rockshox 7 Posted June 2, 2017

We just started noticing that in the last few hours every computer on our network with Adobe Acrobat DC is reporting that they have files that are infected with PDF/TrojanDropper.Agent.AH Trojan. A quick look on Virus Radar shows that this definition was added/updated today and it looks like it is a false positive. ESET is flagging the installer files for Adobe Acrobat DC as having this infection along with files in the local users profiles also placed there by Adobe. The log files are showing hits on:

C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf28 - PDF/TrojanDropper.Agent.AH trojan
C:\Users\username\AppData\LocalLow\Adobe\Acrobat\2015\Acrobat\Synchronizer\resources\resource-18 - PDF/TrojanDropper.Agent.AH trojan

Anyone else seeing this and is this a false positive?

Edited June 2, 2017 by rockshox

GeorgeFayad 0 Posted June 2, 2017

Joined to reply to this thread. We've got the same issue. Hundreds of files have been deleted off our file server due to this update. We're currently trying to get by somehow, possibly adding PDFs as an exception temporarily. We've copied a few of the PDFs that were flagged onto a computer with ESET real-time disabled and the PDFs open fine. Scanning with other utilities shows the PDFs are clean.

Jonas 0 Posted June 2, 2017

This just started happening to us as well. Two machines so far detected it. It appears to also be detected in older versions of Adobe. Data1.cab file is flagged. ESET does not provide the option to clean, only delete.

C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf15 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template2.pdf16 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template1.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template2.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template1.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template2.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template1.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template2.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template2.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion

Edited June 2, 2017 by Jonas

nikejayr 0 Posted June 2, 2017

We are seeing the same thing.

OBJECT URI hxxp://trustlist.adobe.com/tl10.acrobatsecuritysettings

MBAnk 0 Posted June 2, 2017

We are also getting the same alert from ESET, but on Acrobat Professional:

C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-7760-000000000006}\Data1.cab » CAB » template3.pdf15 - PDF/TrojanDropper.Agent.AH trojan

The above file shows last modification date as 2012.

bhicks 0 Posted June 2, 2017

My company started seeing this today as well. It seems to affect all versions of Adobe that we have, 10, 11, and DC. This is just a setup file too, the functionality of Acrobat is not impacted at all that we've seen.

C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-7760-000000000006}\Data1.cab PDF/TrojanDropper.Agent.AH trojan

Edited June 2, 2017 by bhicks

Urashima Taro 0 Posted June 2, 2017

I am having the same thing but using NOD32. I have run multiple daily scans on the same directory for the past few months with no positives. This appears to be a false positive:

Version of virus signature database: 15520 (20170602)

C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template3.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template1.pdf26 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template3.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template3.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template1.pdf27 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template3.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template1.pdf25 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template2.pdf16 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-BA7E-000000000006}\Data1.cab » CAB » template3.pdf15 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion

Edited June 2, 2017 by Urashima Taro

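An added example, not part of any post in this thread and not ESET tooling: a small Python parser for scan-log lines in the format quoted above. It aggregates hits by detection name, Acrobat version and file, so the scope of a suspected false positive is visible before anything is restored from quarantine. The field names and the `other` bucket are assumptions of this example.

```python
import re
from collections import Counter

# Sample lines in the shape quoted in the thread (paths as posted there).
SAMPLE_LOG = r"""
C:\Program Files (x86)\Adobe\Acrobat 2015\Setup Files\{AC76BA86-1033-FFFF-7760-0E0F06755100}\Data1.cab » CAB » template3.pdf28 - PDF/TrojanDropper.Agent.AH trojan - action selection postponed until scan completion
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-7760-000000000006}\Data1.cab » CAB » template3.pdf15 - PDF/TrojanDropper.Agent.AH trojan
C:\Users\username\AppData\LocalLow\Adobe\Acrobat\2015\Acrobat\Synchronizer\resources\resource-18 - PDF/TrojanDropper.Agent.AH trojan
C:\Program Files (x86)\Adobe\Acrobat 11.0\Setup Files\{AC76BA86-1033-FFFF-7760-000000000006}\Data1.cab PDF/TrojanDropper.Agent.AH trojan
"""

# <object> [- ] <detection> <type> [- <action>]; paths use "\", so "word/" starts the name.
LINE_RE = re.compile(
    r"^(?P<obj>.+?)\s+(?:-\s+)?(?P<det>\w+/[\w.]+)\s+(?P<kind>\w+)"
    r"(?:\s+-\s+(?P<action>.+))?$"
)
PRODUCT_RE = re.compile(r"\\Adobe\\(Acrobat [^\\]+)\\")


def parse_line(line):
    """Split one scan-log line into file, archive member, detection and action."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    chain = [part.strip() for part in m["obj"].split("»")]  # file » type » member
    return {
        "file": chain[0],
        "member": chain[-1] if len(chain) > 1 else None,
        "detection": m["det"],
        "action": m["action"],
        "product": (PRODUCT_RE.findall(chain[0]) or ["other"])[0],
        "installer": "\\Setup Files\\" in chain[0],
    }


def summarize(log_text):
    """Aggregate hits so the scope of one detection name is visible at a glance."""
    hits = [h for h in map(parse_line, log_text.splitlines()) if h]
    return {
        "hits": len(hits),
        "detections": Counter(h["detection"] for h in hits),
        "products": Counter(h["product"] for h in hits),
        "files": sorted({h["file"] for h in hits}),
        "installer_hits": sum(h["installer"] for h in hits),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A single detection name appearing across several product versions, mostly inside vendor-shipped installer archives, matches what the posters describe; the summary is a triage aid and does not by itself prove a file is clean.
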
Administrators Marcos 5,407 Posted June 2, 2017

We confirm false positive. Updates were stopped minutes ago and a new version of the Rapid response module will be released momentarily. We're also investigating possibilities of restoring the affected files from quarantine automatically.

bjfitzwater 0 Posted June 2, 2017

Also seeing it here with DC. I don't see any PDFs deleted yet, just the templates. I wonder if this will require a reinstall of DC to get the templates back or how much it matters on a practical level...

ajvau 0 Posted June 2, 2017

Same issue... My file server just came up with over 1,000 of these all on PDFs of varying degrees of age (3 years old to 1 week old). It's disabled now, but an easy mode of restoring would be awesome as my Remote Admin Console is telling me that we have a ton of users' computers reporting and doing the same thing now.

rockshox 7 Posted June 2, 2017 Author

Marcos - We would definitely be interested in the files being restored, particularly the data1.cab. The setup files in that folder are crucial to being able to deploy future Acrobat updates. It appears that the files were only removed on some of our users' computers and our guess is this is due to what the end user selected from the ESET "Threats Found" dialog box.

Administrators Marcos 5,407 Posted June 2, 2017

You can already do it from ERA by sending a quarantine management task to restore files by detection name as follows:

We will do our best to restore the affected files for all users automatically within the next few hours.

ajvau 0 Posted June 2, 2017

Do we need to wait for the AV signature DB to be released before pushing this task or will that filter exempt it from re-deleting it? (Also, thank you. My ERA knowledge isn't very strong.)

schuetzdentalCB 8 Posted June 3, 2017

For me it looks like restoring via Client Task + rescanning worked. No detection anymore. Hope it stays the same after our clients log in on Tuesday.