
PDF/TrojanDropper.Agent.AH False Positive?


We just started noticing that in the last few hours every computer on our network with Adobe Acrobat DC is reporting that it has files infected with the PDF/TrojanDropper.Agent.AH trojan. A quick look on Virus Radar shows that this definition was added/updated today, and it looks like it is a false positive. ESET is flagging the installer files for Adobe Acrobat DC as having this infection, along with files in the local user profiles that were also placed there by Adobe. The log files are showing hits on:

C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf28 - PDF/TrojanDropper.Agent.AH trojan

C:\Users\username\AppData\LocalLow\Adobe\Acrobat\2015\Acrobat\Synchronizer\resources\resource-18 - PDF/TrojanDropper.Agent.AH trojan

Anyone else seeing this and is this a false positive?

Edited by rockshox

Joined to reply to this thread.

We've got the same issue. Hundreds of files have been deleted off our file server due to this update. We're currently trying to get by somehow, possibly by adding PDFs as an exception temporarily.

We've copied a few of the PDFs that were flagged onto a computer with ESET real-time protection disabled, and the PDFs open fine. Scanning with other utilities shows the PDFs are clean.


This just started happening to us as well. Two machines so far have detected it. It also appears to be detected in older versions of Adobe. The Data1.cab file is flagged. ESET does not provide the option to clean, only delete.

C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf15 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template2.pdf16 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template1.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template2.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template1.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template2.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template1.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template2.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template2.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion

 

Edited by Jonas

We are also getting the same alert from ESET, but on Acrobat Professional:

C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-7760-000000000006}\Data1.cab » CAB » template3.pdf15 - PDF/TrojanDropper.Agent.AH trojan

The above file shows a last modification date of 2012.


My company started seeing this today as well. It seems to affect all versions of Adobe that we have: 10, 11, and DC.

This is just a setup file too; the functionality of Acrobat is not impacted at all, as far as we've seen.

C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-7760-000000000006}\Data1.cab - PDF/TrojanDropper.Agent.AH trojan

Edited by bhicks

I am having the same thing, but using NOD32. I have been running multiple daily scans on the same directory for the past few months with no positives. This appears to be a false positive:

Version of virus signature database: 15520 (20170602)
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template3.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template1.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template3.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template3.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template1.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template3.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template1.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf16 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template3.pdf15 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion

Edited by Urashima Taro
  • Administrators

We confirm a false positive. Updates were stopped minutes ago, and a new version of the Rapid Response module will be released momentarily. We're also investigating possibilities of restoring the affected files from quarantine automatically.


Also seeing it here with DC. I don't see any PDFs deleted yet, just the templates.

I wonder if this will require a reinstall of DC to get the templates back, or how much it matters on a practical level...


Same issue... My file server just came up with over 1,000 of these, all on PDFs of varying ages (3 years old to 1 week old). It's disabled now, but an easy mode of restoring would be awesome, as my Remote Admin Console is telling me that a ton of users' computers are reporting and doing the same thing now.


Marcos - We would definitely be interested in the files being restored, particularly Data1.cab. The setup files in that folder are crucial to being able to deploy future Acrobat updates. It appears that the files were only removed on some of our users' computers, and our guess is that this is due to what the end user selected from the ESET "Threats Found" dialog box.

  • Administrators

You can already do it from ERA by sending a quarantine management task to restore files by detection name as follows:

[screenshot: era6_qurantine_restore_by_name.png, the ERA quarantine management task set to restore files filtered by detection name]

We will do our best to restore the affected files for all users automatically within the next few hours.

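Added example for this thread (not ESET or ERA code): before or after pushing the quarantine task Marcos describes, an admin usually wants to know which on-disk files the detection actually hit. The script below parses scan-log lines in the layout quoted earlier in the thread, collapses the many archive-member hits (Data1.cab » CAB » template3.pdf28, ...) down to the distinct files ESET would have quarantined or deleted, and lists them per detection name. The field layout (" - " separators, " » " between an archive and its member) is assumed from the quoted lines, and the sample log embedded in the script is constructed; the action texts on its last two lines are made up for contrast, not quoted from ESET.

```python
"""Triage an ESET scan log for one detection name.

Added example for this thread, not ESET or ERA code. It reads log lines in
the layout quoted above, collapses archive-member hits
(Data1.cab » CAB » template3.pdf28 ...) down to the on-disk files that were
actually acted on, and lists those per detection name, so an admin can check
what a "restore by detection name" quarantine task should bring back.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

FP_NAME = "PDF/TrojanDropper.Agent.AH trojan"   # the detection this thread is about

# "Version of virus signature database: 15520 (20170602)" as quoted in the thread
DB_VERSION_RE = re.compile(r"^Version of virus signature database:\s*(\d+)\s*\((\d+)\)")
# A scanned object starts with a drive letter or a UNC prefix
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")
# Separator ESET puts between an archive and the member inside it (assumed from the log)
ARCHIVE_SEP = " » "


@dataclass(frozen=True)
class Hit:
    container: str   # on-disk file ESET acts on (the .cab, the .pdf, ...)
    member: str      # path inside the archive, "" for a plain file
    name: str        # detection name, e.g. PDF/TrojanDropper.Agent.AH trojan
    action: str      # trailing action text, "" if the line has none


def parse_line(line):
    """Return a Hit for a detection line, or None for any other line.

    Assumption about the format: fields are separated by " - ", the object
    comes first, a detection name never contains " - " (the action text may).
    """
    parts = line.rstrip("\r\n").split(" - ")
    if len(parts) < 2 or not PATH_RE.match(parts[0]) or not parts[1]:
        return None
    container, _, member = parts[0].partition(ARCHIVE_SEP)
    return Hit(container, member, parts[1], " - ".join(parts[2:]))


def parse_log(text):
    """Parse a whole log; returns (signature DB version or None, [Hit, ...])."""
    db_version, hits = None, []
    for line in text.splitlines():
        m = DB_VERSION_RE.match(line)
        if m:
            db_version = int(m.group(1))
        else:
            hit = parse_line(line)
            if hit is not None:
                hits.append(hit)
    return db_version, hits


def files_for_detection(hits, name):
    """Distinct on-disk files flagged under one detection name, sorted."""
    return sorted({h.container for h in hits if h.name == name})


def summarize(hits):
    """Map detection name -> (number of hit lines, number of distinct files)."""
    lines, files = defaultdict(int), defaultdict(set)
    for h in hits:
        lines[h.name] += 1
        files[h.name].add(h.container)
    return {n: (lines[n], len(files[n])) for n in lines}


# Constructed sample in the thread's log layout: two members of the same
# Data1.cab, a profile file, a file-server PDF, and an unrelated detection
# for contrast. Action texts on the last two lines are made up.
SAMPLE_LOG = r"""Version of virus signature database: 15520 (20170602)
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template3.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Users\username\AppData\LocalLow\Adobe\Acrobat\2015\Acrobat\Synchronizer\resources\resource-18 - PDF/TrojanDropper.Agent.AH trojan
\\fileserver\finance\invoice-2017.pdf - PDF/TrojanDropper.Agent.AH trojan - deleted (constructed action text)
C:\Temp\eicar.com - Eicar test file - deleted (constructed action text)
"""

if __name__ == "__main__":
    version, hits = parse_log(SAMPLE_LOG)
    print("signature DB version:", version)
    for name, (n_lines, n_files) in summarize(hits).items():
        print(f"{name}: {n_lines} hit line(s) in {n_files} on-disk file(s)")
    for path in files_for_detection(hits, FP_NAME):
        print("  ", path)
```

On a real machine, feed `parse_log` the exported scan log text (ESET exports are often UTF-16, so open the file with the matching encoding) and compare `files_for_detection(hits, FP_NAME)` against what the ERA restore task actually brought back; anything still missing, such as a Data1.cab under Setup Files, is what needs a manual restore or a reinstall.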

Do we need to wait for the AV signature DB to be released before pushing this task, or will that filter exempt the files from being re-deleted?

(Also, thank you. My ERA knowledge isn't very strong.)
