Locked

FlashPlayerInstaller reading LSASS memory

New Here, Dec 06, 2018

Hello,

The recent flash update appeared with a weird process chain in our antivirus, it shows the initial signed installer calling an unsigned install which then scrapes LSASS memory.  Is this normally the process that Flash should be installing with?

The antivirus shows the execution chain as:

CMD: FlashPlayerInstaller.exe -install -iv 9 (VirusTotal link)

CMD: "C:\WINDOWS\system32\Macromed\Temp\{ED9F96DB-0F7C-4FE6-8D3E-DC481E02E23A}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 9 -au 4294967295 (VirusTotal link; unsigned)

Reads LSASS memory (VirusTotal link)

Thanks!

Topics: Download install

Views: 3.4K

Community Guidelines: Be kind and respectful, give credit to the original source of content, and search for duplicates before posting.

Adobe Employee, Dec 06, 2018

Thanks for reporting.

Is this a 32-bit or 64-bit system?

New Here, Dec 06, 2018

64-bit, I don't believe -skipARPEntry occurs when running the 32-bit version.

Adobe Employee, Dec 06, 2018

Thanks for confirming.  We're investigating.

New Here, Mar 23, 2019

Hi Maria!

Is there any answer for this issue? I am also facing the same issue.

Adobe Employee, Dec 11, 2018

Hi,

I have sent you a private message. Please check your email and/or log onto the forums to view your messages.

--

Maria

New Here, Apr 09, 2019

Hello, can we please get an answer as to why flashplayer is scraping lsass?

New Here, Apr 09, 2019

Hello Staff,

Would you guys be able to reply in public so we know the answer to this question?

I am also experiencing the same issue. One of my security tools has flagged this behavior from Adobe as suspicious. I doubt this indicates malicious behavior, but we need to be sure. So the bottom line question is: Is this behavior intentional? It doesn't matter why it is done.

Thanks

Adobe Employee, Apr 09, 2019

I apologize for the late reply on this.

There were no private conversations on this issue beyond a message to the OP that they never replied to.

After further investigation we determined this is happening to the installers released in the China region. We discovered the 64-bit payload is not signed, thus causing the error. A bug has been filed and this will be fixed in a future release. Measures are being implemented to detect this type of issue and prevent this from happening in the future.

If you're experiencing this outside of China, please provide the file name of the installer you are using and the geo-location you are located in.

Thank you, and we apologize for the inconvenience.

New Here, Apr 10, 2019

Thanks for getting back to us.

I hadn't noticed that OP reported InstallFlashPlayer.exe was unsigned. In my case both applications that launched are signed. So my question was simply about "InstallFlashPlayer reading LSASS memory". Should the installer be reading LSASS memory?

Sample of the log:

The application C:\Windows\SysWOW64\Macromed\Temp\{1CD4716A-617B-45B1-96E7-3D820B2111F0}\InstallFlashPlayer.exe attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory".

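A small triage routine for log lines in the format quoted in this post, added here as an example and not the security tool's or Adobe's own code: it extracts the actor, target and API from each line and combines that with an Authenticode verdict the caller supplies, so that the case the thread converges on (an unsigned staged payload reading LSASS) ranks above a signed one. The sample lines, the `signed` argument and the severity scale are constructed assumptions.

```python
import re

# Message format of the EDR log line quoted in the post (actor, target, API).
LOG_RE = re.compile(
    r'The application (?P<actor>.+?) attempted to read the memory of '
    r'"(?P<target>[^"]+)".*?by calling the function "(?P<api>[^"]+)"\.'
)
# Directory the Flash installer stages its payload in (both arch variants, per the thread).
STAGING_DIR = re.compile(r"\\macromed\\temp\\", re.IGNORECASE)
MEMORY_READ_APIS = {"NtReadVirtualMemory", "ReadProcessMemory"}

# Constructed sample lines: the first mirrors the thread's log, the second is benign noise.
SAMPLE_LOGS = [
    r'The application C:\Windows\SysWOW64\Macromed\Temp\{1CD4716A-617B-45B1-96E7-3D820B2111F0}'
    r'\InstallFlashPlayer.exe attempted to read the memory of "C:\Windows\System32\lsass.exe" '
    r'(potentially scraping memory), by calling the function "NtReadVirtualMemory".',
    r'The application C:\Program Files\Backup\agent.exe attempted to read the memory of '
    r'"C:\Windows\explorer.exe" (potentially scraping memory), by calling the function "ReadProcessMemory".',
]


def parse_event(line):
    """Return {'actor', 'target', 'api'} for a memory-read event line, else None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def triage(line, signed=None):
    """Score one log line.  `signed` is the Authenticode verdict for the actor file
    (True/False, None if not checked); the caller looks it up, e.g. with Get-AuthenticodeSignature."""
    ev = parse_event(line)
    if ev is None:
        return None
    reads_lsass = ev["target"].lower().endswith("\\lsass.exe") and ev["api"] in MEMORY_READ_APIS
    staged = bool(STAGING_DIR.search(ev["actor"]))
    reasons = []
    if reads_lsass:
        reasons.append("reads LSASS memory via " + ev["api"])
    if staged:
        reasons.append("actor runs from the installer staging directory")
    if staged and signed is False:
        reasons.append("staged payload is not Authenticode-signed")
    if reads_lsass and staged and signed is False:  # the combination the thread ends on
        severity = "high"
    elif reads_lsass:
        severity = "medium"  # signed or unverified: still worth a ticket
    elif staged:
        severity = "low"
    else:
        severity = "info"
    return {"severity": severity, "reasons": reasons, **ev}
```
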
Adobe Employee, Apr 10, 2019

Thank you for the additional information.  What geo-location are you in?

Please upload the installer file you are using and the entire log file to Document Cloud (How to share a file using Adobe Document Cloud) or some other file sharing service of your choice that doesn't require account log in.

Private message me the link to the uploaded files.  To send a private message, click on my user_name link and then on the Message button link.  For reference, include a link to this discussion topic (important so I don't have to go searching for context) in your private message.

I'll then forward the info to the installer engineer and we'll investigate further.

Thank you.

New Here, Feb 13, 2019

I see that happening on a machine I monitor in China. Is it normal for Flashplayer to attempt to access lsass?

Community Beginner, Mar 13, 2019

Is there seriously no public answer to this question?

I am getting so tired of community forums where common questions are answered "out of band".

Most Valuable Participant, Mar 14, 2019

If you're installing in China, I imagine you need to go out of band.

Community Beginner, Apr 09, 2019

Try changing the region settings, and the privacy settings as well.

Looks like a backdoor, like msblast on Win XP.

Change the protection level.

New Here, Sep 14, 2019

I would like some actually responsible person from Adobe to answer this question:

Are ALL official updates from Adobe Flashplayer supposed to be SIGNED? By some CERT organization?

Or is this an utterly useless thing that every hacker knows how to fake?

Either way, I see some unsigned updates on my computer, and I wonder whether they ought to be deleted.

Likewise, I also wonder why neither Malwarebytes nor Avast Internet Security issues warnings about unsigned updates from Adobe Flash.

The whole website of Adobe.com does not show a single article about this. So, I ask again: Is there a single responsible person working at Adobe.com?

Community Beginner, Jan 24, 2020

Here's a fun thread on an earlier version where the advice is that VirusTotal has all the answers and this **must** be a False Positive, rather than an unnecessary read of protected memory.

https://community.adobe.com/t5/flash-player/flashplayer-27-0-0-183-exe-installer-trying-to-access-ls...
