TDR and Adobe ARM
Has anyone else experienced any issues between TDR and Adobe ARM?
TDR has been marking Adobe ARM .tmp files as suspicious.
Comments
Hi @BrianSteingraber
Thanks for writing.
I don't see any reports of it on our (TDR) side; however, looking around Adobe's forums, it looks like other software may be doing the same thing. See:
https://forums.adobe.com/thread/2457657
The top comment there is from Adobe staff mentioning that this looks like an updater service. If that's the same thing, you can make an exclusion for it using the directions here:
(Configure TDR Exclusions)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_exclusions_c.html
If you'd like more info, or to have this investigated more deeply, I'd suggest opening a case using the support center link on the top right of this page.
Thank you,
-James Carson
WatchGuard Customer Support
@James_Carson, what are the chances that the WatchGuard Threat Feed for these temp files is updated? After all, this is a False Positive it appears.
Hi @BrianSteingraber
I don't have any information on that with the information provided. If you'd like a more definitive answer, our technicians will have to take a look at the file via a case.
Thank you,
-James Carson
WatchGuard Customer Support
Good morning all. If the files that are causing issues here were marked as Heuristics: Suspicious and Threat Feed: Not Matched, then they are not on our Threat Feed, which is why they were not Quarantined. If these files are an annoyance, you can add an exclusion for the directory. Also, these files are eligible for submission to APT Blocker. Most times APT Blocker will make a final determination on whether the file was clean or a real threat. All you need to do is be at Cybercon 4 or below and these files will get automatically submitted to APT Blocker.
Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
WatchGuard Technologies, Inc.
@Ricardo_Arroyo,
These files are marked as Threat Feed: MATCHED (Source: WatchGuard)
@BrianSteingraber Please put in a Support Case and attach the MD5s. If they are indeed false positives, we need to evaluate them. In the meantime you can whitelist that one so it no longer triggers an indicator. In all honesty, though, if I were in your shoes I would not trust those files without doing more research on them. I also would not whitelist them or exclude the directory until I can confirm they are benign.
Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
WatchGuard Technologies, Inc.
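Added example, not part of this thread or of WatchGuard's tooling: a PowerShell script that gathers what the replies above ask for before anyone decides on an exclusion, namely the MD5 of each flagged .tmp file for the support case, plus a SHA-256 and the Authenticode signature status so you can do the "more research" Ricardo recommends. The directory path is an assumed placeholder; set it to the folder TDR reported.

```powershell
# Added example (not from the thread): collect hashes and signature state for the
# .tmp files TDR flagged, so they can be attached to a support case and reviewed
# before any whitelist or directory exclusion is created.
param(
    # Placeholder (assumption): replace with the directory shown in the TDR indicator.
    [string]$Path   = 'C:\PATH\TO\FLAGGED\ARM\TEMP',
    [string]$Report = "$env:USERPROFILE\tdr-arm-tmp-report.csv"
)

# Updater temp files can be short-lived, so run this while the indicator is fresh.
$rows = Get-ChildItem -Path $Path -Filter '*.tmp' -File -Recurse -ErrorAction Stop |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            SizeBytes = $_.Length
            Modified  = $_.LastWriteTimeUtc.ToString('u')
            # MD5 is what support asked for in the case.
            MD5       = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            # SHA-256 is the stronger identifier to keep in your own notes.
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # Valid / NotSigned / HashMismatch etc. An unsigned or mismatched
            # file from a vendor that normally signs its binaries deserves a closer look.
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

$rows | Export-Csv -Path $Report -NoTypeInformation
$rows | Format-Table File, MD5, SigStatus, Signer -AutoSize
Write-Host "Wrote $($rows.Count) entries to $Report"
```

Attach the CSV to the case; a Signer that matches the updater's vendor and a SigStatus of Valid supports the false-positive theory, while NotSigned or HashMismatch is a reason to hold off on the exclusion.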