7za is locking files! [edited by moderator]

New Here ,
Feb 16, 2017

I'm on an iMac using macOS 10.12.3, and Adobe Acrobat Professional 8.1.0.  It worked fine up to about 2 months ago when every once in a while I get the following message:

[Image: Screen Shot 2017-02-16 at 2.27.43 PM.jpg]

What does this mean, and how can I get rid of it?  I "terminate" and the program still seems to work, but when it pops up it is annoying.

Thanks.

New Here ,
Apr 11, 2017

RansomWhere.app displays the locking files message.  Its official name is RANSOMWHERE?.  7za is a file compression program with AES 256-bit encryption and password protection options.  If you don't like the warning, either uninstall RANSOMWHERE? or allow Adobe to run 7za.

  • $ sudo /Library/RansomWhere/RansomWhere -uninstall

When RANSOMWHERE? detects an untrusted app encrypting files, it displays a message with Allow and Terminate buttons.  Select Allow to let the app, 7za, run and to add it to RANSOMWHERE?'s trusted list.  Select Terminate to immediately kill the app.  Terminating the app does not add it to a malware list.  Each time the untrusted app runs, RANSOMWHERE? will report it.

Today RANSOMWHERE? reported Adobe was quickly encrypting files with 7za.  I clicked the Terminate button to give myself time to investigate.  I found a matching log entry by searching for 7za in all log files using the Console app: /Applications/Utilities/Console

  • 4/11/17 12:47:24.719 PM RansomWhere[100]: OBJECTIVE-SEE RANSOMWHERE?: /private/tmp/PKInstallSandbox.k1DOWF/Scripts/com.adobe.acrobat.AcrobatDCUpd1700920044.Xn23Ob/Tools/7za is quickly creating encrypted files

I didn't find information on what Adobe is compressing and encrypting with 7za.  I suspect that Adobe is actually running 7za for legitimate reasons.  If you find out, please update the post.

Note:

Reset RansomWhere if you change your mind about an app you Allow to run.

$ sudo /Library/RansomWhere/RansomWhere -reset

RANSOMWHERE: reset

   a) removed list of installed/approved binaries

   b) stopped, then (re)started the launch daemon
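
The log search described in the post above can be scripted. The following is an added example, not part of the original post and not code from RansomWhere: it parses alert lines in the format quoted above and reports which flagged binaries ran from an installer script directory. The sample lines other than the first, the function names, and the reading of the `PKInstallSandbox` path layout are assumptions.

```python
import re
from datetime import datetime

# Constructed sample. Line 1 is the entry quoted in the post; lines 2-3 are
# made up for this example (an unrelated message and a second alert).
SAMPLE_LOG = """\
4/11/17 12:47:24.719 PM RansomWhere[100]: OBJECTIVE-SEE RANSOMWHERE?: /private/tmp/PKInstallSandbox.k1DOWF/Scripts/com.adobe.acrobat.AcrobatDCUpd1700920044.Xn23Ob/Tools/7za is quickly creating encrypted files
4/11/17 12:47:25.101 PM ExampleDaemon[212]: unrelated message that mentions 7za
4/12/17 9:03:10.004 AM RansomWhere[100]: OBJECTIVE-SEE RANSOMWHERE?: /Users/example/Downloads/tool is quickly creating encrypted files
"""

# Alert format as it appears in the quoted log entry.
ALERT = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M) "
    r"RansomWhere\[(?P<pid>\d+)\]: OBJECTIVE-SEE RANSOMWHERE\?: "
    r"(?P<path>/.+) is quickly creating encrypted files$"
)
# Assumption: <package id>.<random suffix> under PKInstallSandbox.*/Scripts/,
# inferred from the single path in the post.
SANDBOX = re.compile(
    r"^/private/tmp/PKInstallSandbox\.[^/]+/Scripts/(?P<pkg>[^/]+)\.[^./]+/"
)

def parse_alerts(text):
    """Return one dict per RansomWhere alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT.match(line.strip())
        if m is None:
            continue
        path = m["path"]
        sandbox = SANDBOX.match(path)
        alerts.append({
            "time": datetime.strptime(m["ts"], "%m/%d/%y %I:%M:%S.%f %p"),
            "daemon_pid": int(m["pid"]),  # PID of RansomWhere, not of the flagged binary
            "binary": path,
            "name": path.rsplit("/", 1)[-1],
            "installer_pkg": sandbox["pkg"] if sandbox else None,
        })
    return alerts

def outside_installer(alerts):
    """Binaries that were not launched from an installer script directory."""
    return sorted({a["binary"] for a in alerts if a["installer_pkg"] is None})

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOG):
        print(a["time"], a["name"], a["installer_pkg"] or "(not an installer script)")
```

The grouping is context for deciding between Allow and Terminate, not a verdict on the binary.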

New Here ,
Apr 21, 2017

Many thanks. 

John5E8C LATEST
New Here ,
Aug 25, 2020

I am experiencing a similar issue. I am also using the RansomWhere threat detection app and I am receiving the message below. Is this a false positive?

 

proc: (12558) /bin/bash
sign: validly signed by Apple

files:
› /private/tmp/com.adobe.acrobat.updater/rollbackstore/Applications/Adobe Acrobat Reader DC.app/Contents/Plugins/AcroForm.acroplugin/Contents/Resources/da.lproj/Navigators/FormsDataCollection.nav
› /private/tmp/com.adobe.acrobat.updater/rollbackstore/Applications/Adobe Acrobat Reader DC.app/Contents/Plugins/AcroForm.acroplugin/Contents/Resources/de.lproj/Navigators/FormsDataCollection.nav
