Why do Splunkforwarder Processes Start Acrobat Reader?

chris
Motivator

Hi

Going through Sysmon logs I noticed that the splunkforwarder (version 6.6.3) starts AcroRd32.exe on Windows clients.

Does anyone know why? We are not indexing/monitoring the PDFs or the paths where the PDFs are located. Can this be turned off?

This is a sample event:
01/17/2018 03:17:38 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=server.domain.org
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=4300197
Keywords=None
Message=Process Create:
UtcTime: 2018-01-17 14:17:34.391
ProcessGuid: {F0E459B7-5AFE-5A5F-0000-00109C69EE2E}
ProcessId: 12428
Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
CommandLine: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9A5H81Q9\Untitled (28).pdf"
CurrentDirectory: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
User: DOMAIN\user
LogonGuid: {F0E459B7-F487-5A5E-0000-0020274C0F00}
LogonId: 0xf4c27
TerminalSessionId: 1
IntegrityLevel: Low
Hashes: MD5=F7C513664BD4A9DB4ABBEB2B5E4E01D2,IMPHASH=1439821F22F484CB770EECF65574FF20
ParentProcessGuid: {F0E459B7-4701-5A5F-0000-00102595771B}
ParentProcessId: 11408
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2

Regards
Chris


mhoogcarspel_sp
Splunk Employee

Splunk Support here, feedback from chris in the case:

"there seems to be an issue with sysmon, not reporting the parent process correctly sometimes."

Something to keep in mind I guess when looking at reports from sysmon, if other avenues of research (like checking for malware) don't pan out.
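
The two posts above raise one detection question and one data-quality caveat: a Splunk forwarder binary should not be the parent of a document viewer, but Sysmon's recorded parent is not always the real creator. The added example below (not part of this thread, and not Splunk or Sysmon code) parses the Sysmon EventCode 1 record posted in the question, flags the forwarder-to-AcroRd32.exe pairing, and separately notes when the child looks like Reader's protected-mode renderer (a Low-integrity AcroRd32.exe started with `--type=renderer`, which Reader normally launches from its own broker AcroRd32.exe), in which case the recorded parent deserves corroboration before anyone concludes either "malware" or "forwarder bug". The lists of forwarder images and document viewers are assumptions for the example, not a Splunk-published set.

```python
import re

# Abridged copy of the Sysmon EventCode 1 record posted in the question above.
SAMPLE_EVENT = r"""EventCode=1
TaskCategory=Process Create (rule: ProcessCreate)
Message=Process Create:
UtcTime: 2018-01-17 14:17:34.391
ProcessGuid: {F0E459B7-5AFE-5A5F-0000-00109C69EE2E}
ProcessId: 12428
Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
CommandLine: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9A5H81Q9\Untitled (28).pdf"
CurrentDirectory: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
User: DOMAIN\user
IntegrityLevel: Low
ParentProcessGuid: {F0E459B7-4701-5A5F-0000-00102595771B}
ParentProcessId: 11408
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
"""

# The Splunk-rendered record mixes two layouts: header lines are Key=Value,
# the Sysmon Message body uses "Key: Value".
FIELD_RE = re.compile(r"^(\w+): (.*)$")
HEADER_RE = re.compile(r"^(\w+)=(.*)$")


def parse_sysmon_event(text):
    """Flatten a Splunk-rendered Sysmon event into a dict of string fields."""
    fields = {}
    for line in text.splitlines():
        # Try the body layout first so "Key=Value" header lines do not
        # swallow a "Key: Value" line whose value happens to contain '='.
        m = FIELD_RE.match(line) or HEADER_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def image_name(path):
    """Lower-cased basename of a Windows path, for parent/child comparison."""
    return path.rsplit("\\", 1)[-1].lower()


# Assumed for this example: forwarder binaries that never need an interactive
# document viewer, and the viewer seen in the post.
FORWARDER_IMAGES = {"splunkd.exe", "splunk-powershell.exe"}
DOCUMENT_VIEWERS = {"acrord32.exe"}

VERDICT_OK = "ok"
VERDICT_INVESTIGATE = "investigate"
VERDICT_CORROBORATE = "corroborate-parent"


def assess(event):
    """Rate one Process Create event.

    unexpected_parent: a forwarder binary is recorded as parent of a viewer.
    sandbox_child:     the child has the shape of Reader's protected-mode
                       renderer, whose real parent is normally AcroRd32.exe,
                       so a different recorded parent hints that Sysmon
                       attributed the PID to the wrong process (the support
                       note above says this happens).
    """
    if event.get("EventCode") != "1":
        return {"unexpected_parent": False, "sandbox_child": False, "verdict": VERDICT_OK}

    child = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))

    unexpected_parent = parent in FORWARDER_IMAGES and child in DOCUMENT_VIEWERS
    sandbox_child = (
        child == "acrord32.exe"
        and "--type=renderer" in event.get("CommandLine", "")
        and event.get("IntegrityLevel") == "Low"
    )

    if unexpected_parent and sandbox_child:
        verdict = VERDICT_CORROBORATE   # check the parent with a second source first
    elif unexpected_parent:
        verdict = VERDICT_INVESTIGATE   # a forwarder really did launch a viewer
    else:
        verdict = VERDICT_OK

    return {"unexpected_parent": unexpected_parent,
            "sandbox_child": sandbox_child,
            "verdict": verdict}


if __name__ == "__main__":
    ev = parse_sysmon_event(SAMPLE_EVENT)
    print(image_name(ev["ParentImage"]), "->", image_name(ev["Image"]))
    print(assess(ev))
```

For the posted record this yields `corroborate-parent`: the pairing is wrong on its face, but the child is the Low-integrity `--type=renderer` process, so the next step is to check the same ProcessId and timestamp against an independent record of process creation (for example the Windows Security log's process-creation event with its creator process name, if that auditing is enabled) before treating the forwarder as the launcher. Events that are `investigate` (a forwarder parent with no sandbox-renderer shape) are the ones worth the malware check the next reply asks for.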

nickhills
Ultra Champion

They don't - Suggest you check for malware urgently.

If my comment helps, please give it a thumbs up!

chris
Motivator

Thanks, I have also opened a case with Splunk.
