Recently, when reviewing logs, I see agsservice.exe execute from the expected path (c:\program files (x86)\common files\adobe\adobegcclient\agsservice.exe).
A short time later, I see the scheduled task adobegcinvoker get deleted.
Then a log file states that agsservice.exe is "agsservice in onstop".
Then agshelper.exe executes several times from c:\windows\temp instead of its expected program files path.
Then cmd.exe is called and ran this command:
cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > nul & del /f /q "c:\windows\temp\agshelper.exe"
There's no technical information on how agsservice.exe or agshelper.exe actually work for me to analyze / evaluate whether this is expected behavior or not.
Any help would be appreciated.
Thank you.
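As an added triage example (editor-supplied code, not from this thread or from Adobe), the PowerShell below runs over constructed process-creation events that mirror the sequence described in the post and flags two things a log reviewer would want surfaced: a binary executing from a temp directory, and the `ping <host> -n 1 -w <ms> > nul & del ...` construction, which is a common way for a batch command line to pause for a few seconds before deleting a file. The event fields, the sample lines, the list of temp roots and the regex are the editor's assumptions, not taken from the poster's actual logs.

```powershell
# Editor-added example: flag process events that run from a temp directory or use
# the "ping <host> -n 1 -w <ms> > nul & del <file>" delay-then-delete idiom.
# The events below are CONSTRUCTED to mirror the sequence described in the post.

$SampleEvents = @(
    [pscustomobject]@{ Time = '10:00:01'
        Image       = 'C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe'
        CommandLine = '"C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe"' }
    [pscustomobject]@{ Time = '10:00:05'
        Image       = 'C:\Windows\Temp\AGSHelper.exe'
        CommandLine = '"C:\Windows\Temp\AGSHelper.exe"' }
    [pscustomobject]@{ Time = '10:00:09'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > nul & del /f /q "C:\Windows\Temp\AGSHelper.exe"' }
)

# Directories from which a signed vendor helper is not expected to run (assumption).
$TempRoots = @('C:\Windows\Temp\', "$env:TEMP\")

# ping <host> [-n <count>] [-w <timeout>] ... > nul & del [/switches] <target>
# Named groups capture the host, the wait in ms, and the file that gets deleted.
$DelayDeleteRegex = '(?i)ping\s+(?<host>\S+)\s+(?:-n\s+(?<count>\d+)\s+)?(?:-w\s+(?<timeout>\d+))?[^&]*>\s*nul\s*&\s*del\s+(?:/\w\s+)*"?(?<target>[^"&]+?)"?\s*$'

function Test-ProcessEvent {
    param([Parameter(Mandatory)] $ProcEvent)
    $reasons = @()
    foreach ($root in $TempRoots) {
        if ($ProcEvent.Image.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "executes from temp directory ($root)"
        }
    }
    if ($ProcEvent.CommandLine -match $DelayDeleteRegex) {
        $target = $Matches['target'].Trim()
        $reasons += "delay-then-delete of '$target' (ping $($Matches['host']), wait $($Matches['timeout']) ms)"
    }
    [pscustomobject]@{
        Time       = $ProcEvent.Time
        Image      = $ProcEvent.Image
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$SampleEvents | ForEach-Object { Test-ProcessEvent $_ } | Format-Table -AutoSize
```

On the constructed input the first event is clean, the second is flagged for running from C:\Windows\Temp, and the third is flagged as a delayed delete of C:\Windows\Temp\AGSHelper.exe. Either flag on its own is only a lead; what settles the question is whether the file in the temp directory was the vendor's signed binary, which is the check the last reply on this page describes.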
Based on some readings that I've done, the agsservice.exe or agshelper.exe check for software integrity and compliance.
If it appears aggressive you may need to check that some other Adobe apps that interact with Acrobat in that computer are actually legitimate or properly licensed.
See if this link is useful for troubleshooting:
https://helpx.adobe.com/genuine/faq.html
Does the same problem occur if your internet adapters are disabled or in Airplane mode?
In which version of MS Windows is this happening?
What is even stranger to me is that, for a legitimate Adobe process, it is actually invoking a script to ping a specific Domain Name Service address and check for latency.
It pings itself one time, then the script sets itself to wait 3,000 milliseconds for a response from the pinged device, and times out if no response occurs within 3,000 milliseconds during that loop.
Then it also invokes "nul and del" commands to clear and delete the AGS process log that is cached in the Windows temporary files folder.
Unless this is not related to a VPN/firewall configuration that you have at work or at home, the fact that it pings itself to a specific DNS address caught my attention.
So it may be that the AGS service can't find its way through a secured and encrypted DNS service.
However, if you open cmd.exe and execute the following command:
ipconfig /all
Can you spot the DNS address that your Gateway IP address (your PC or router) is currently communicating with?
Does it say "1.1.1.1", like the script that is associated with the Adobe Genuine Service reveals?
Or does it reveal a DNS address different from 1.1.1.1?
My first action would be to check the digital signature on the file in c:\windows\temp. This is the first step in seeing whether software is legitimate.
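An added example of that first step (editor's code, not from this thread or from Adobe): the PowerShell below compares the copy of agshelper.exe that ran from c:\windows\temp with the copy under the Program Files path named in the thread, reporting the Authenticode signature status, the signing certificate, and the SHA-256 hash of each. The two paths are the ones the poster gave; the verdict rules at the end are the editor's assumptions about what a reviewer would accept, and the script also handles the common case where the temp copy has already been deleted by the time you look.

```powershell
# Editor-added example: compare the temp copy of AGSHelper.exe with the installed
# copy. Paths are those given in the thread; decision rules are the editor's.

$ExpectedDir = 'C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient'
$Candidates  = @("$ExpectedDir\AGSHelper.exe", 'C:\Windows\Temp\AGSHelper.exe')

function Get-SignerReport {
    param([Parameter(Mandatory)][string] $Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Status = 'missing'
                                  Subject = $null; Thumbprint = $null; Sha256 = $null }
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        Status     = $sig.Status                     # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Subject    = $sig.SignerCertificate.Subject  # who signed it
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Sha256     = $hash.Hash
    }
}

$reports   = $Candidates | ForEach-Object { Get-SignerReport $_ }
$reports | Format-List

$installed = $reports[0]
$temp      = $reports[1]

# Verdict (editor's rules): the temp copy is only acceptable if its signature is
# valid and it was signed by the same certificate as the installed helper; an
# identical hash is the strongest confirmation that it is the same binary.
if (-not $installed.Exists) {
    "Installed helper not found under $ExpectedDir; nothing to compare against."
} elseif (-not $temp.Exists) {
    'Temp copy already deleted; capture it next time with a Sysmon FileCreate (Event ID 11) rule or file auditing on C:\Windows\Temp.'
} elseif ($temp.Status -ne 'Valid') {
    "ALERT: temp copy signature status is $($temp.Status)"
} elseif ($temp.Thumbprint -ne $installed.Thumbprint) {
    "ALERT: temp copy signed by a different certificate: $($temp.Subject)"
} elseif ($temp.Sha256 -ne $installed.Sha256) {
    'Same signer but different bytes (a different build); compare file versions before trusting it.'
} else {
    'Temp copy is byte-identical to the installed, validly signed helper.'
}
```

A status of Valid means the file's hash matches its signature and the certificate chains to a trusted root on this machine; NotSigned or HashMismatch on a file dropped into a temp directory is the outcome that warrants escalation. Because the delete command in the poster's logs removes the temp copy within seconds, the practical lesson is to record the file hash at creation time rather than after the fact.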