download from a URL
Credential Access
File can compare security identifiers
Collection
File can read files on Windows
File contains SQL statements
MITRE : Collection [DATA FROM INFORMATION REPOSITORIES]
Defense Evasion
File can check for OutputDebugString error
Alex, this location should have valid file downloaded by Updater (ARM) from the URL below-
Normally the Updater would delete this file after validation. It is possible that your antivirus interferes with the Updater.
You can download it yourself and compare the 2 files. I just downloaded from the above URL, and the file has a valid Adobe digital signature.
If you check your existing file by going to Properties, Digital Signature, does it show as valid?
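One way to run the two checks discussed in this thread (comparing hashes, and inspecting the Authenticode signature instead of trusting an EDR's "NotSigned"/"Suspicious" verdict) from PowerShell. This is an added example, not code from the thread or from Adobe. The GUID folder in the default path is taken from the SentinelOne report above and will differ on every machine, and the hash list is simply the two SHA-256 values posted in this thread: a match tells you only that your file is byte-identical to what other posters saw, not that Adobe published it. Only a Valid signature chain with an Adobe subject establishes the publisher.

```powershell
# Added example (not from the thread or Adobe): inspect the ARM-dropped updater
# before deciding whether to release it from quarantine.
# Assumption: the file still exists at the path SentinelOne reported; the GUID
# folder name below is copied from that report and is different per machine.
param(
    [string]$Path = "$env:LOCALAPPDATA\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_x86.exe"
)

# The two SHA-256 values posted in this thread (two builds carrying the same file name).
$KnownHashes = @(
    '947b2d0490101a8bf8fb7aaca36289f11d15bed605efd46bfd45298cccfb375b',
    '3686fd3c0e95da9e66cf508743aba605d2ba0ab3f85fc66ef8b24bde507d4924'
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "File not found: $Path (ARM normally deletes it after validation; copy it out while it exists, or use the EDR's quarantine export)"
    return
}

# 1. Hashes: same bytes as what others reported? Use the same algorithms the thread quotes.
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
$md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToUpperInvariant()
"SHA256        : $sha256"
"MD5           : $md5"
"Seen in thread: $($KnownHashes -contains $sha256)"

# 2. Authenticode: the check that actually identifies the publisher. Status values of interest:
#    Valid (chain builds to a trusted root), NotSigned (what the SentinelOne report showed),
#    HashMismatch (signature present but the bytes were altered, e.g. a partial or tampered download).
$sig = Get-AuthenticodeSignature -LiteralPath $Path
"Status        : $($sig.Status)  ($($sig.StatusMessage))"
if ($sig.SignerCertificate) {
    "Signer        : $($sig.SignerCertificate.Subject)"
    "Issuer        : $($sig.SignerCertificate.Issuer)"
    "Thumbprint    : $($sig.SignerCertificate.Thumbprint)"
    "Cert expires  : $($sig.SignerCertificate.NotAfter)"
    if ($sig.TimeStamperCertificate) {
        "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
    }
}

# 3. Verdict: accept only a Valid chain whose leaf subject names Adobe as the organization.
#    The 'O=Adobe' pattern is an assumption that covers Adobe's current and older signing
#    certificates; pinning the signer thumbprint you observe on a known-good download is stricter.
$signedByAdobe = ($sig.Status -eq 'Valid') -and
                 ($sig.SignerCertificate.Subject -match 'O=Adobe')

if ($signedByAdobe) {
    "VERDICT: validly signed by Adobe. If you exclude it in the EDR, exclude by hash or by signer certificate, not by the %LOCALAPPDATA% path, which anyone can write to."
} else {
    "VERDICT: do not unblock on this evidence. The file ARM downloads carries an Adobe Authenticode signature; an unsigned or hash-mismatched copy should stay quarantined and be compared against a fresh download."
}
```

Run it as-is to check the file at the default ARM location, or pass `-Path` to point it at a copy exported from quarantine or at the file you downloaded yourself, so you can compare the two results side by side as the previous post suggests.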