TDR and Adobe ARM

Has anyone else experienced any issues between TDR and Adobe ARM?
TDR has been marking Adobe ARM .tmp files as suspicious.

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @BrianSteingraber

    Thanks for writing.

    I don't see any reports of it on our (TDR) side, however, looking around adobe's fourms, it looks like other software may be doing the same thing. See:
    https://forums.adobe.com/thread/2457657

    The top comment there is from Adobe staff mentioning that this looks like an updater service. If that's the same thing, you can make an exclusion for it using the directions here:

    (Configure TDR Exclusions)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_exclusions_c.html

    If you'd like more info, or to have this investigated more deeply, I'd suggest opening a case using the support center link on the top right of this page.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • @James_Carson, what are the chances that the WatchGuard Threat Feed for these temp files is updated? After all, this is a False Positive it appears.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @BrianSteingraber

    I don't have any information on that with the information provided. If you'd like a more definitive answer, our technicians will have to take a look at the file via a case.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Ricardo_ArroyoRicardo_Arroyo WatchGuard Representative

    Good morning all. If the files that are causing issue here were marked as Heuristics: Suspicious and Threat Feed: Not Matched then it is not on our Threat Feed, which is why it was not Quarantined. If these files are an annoyance you can add an exclusion for the directory. Also, these files are eligible for submission to APT Blocker. Most times APT blocker will make a final determination on whether the file was clean or a real threat. All you need to do is be in at Cybercon 4 or below and these files will get automatically submitted to APT Blocker.

    Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

  • @Ricardo_Arroyo,
    These files are marked as Threat Feed: MATCHED (Source: WatchGuard)

  • Ricardo_ArroyoRicardo_Arroyo WatchGuard Representative

    @BrianSteingraber Please put in a Support Case and attach the MD5s. If they are indeed false positives, we need to evaluate them. In the mean time you can whitelist that one so it no longer triggers an indicator. In all honesty though If I were in your shoes I would not trust those files without doing more research on them. I also would not Whitelist them or exclude the directory until I can confirm they are benign.

    Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

Sign In to comment.