Detected my Immunet is this a virus.

[tankace]

This morning and yesterday when I turn on my computer Immunet detected and quarantined these 3 items

1.  C:\ProgramData\Adobe\ARM\S\24691\AdobeeARM.msi

2  C:\User\Janedoe\AppDat\Local\Adobe\ARM\S\BITCE1A.tmp      Detection Name    Clam.Win.VirusExpiro-9934335-0

3.  C:\User\Janedoe\AppDat\Local\Adobe\ARM\S\ARM.mis            Detection Name    Clam.Win.VirusExpiro-9934335-0

 

Immunet quarantineed them and I deleted it using immunet. 

Questions:

1.  Is this real virus? 

2.  What else should I do????

3.  I notice  there is a lot of files located under C:\ProgramData\Adobe\ARM\S\'number' ..   Are these previous folder created by the virus???   Can is and should I just delete these files. 

 

 

[ritchie58]

Hi tankace,

Adobe ARM is an executable that launches at Windows start-up to look for, notify you and install updates or new versions of Adobe reader if there are any.

I don't believe these files are malicious in nature.

These are detections by the ClamAV module so I would suggest you report these False Positives directly to the ClamAV support team at this link right away if you can.

https://www.clamav.net/reports/fp

If you get any more of these types of Adobe files being quarantined try to use the "Restore' feature instead of deleting them.

You should also create a few 'custom Exclusion rules with Immunet' for these file paths if you need to continue using Adobe.

C:\Program Files\Adobe\

C:\ProgramData\Adobe\ARM\ 

C:\User\Janedoe\AppDat\Local\Adobe\ARM\

Make sure you get the exact file paths correct so there's no typographical errors to the exclusions.

Best wishes, Ritchie...

[tankace]

I understand about reporting to ClamAV and doing the exclusion. 

This may be beyond this forum but I sill getting these files and folder added at startup.  So to clearly is your suggestion try to do a 'System Restore' to a earlier point to prevent it all more files and folders?? 

Thanks. 

[ritchie58]

No, I didn't mean to use a Windows System Restore point! 

With Immunet if a file gets quarantined you have the option to delete it or use the 'Restore' feature which automatically moves the file to the Exclusion list.

Did you add those custom Exclusion rules I mentioned, including Adobe's entire Program Files folder & the temp file paths that ARM uses?

If you haven't already give that a try!

Another (more drastic) option would be to just disable the ClamAV module & updates for it. That's not recommended however if you're using Immunet as a stand-alone AV.

Personally, I don't even use the ClamAV module since I have Immunet paired with a different paid AV product. I use just the ETHOS & SPERO cloud engines.

I don't even miss using it since most of the reported False Positives come from ClamAV.

[tankace]

Richie, Sorry about all these questions but I want to get it right.  And I am really a Newbie when it comes to virus (computers)

Immunet quarantined same files just today.  Is this is what is happening.  Adobe creates these files for some reason, Immunet quarantines it, and Adobe re-creates these files because it needs it for some reason???

So if we are restoring the suspected virus and move the file to a "exclusion list' (exclusion list=so it will not detect it as a virus, right?)  then we are sure it is not a virus!  The risk is that it is a virus and we are releasing it. 

Is this an option??? Right now I have window 10 defender (whatever they call it now) and I think it is still running in the background (and just yesterday I ran an virus scan with defender).  Can I uninstall immunet and run defender for a while.  If it is not a virus defender should not detected it if is show up again, right?  Is this what you mean by saying disable ClamAV module???

If so how do you go about disabling immunet???  Can you use window 10 uninstaller????  Does immunet comes with an uninstaller?  I don't see it in my program file?

thanks

 

PS it sound like you alluded to it.  But is way you can disable immunet (but not ununstalled) so I can run defender for a while?  If so how?  Thanks

Edited January 13, 2022 by tankace

[ritchie58]

Like I mentioned before Adobe ARM is used to update the app you use. You could actually disable the ARM feature and just update manually when a new build of Acrobat or Reader is available instead. If you're not sure how that's done contact Adobe support and I'm sure they could give you detailed instructions on how to do that. That is another option you could use.

If you added those custom exclusions I'm a little surprised that you're still getting quarantine responses however. These are False Positives & not anything malicious.

Did you add those exclusions? Also, did you report these detections with the ClamAV team as I suggested?

If you're using Microsoft Defender with Immunet then you can disable the ClamAV module. That's always been recommended if Immunet is used as a companion AV to another product. Just leave the cloud engines enabled like I do. You should be able to run a scan with Defender without disabling Immunet. 

Immunet does come with it's own uninstaller.

With Win 10 you can view all the apps that are installed on your computer by first clicking on the Start icon -> click on the All Apps icon. If you wish to uninstall an app click on Start -> click on the Settings icon -> click on Apps, this will open the Apps & features window. There you can click on an app and then choose to uninstall it.