skypilotpete

Adobe file listed as dangerous - I'm still confused


I've recently been finding that a variety of websites want me to install flashutil11e_activex.exe. This morning, in the course of startup, OA popped up saying that flashutil11e_activex.exe was trying to install itself, and asking me to decide what to do about it. I did a whole lot of googling, and everything seemed to indicate that it is a legitimate and safe Adobe product, so I allowed it. OA immediately popped up another red warning saying "Dangerous module is about to be loaded" - C:\Users\Me\AppData\Local\Temp\7D78.tmp. All the details listed clearly related to Adobe products, yet the OA warning was unequivocal "Online Armor has detected that this file is a virus or a dangerous program".

I then looked it up in the OA file database, where it was listed as safe, with no indication that it has ever been found in an unsafe form.

I have searched this forum, and read the explanation that some malware is forging Adobe signatures, hence just because it seems to be signed by Adobe, doesn't mean that it is necessarily safe.

However, I still don't understand why the OA warning for this file is so unequivocal - no "may be dangerous", but "this file is a virus or dangerous program - it is highly recommended that you block this action". Given that the OA file database lists it as safe, wouldn't a "check further before making a decision" be more warranted?

Also, I would have expected the OA file database to list the file locations where a legitimate file would be expected to reside, as this gives some guidance as to whether a file is legitimate or not. Is there some reason that OA does not do this?

Having found the suspect file in the OA database listed as safe, I then scanned it with Microsoft Security Essentials, Superantispyware Pro and Malwarebytes, all of which found no problems. Can I be confident that these steps are sufficient to decide that this, or any other flagged item, is safe to allow?

I run Windows 7 64 (home), OA Premium 5.5.0.1557


Can you upload the file in question to VirusTotal and then post the link to the analysis for us?

The link is: https://www.virustotal.com/file/0f1e7e93af3afd25c3079bef7fcb387aa64b764760347314f50f174e25589680/analysis/1330473104/

I look forward to hearing what this means - it's gibberish to me - except that none of the scanners seem to indicate that it is a problem.


Could you also upload the flashutil11e_activex.exe file to VirusTotal and post a link to the analysis?

Also, could you get us a screenshot of the notification you are seeing that says "this file is a virus or dangerous program - it is highly recommended that you block this action"? If you don't know how to take a screenshot, then here's a link to instructions.


Here is the Virus Total link: https://www.virustot...sis/1330559522/

I unblocked flashutil11e_activex.exe in OA and ran it. The attached screenshot shows the warning. It appears that it generates a differently named .tmp file each time. This time it was DF48.tmp. Last time it was 7D78.tmp.


My apologies. For some reason I did not see your reply.

Checking the MD5 and SHA1 hashes that VirusTotal generated against our database shows that the file is most likely legit. I'll ask some of our developers to look at this, as it may be a false positive. ;)

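The check described in the reply above (identify the dropped file by its content hashes rather than by its random .tmp name) as an added example, not Online Armor's own code; the allowlist hash and the payload bytes are constructed for this illustration and are not real Adobe values:

```python
"""Hash-based triage of a randomly named temp file, as in this thread:
the installer writes 7D78.tmp one run and DF48.tmp the next, so a
name- or path-based rule never matches, but the bytes (and therefore
the MD5/SHA1/SHA256 digests) are identical across runs.
The allowlist and payload below are constructed sample values."""
import hashlib
import os
import secrets
import tempfile


def file_hashes(path):
    """Return md5, sha1 and sha256 hex digests, streaming in 64 KiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest()}


def classify(path, allowlist):
    """Verdict keyed on SHA-256 of the content; the file name is ignored."""
    digests = file_hashes(path)
    label = allowlist.get(digests["sha256"])
    return ("known-good" if label else "unknown"), label, digests


def drop_temp_copy(payload, directory):
    """Mimic the installer: write payload under a random 4-hex-digit .tmp name."""
    name = secrets.token_hex(2).upper() + ".tmp"  # e.g. 7D78.tmp, DF48.tmp
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(payload)
    return path


def demo():
    """Two drops of the same payload classify identically; a tampered copy does not."""
    payload = b"constructed sample installer payload (not a real binary)"
    # Constructed allowlist: vendor-published hash -> description (made up here).
    allowlist = {hashlib.sha256(payload).hexdigest(): "sample installer helper"}
    with tempfile.TemporaryDirectory() as tmp:
        v1 = classify(drop_temp_copy(payload, tmp), allowlist)
        v2 = classify(drop_temp_copy(payload, tmp), allowlist)
        v3 = classify(drop_temp_copy(payload + b"x", tmp), allowlist)
    return v1[0], v2[0], v1[2] == v2[2], v3[0]
```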

OK, a quick chat with Fabian has revealed that this is an issue with Online Armor that our developers are already aware of. A quick check of our bug tracker shows that the issue is already fixed. I assume the fix will be included in the next program update to Online Armor, however I have not spoken to Andrey to confirm that. ;)



Just a quick follow up: I have just spoken to Andrey and he has confirmed the following information:

  • The fix will be tested in our next internal beta.
  • There is currently no ETA on a public release.
  • For now, simply mark the installer as Trusted and as an Installer in Online Armor to bypass the issue.
  • If proper rules are set up in Online Armor for the installer, then the temp file should be ignored.


I have a new laptop and last night a web site said I needed Flash, so I started to download it and OA displayed the message as shown earlier in this thread. My OA appears to be up to date. Does this mean this is still an OA problem, or is this something different? This thread and problem seems to date from February???
