Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why do Splunkforwarder Processes Start Acrobat Reader?

chris
Motivator
‎01-24-2018 06:54 AM

Hi

going through sysmon logs I noticed, that the splunkforwarder (version 6.6.3) starts AcroRd32.exe on Windows clients.

Does any one know why? We are not indexing/monitoring the pdfs or the paths where the pdfs are located. Can this be turned off?

This is a sample event:
01/17/2018 03:17:38 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=server.domain.org
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=4300197
Keywords=None
Message=Process Create:
UtcTime: 2018-01-17 14:17:34.391
ProcessGuid: {F0E459B7-5AFE-5A5F-0000-00109C69EE2E}
ProcessId: 12428
Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
CommandLine: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9A5H81Q9\Untitled (28).pdf"
CurrentDirectory: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
User: DOMAIN\user
LogonGuid: {F0E459B7-F487-5A5E-0000-0020274C0F00}
LogonId: 0xf4c27
TerminalSessionId: 1
IntegrityLevel: Low
Hashes: MD5=F7C513664BD4A9DB4ABBEB2B5E4E01D2,IMPHASH=1439821F22F484CB770EECF65574FF20
ParentProcessGuid: {F0E459B7-4701-5A5F-0000-00102595771B}
ParentProcessId: 11408
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2

Regards
Chris

Tags (2)
0 Karma
Reply

mhoogcarspel_sp
Splunk Employee
Splunk Employee
‎01-29-2018 02:08 AM

Splunk Support here, feedback from chris in the case:

" there seems to be an issue with
sysmon, not reporting the parent
process correctly sometimes. "

Something to keep in mind I guess when looking at reports from sysmon, if other avenues of research (like checking for malware) don't pan out.

Reply

nickhills
Ultra Champion
‎01-24-2018 07:49 AM

They don't - Suggest you check for malware urgently.

If my comment helps, please give it a thumbs up!
Reply

chris
Motivator
‎01-24-2018 02:22 PM

Thx, I have also opened a case with splunk

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...