Hello,
The recent Flash update appeared with a weird process chain in our antivirus: it shows the initial signed installer calling an unsigned installer which then scrapes LSASS memory. Is this normally the process that Flash should be installing with?
The antivirus shows the execution chain as:
CMD: FlashPlayerInstaller.exe -install -iv 9 (VirusTotal)
CMD: "C:\WINDOWS\system32\Macromed\Temp\{ED9F96DB-0F7C-4FE6-8D3E-DC481E02E23A}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 9 -au 4294967295 (VirusTotal, unsigned)
Reads LSASS memory (VirusTotal)
Thanks!
Thanks for reporting.
Is this a 32-bit or 64-bit system?
64-bit. I don't believe -skipARPEntry occurs when running the 32-bit version.
Thanks for confirming. We're investigating.
Hi Maria!
Is there any answer for this issue? I am also facing the same issue.
Hi,
I have sent you a private message. Please check your email and/or log onto the forums to view your messages.
--
Maria
Hello, can we please get an answer as to why Flash Player is scraping LSASS?
Hello Staff,
Would you guys be able to reply in public so we know the answer to this question?
I am also experiencing the same issue. One of my security tools has flagged this behavior from Adobe as suspicious. I doubt this indicates malicious behavior, but we need to be sure. So the bottom-line question is: Is this behavior intentional? It doesn't matter why it is done.
Thanks
I apologize for the late reply on this.
There were no private conversations on this issue beyond a message to the OP that they never replied to.
After further investigation we determined this is happening to the installers released in China region. We discovered the 64-bit payload is not signed, thus causing the error. A bug has been filed and this will be fixed in a future release. Measures are being implemented to detect this type of issue and prevent this from happening in the future.
If you're experiencing this outside of China, please provide the file name of the installer you are using and the geo-location you are located in.
Thank you, and we apologize for the inconvenience.
Thanks for getting back to us.
I hadn't noticed that OP reported InstallFlashPlayer.exe was unsigned. In my case both applications that launched are signed. So my question was simply about "InstallFlashPlayer reading LSASS memory". Should the installer be reading LSASS memory?
Sample of the log:
The application C:\Windows\SysWOW64\Macromed\Temp\{1CD4716A-617B-45B1-96E7-3D820B2111F0}\InstallFlashPlayer.exe attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory".
Thank you for the additional information. What geo-location are you in?
Please upload the installer file you are using and the entire log file to Document Cloud (How to share a file using Adobe Document Cloud) or some other file sharing service of your choice that doesn't require account log in.
Private message me the link to the uploaded files. To send a private message, click on my user_name link and then on the Message button link. For reference, include a link to this discussion topic (important so I don't have to go searching for context) in your private message.
I'll then forward the info to the installer engineer and we'll investigate further.
Thank you.
I see that happening on a machine I monitor in China. Is it normal for Flash Player to attempt to access LSASS?
Is there seriously no public answer to this question?
I am getting so tired of community forums where common questions are answered "out of band".
If you're installing in China, I imagine you need to go out of band.
Try changing the region settings, and the privacy settings as well.
Looks like an implant, like msblast on Win XP.
Change the protection level.
I would like some actually responsible person from Adobe to answer this question:
Are ALL official updates from Adobe Flash Player supposed to be SIGNED? By some CERT organization?
Or is this an utterly useless thing that every hacker knows how to fake?
Either way, I see some unsigned updates on my computer, and I wonder whether they ought to be deleted.
Likewise, I also wonder why neither Malwarebytes nor Avast Internet Security issues warnings about unsigned updates from Adobe Flash.
The whole website of Adobe.com does not show a single article about this. So, I ask again: Is there a single responsible person working at Adobe.com?
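A local triage script for the two questions raised in this thread (is the staged InstallFlashPlayer.exe actually signed, and did it open lsass.exe), added here as an example; it is not Adobe's code or the output of any tool mentioned above. It assumes Sysmon is installed and logging ProcessAccess (Event ID 10); the payload paths are the two quoted earlier in the thread.

```powershell
# Added example (not Adobe's code). Assumes Sysmon with ProcessAccess (Event ID 10) logging.
# Both payload locations quoted in this thread; a 64-bit host stages the 32-bit copy under SysWOW64.
$InstallerPaths = @(
    "$env:SystemRoot\System32\Macromed\Temp\*\InstallFlashPlayer.exe",
    "$env:SystemRoot\SysWOW64\Macromed\Temp\*\InstallFlashPlayer.exe"
)

# Authenticode check: signed at all, by whom, and does the chain validate?
# SHA256 is included so the file can be looked up on VirusTotal without uploading it.
function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer       = $sig.SignerCertificate.Subject
        Thumbprint   = $sig.SignerCertificate.Thumbprint
        Sha256       = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        # Requires a valid chain AND an Adobe subject; an unsigned or tampered payload fails this.
        TrustedAdobe = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'O=Adobe')
    }
}

# Sysmon Event ID 10: which process opened lsass.exe, with what access mask, and from where?
# GrantedAccess bit 0x10 is PROCESS_VM_READ, the right NtReadVirtualMemory needs.
function Get-LsassAccessEvents {
    param([string]$SourcePattern = 'InstallFlashPlayer\.exe$', [int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetImage -match 'lsass\.exe$' -and $data.SourceImage -match $SourcePattern) {
            $mask = [Convert]::ToInt32($data.GrantedAccess, 16)   # e.g. "0x1010"
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Source        = $data.SourceImage
                GrantedAccess = $data.GrantedAccess
                VmRead        = (($mask -band 0x10) -ne 0)
                CallTrace     = $data.CallTrace
            }
        }
    }
}

Get-ChildItem -Path $InstallerPaths -ErrorAction SilentlyContinue |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName } | Format-List
Get-LsassAccessEvents | Format-Table -AutoSize
```

An installer whose Status is NotSigned, or whose VmRead rows exist, is exactly the pairing the first post in this thread describes and is worth escalating rather than dismissing as a false positive.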
Here's a fun thread on an earlier version where the advice is that VirusTotal has all the answers and this **must** be a false positive, rather than an unnecessary read of protected memory.