Author Topic: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE  (Read 8993 times)

Dewg

  • Guest
False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« on: March 04, 2011, 11:55:00 PM »
From the log file:

SYSTEM   1300   Sign of "Win32:Malware-gen" has been found in "C:\ProgramData\Adobe\Acrobat\9.2\ARM\Elevator.exe" file.

All my new systems are experiencing this now.  New systems (fresh install of Windows 7), install Adobe Acrobat 9.0 (reader or Standard).  It automatically downloads Acrobat 9.2 as an update.  After restarting - Acrobat's automatic update begins downloading several packages to update to latest version 9.4.2.  Once it has those packages downloaded in the background, the update software runs "ELEVATOR.EXE" (which is also downloaded with the other packages by ARM - the Adobe update manager) to notify the user of the updates.

That final notification is being falsely ID'd as "Malware-gen" so the updates fail.

I've submitted the file a few times - but when the ARM fails, it deletes the packages (including the Elevator.exe), so I'm not sure it's getting sent to Avast.

Please look into this and fix in the next available update as it's causing panics throughout the company with new users.

Thanks!

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33903
  • malware fighter
Re: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« Reply #1 on: March 05, 2011, 12:00:41 AM »
Read here: http://www.prevx.com/filenames/1245534800640107916-X1/ELEVATOR.EXE.html
and
http://www.file.net/process/elevator.exe.html
the risks are given here, the file is almost certainly safe....
: http://www.backgroundtask.eu/Systeemtaken/taakinfo/48028/Elevator.exe/
via this link click through on file versions via the blue question mark button

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

frinklabs

  • Guest
Re: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« Reply #2 on: March 08, 2011, 03:56:47 PM »
How do we know for sure that this is safe?

I haven't seen anything on Adobe's site about this false-positive.

You gotta pay them to contact their support directly.

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33903
  • malware fighter
Re: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« Reply #3 on: March 08, 2011, 06:44:51 PM »
Hi frinklabs,

You could establish that ELEVATOR.EXE is OK after a system restore,
it could also be your instance of the executable has been infected through a secondary infection with malware like
Win32 Heur or Win32 Alureon infection....
At backgroundtask.eu you can find the right MD5 Hash of Elevator.exe C60C86F64FF83DA274B6C19E6C45D56F
Size 21,3 KB
Risk NoU
As far as we can see this file is safe;  you can start or close this background task safely to set free mem or processor load...

C60C86F64FF83DA274B6C19E6C45D56F

File Threat Rank: Secure
Version: 0.0.0.0
Digitally signed: No
Last check: 2011-01-24
Internet connection: None or Secure
Mail traffic: None or Secure

polonus

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« Reply #4 on: March 08, 2011, 06:55:57 PM »
Quote
MD5 Hash of Elevator.exe C60C86F64FF83DA274B6C19E6C45D56F
VirusTotal - last scan 28/12-2010
http://www.virustotal.com/file-scan/report.html?id=09dcb5771920a8a24c7d7e94d5772c40d65d0c28e306a8182370c966f5827ce6-1293518610
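
Added example (not part of any post in this thread, and not Avast's or Adobe's code): a Python check that compares a copy of the file on disk with the two reference values quoted above, the MD5 from Reply #3 and the VirusTotal report id from Reply #4. It assumes the report id is laid out as a SHA-256 followed by a Unix scan time, which agrees with the "last scan 28/12-2010" date; the function names are hypothetical.

```python
import hashlib
import re
import sys
from datetime import datetime, timezone

# Reference values quoted in the thread (Reply #3 and Reply #4).
REFERENCE_MD5 = "C60C86F64FF83DA274B6C19E6C45D56F"
VT_REPORT_ID = ("09dcb5771920a8a24c7d7e94d5772c40d65d0c28e306a8182370c966f5827ce6"
                "-1293518610")


def parse_vt_report_id(report_id):
    """Split '<sha256>-<unix time>' (assumed layout) into (sha256, UTC scan time)."""
    m = re.fullmatch(r"([0-9a-fA-F]{64})-(\d+)", report_id)
    if m is None:
        raise ValueError("report id is not '<64 hex chars>-<unix time>'")
    scanned = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1).lower(), scanned


def file_digests(path, chunk_size=65536):
    """Return (md5, sha256) hex digests, reading the file once in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def compare_to_references(path, ref_md5=REFERENCE_MD5, vt_id=VT_REPORT_ID):
    """Compare a file on disk with the reference MD5 and the SHA-256 in the report id."""
    ref_sha256, scanned = parse_vt_report_id(vt_id)
    md5, sha256 = file_digests(path)
    return {
        "md5": md5,
        "sha256": sha256,
        "md5_match": md5 == ref_md5.lower(),
        # MD5 is not collision resistant, so the SHA-256 result is the one to rely on.
        "sha256_match": sha256 == ref_sha256,
        "reference_scan_utc": scanned.isoformat(),
    }


if __name__ == "__main__" and len(sys.argv) == 2:
    for key, value in compare_to_references(sys.argv[1]).items():
        print(f"{key}: {value}")
```

A mismatch only shows that the copy differs from the build those sites recorded; it does not by itself say which of the two is the genuine Adobe file.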

frinklabs

  • Guest
Re: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« Reply #5 on: March 08, 2011, 07:11:29 PM »
How am I supposed to get the MD5 hash of this file if it never gets written to the hard drive?   The on-access scanner catches it as the Adobe updater attempts to write it to the hard drive.

Also, it isn't clear if this was an actual false-positive or if everyone's Adobe updater has somehow been compromised.

If it IS a false-positive, will this be fixed in a virus signature database update?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« Reply #6 on: March 08, 2011, 07:35:38 PM »
Quote
If it IS a false-positive, will this be fixed in a virus signature database update?
I am sure they have seen this and are working on it   ;)
« Last Edit: March 08, 2011, 07:41:12 PM by Pondus »

mbraeken

  • Guest
Re: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« Reply #7 on: March 09, 2011, 12:16:50 PM »
We have had these false-positive notifications since Feb 27.
It takes pretty long to update this in the antivirus definitions if you ask me...

Mario

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« Reply #8 on: March 09, 2011, 12:20:07 PM »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Dewg

  • Guest
Re: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« Reply #9 on: March 09, 2011, 10:11:43 PM »
Still affecting me - now all my Adobe Acrobat users that aren't on the latest version of Acrobat are getting Virus warnings and Adobe won't update.

We're on Avast 4.8 Pro.

No, we're not moving to Avast 6 until a full Pro version is available (silent installs with preset configs, central administration console, etc.) for corporations.  Avast 5 and 6 are great for small shops but it's not ready for hundreds of users in an enterprise environment.

CITS-Wayno

  • Guest
Re: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« Reply #10 on: March 09, 2011, 11:15:26 PM »
I also am seeing the same behavior on a Win 7 machine (64 bit).  Issue is clearly a false positive.  I just manually updated Adobe Reader 9.4 with no issues.  When attempting to update Adobe Acrobat 9.2 the warning instantly pops up and wipes out the downloaded file.

I would like to try to add some sort of exclusion or exception but the Avast password is unknown at this time. 

PC is running Avast 4.8 Pro as well

Avast logs show this first occurred on 2/28/11

I already submitted a request to Avast false positive site (thanks for the link Asyn) as well as sent an email to support@avast.com but haven't heard from either.

Don't suppose anyone has a contact number for them?  Everything I find on their website is for home user support - I need enterprise\corporate support.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: False Positive in Adobe Acrobat 9.2 - ELEVATOR.EXE
« Reply #11 on: March 10, 2011, 07:18:54 AM »
Quote
Don't suppose anyone has a contact number for them?  Everything I find on their website is for home user support - I need enterprise\corporate support.

http://www.avast.com/contacts