
Probable false positive - Adobe Premiere Elements


3 replies to this topic

#1 jconde

jconde

    New Member

  • Members
  • 3 posts
  • OS:Windows XP
  • AV:microsoft
  • HIPS:OA Free

Posted 29 December 2011 - 05:20 PM

The attached files show warnings that I receive when running Adobe Premiere Elements. As you can see, OA recognizes that both files are signed by Adobe but still gives warnings that the files are dangerous. I've redownloaded the files and confirmed that they are unmodified from the ones that Adobe is distributing.

John

#2 Rob R.

Rob R.

    Forum Regular

  • Emsisoft Employee
  • 982 posts
  • Location:Netherlands
  • OS:Other Windows version
  • AV:Emsisoft Anti-Malware
  • HIPS:Online Armor

Posted 30 December 2011 - 12:06 PM

jconde,

The signature is blacklisted and that causes the warning. There's nothing wrong with the files signed by Adobe, but signed installers (especially Flash installers signed by Adobe) are also used to install malware.
Here is a nice blog post that explains how malware is installed by signed installers.

For that reason the signature is blacklisted, so OA will show the extra warning.

#3 jconde

jconde

    New Member

  • Members
  • 3 posts
  • OS:Windows XP
  • AV:microsoft
  • HIPS:OA Free

Posted 30 December 2011 - 05:41 PM

I understand the problem with malicious DLLs, but I don't see what that has to do with the particular problem I'm having.

Are you saying that a malicious DLL was detected piggybacking on the signed installer? If so, why doesn't the warning say that?

Or are you saying that all Adobe signatures have been blacklisted because someone might bundle a malicious DLL with an Adobe product?

#4 Andrew F.

Andrew F.

    Developer

  • Emsisoft Employee
  • 825 posts
  • AV:Emsisoft Anti-Malware
  • HIPS:Online Armor

Posted 31 December 2011 - 01:49 AM

Hello JConde,

The Adobe certificate was blacklisted.
This means that OA will not TRUST (mark as Trusted) any executable files signed with this certificate.

As for why the particular executable is being marked as "Not Trusted":

Could you please delete the entry for it in the "Programs", enable debug mode, reproduce the issue and send the debug logs to oasupport (at) emsisoft (dot) com with a link to this thread in the message body? I can't tell you why it was marked "Not Trusted" without logs.

KB article about OA logs: http://support.emsis...mor-debug-logs/

Thank you in advance and have a good New Year
Best regards,

Andrey Fedorinin [Development]
Emsisoft Team - www.emsisoft.com



