Installflashplayer.exe (potentially scraping memory)

New Here,
Jul 10, 2019

Greetings,

I've been receiving these notices through the Cb Defense service that Flash Player is trying to run/install, but the end users aren't trying to install anything. Here is the sequence of events leading up to the 'Potential scraping memory'.

Is this something I need to worry about?

Event Order / Event

1. The file C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe was first detected on a local disk. The device was on the corporate network using the public address ###.###.###.### (located in {Corporate Office Location}, United States). The file is signed and is part of Adobe Flash Player Installer/Uninstaller by Adobe. The file was created by the application C:\windows\syswow64\flashplayerinstaller.exe .
2. The application C:\windows\syswow64\flashplayerinstaller.exe invoked the application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe.
3. The application C:\windows\syswow64\flashplayerinstaller.exe attempted to invoke the application "C:\Windows\SysWOW64\Macromed\Temp\{5717F047-4307-4149-B4E1-99F8DC5D800B}\InstallFlashPlayer.exe", by calling the function "CreateProcessW". The operation was successful.
4. The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to enable executable memory, by calling the function "NtProtectVirtualMemory". The operation was successful.
5. The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to list all processes, by calling the function "NtQuerySystemInformation". The operation failed.
6. The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to open the process "System", by calling the function "OpenProcess". The operation was blocked by the operating system.
7. The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was blocked and the application terminated by Cb Defense.

Thank You for your time.

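A triage script over the event sequence quoted in the post above, added here as an example; it is not code from the original thread, from Adobe or from Carbon Black. It parses the seven Cb Defense sentences exactly as they appear in the post into structured events, checks that the file's creator and its launcher are the same process (the expected installer chain), records whether the file is reported as signed, and then rates each API call with an assumed severity table of my own, escalating any cross-process memory read of lsass.exe to critical regardless of the signature. The severity values, the `SENSITIVE_TARGETS` set and the verdict wording are assumptions, not Carbon Black policy.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the seven Cb Defense event sentences quoted in the post,
# one per entry, with the leading event-order number removed.
EVENTS = [
    r'The file C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe was first detected on a local disk. The device was on the corporate network using the public address ###.###.###.### (located in {Corporate Office Location}, United States). The file is signed and is part of Adobe Flash Player Installer/Uninstaller by Adobe. The file was created by the application C:\windows\syswow64\flashplayerinstaller.exe .',
    r'The application C:\windows\syswow64\flashplayerinstaller.exe invoked the application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe.',
    r'The application C:\windows\syswow64\flashplayerinstaller.exe attempted to invoke the application "C:\Windows\SysWOW64\Macromed\Temp\{5717F047-4307-4149-B4E1-99F8DC5D800B}\InstallFlashPlayer.exe", by calling the function "CreateProcessW". The operation was successful.',
    r'The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to enable executable memory, by calling the function "NtProtectVirtualMemory". The operation was successful.',
    r'The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to list all processes, by calling the function "NtQuerySystemInformation". The operation failed.',
    r'The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to open the process "System", by calling the function "OpenProcess". The operation was blocked by the operating system.',
    r'The application C:\windows\syswow64\macromed\temp\{5717f047-4307-4149-b4e1-99f8dc5d800b}\installflashplayer.exe attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was blocked and the application terminated by Cb Defense.',
]

# Patterns matching the three sentence shapes seen in the post.
FILE_RE = re.compile(r'^The file (?P<path>\S+) was first detected')
CREATOR_RE = re.compile(r'created by the application (?P<creator>\S+)\s*\.')
INVOKE_RE = re.compile(r'^The application (?P<actor>\S+) invoked the application (?P<target>\S+)\.$')
API_RE = re.compile(r'^The application (?P<actor>\S+) attempted to (?P<action>.+?), '
                    r'by calling the function "(?P<api>\w+)"\. The operation (?P<outcome>.+)\.$')

# Assumed triage policy (mine, not Carbon Black's): baseline severity per API, with
# memory reads of credential-holding processes escalated to critical.
BASE_SEVERITY = {'CreateProcessW': 'info', 'NtProtectVirtualMemory': 'low',
                 'NtQuerySystemInformation': 'medium', 'OpenProcess': 'medium',
                 'NtReadVirtualMemory': 'high'}
SENSITIVE_TARGETS = {'lsass.exe'}
RANK = ['info', 'low', 'medium', 'high', 'critical']


@dataclass
class Event:
    kind: str              # 'file', 'invoke' or 'api'
    actor: str = ''        # process performing the action (or creator of the file)
    target: str = ''       # file, process or path acted upon
    api: str = ''
    action: str = ''
    outcome: str = ''
    signed: bool = False


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def parse_event(line: str) -> Event:
    """Turn one Cb Defense event sentence into a structured Event."""
    m = FILE_RE.match(line)
    if m:
        c = CREATOR_RE.search(line)
        return Event('file', actor=c.group('creator') if c else '', target=m.group('path'),
                     signed='The file is signed' in line)
    m = INVOKE_RE.match(line)
    if m:
        return Event('invoke', actor=m.group('actor'), target=m.group('target'))
    m = API_RE.match(line)
    if m:
        quoted = re.search(r'"([^"]+)"', m.group('action'))
        return Event('api', actor=m.group('actor'), target=quoted.group(1) if quoted else '',
                     api=m.group('api'), action=m.group('action'), outcome=m.group('outcome'))
    raise ValueError('unrecognised event text: ' + line[:60])


def severity_of(e: Event) -> str:
    sev = BASE_SEVERITY.get(e.api, 'medium')
    if e.api == 'NtReadVirtualMemory' and basename(e.target) in SENSITIVE_TARGETS:
        sev = 'critical'   # reading LSASS memory is credential-theft behaviour, signed or not
    return sev


def triage(lines: List[str]) -> Dict[str, object]:
    events = [parse_event(l) for l in lines]
    files = [e for e in events if e.kind == 'file']
    invokes = [e for e in events if e.kind == 'invoke']
    apis = [e for e in events if e.kind == 'api']

    signed = any(e.signed for e in files)
    # The process that wrote the file should be the same one that launched it.
    chain_consistent = all(
        any(basename(i.actor) == basename(f.actor) and basename(i.target) == basename(f.target)
            for i in invokes) for f in files)
    findings = [{'api': e.api, 'target': e.target, 'outcome': e.outcome,
                 'severity': severity_of(e)} for e in apis]
    max_sev = max((f['severity'] for f in findings), key=RANK.index, default='info')
    contained = any('terminated' in e.outcome for e in apis)

    if RANK.index(max_sev) >= RANK.index('high'):
        verdict = 'escalate'   # a valid Adobe signature does not explain an LSASS read
    elif signed and chain_consistent:
        verdict = 'likely false positive: verify hash with vendor, then tune or allow-list'
    else:
        verdict = 'investigate'
    return {'signed': signed, 'chain_consistent': chain_consistent, 'max_severity': max_sev,
            'contained': contained, 'verdict': verdict, 'findings': findings}


if __name__ == '__main__':
    result = triage(EVENTS)
    for f in result['findings']:
        print(f"{f['severity']:8} {f['api']:24} {f['target'] or '-'}  [{f['outcome']}]")
    print('signed:', result['signed'], '| parent chain consistent:', result['chain_consistent'])
    print('verdict:', result['verdict'])
```

The point of separating the chain check from the API rating is that they answer different questions: a signed binary launched by the expected parent is what makes the alert plausible as a false positive, but event 7 is the one that decides the verdict, since no installer has a legitimate reason to read lsass.exe memory. Until the binary's hash has been confirmed with the vendor, the script keeps the verdict at escalate rather than allow-listing on the strength of the signature alone.
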
Adobe Employee,
Aug 14, 2019

Carbon Black has definitely been throwing some false positives related to Flash Player installation in our corporate environment (although most recently that was on Mac).  We've been working with them to whitelist Flash binaries to prevent erroneous notifications.

Assuming that you're confident that you got the installers from Adobe and they're legitimate, then you might talk to Carbon Black about what, if anything, needs to be done to address the false positives or tune the notifications to filter these out.

If your users are installing Flash Player ad-hoc, there *are* ways to prevent that, and to manage Flash Player updates in the enterprise.

Details are in the Flash Player system administrator's guide, here:

Adobe Flash Player Administration Guide for Flash Player | Adobe Developer Connection
