
"Possible ransomware injection detected" for Adobe files

Thread needs solution
Beginner
Contributions: 1
Comments: 0

Hi folks,

 

For about a week, I've been getting a "Possible ransomware injection detected" message from Acronis Active Protection. The injection process is identified as node.exe, and the 31 affected files are all Adobe .json files in ..\AppData\Roaming\Adobe\...  At various times I've tried both available options, "Stop the process" and "Ignore". But the warnings keep coming, typically after a reboot I think.

 

What's up?

3 Users found this helpful
Legend
Contributions: 105
Comments: 25746

George, welcome to these public User Forums.

What version of ATI are you using here?  Is this ATI 2018 build #15470 with the original Acronis Active Protection feature, or do you have a later version?

See KB 62113: Acronis Active Protection slows down applications without a valid digital signature that modify many files in a short period of time - for more information.

Also KB 60193: Acronis True Image 2018, 2019 and 2020: Active Protection blocks legitimate applications

and KB 60173: Acronis True Image: troubleshooting issues with Acronis Active Protection

Beginner
Contributions: 0
Comments: 1

I too have this symptom.

Beginner
Contributions: 0
Comments: 5

Did anyone find a solution to this?

Forum Moderator
Contributions: 200
Comments: 6480

Hello Everyone,

If you have some time for the investigation, I'd recommend opening a support ticket, so that our engineers can find the reason for the false positive detection. Please note that the latest build of Acronis True Image 2021 should be installed. My colleagues would need samples of the flagged executables and an Acronis system report from the machine in question. Please let me know if you need any assistance with contacting Acronis support.

Beginner
Contributions: 2
Comments: 9

I'm having this exact problem also. For the past few days the message has been coming up several times a day.

Clicking on "Ignore" does nothing. I see no way to dismiss it. The message keeps being displayed until I reboot.

When the message comes up it usually (but not always) freezes my entire system, forcing me to shut down my system using the power button on my computer, losing any work that I haven't saved and potentially corrupting files.

It's a pretty serious problem!

 

Beginner
Contributions: 0
Comments: 1

Me too - come on Acronis, time to pull your finger out and get this sorted.

Beginner
Contributions: 0
Comments: 5

I've been experiencing this problem for several weeks now, recurring every couple of days, sometimes more than once during a day.

Is there anyone from Acronis monitoring this forum who can comment on whether this issue is being addressed?

Beginner
Contributions: 2
Comments: 9

I commented above that I'm experiencing this also. Additional information:

Build ~ Acronis True Image 2021, Build 39216

Offending exe ~ The Acronis message says the name of the offending exe is "node.exe". I searched my entire system disk and there were 3 executables with that name, all Adobe files: 

C:\Program Files\Adobe\Adobe Photoshop 2021\node.exe
C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe
C:\Program Files\Adobe\Common Files\Adobe\Creative Cloud Libraries\libs\node.exe

Note that the problem is much more severe than a "false positive". When this message appears it usually (but not always) freezes/hangs my system. The "Ignore" option does nothing. The only way to continue using my system is by crashing it using the power button on the case, resulting in me losing any unsaved work and risking corruption of my hard drives. 

Even when this problem does not hang my system the error message remains on my screen and on top of other applications until I reboot my system.

Forum Star
Contributions: 190
Comments: 4433

As ATI 2018 is long out of support, it is unlikely that any change will be made. @Anthony Rogers, as you have ATI 2021 you should create a support ticket - nothing is likely to happen without someone raising a support ticket.

You could try whitelisting the executables that are identified, provided you are happy that there is not anything amiss - no risk there is a malware attack.

Ian

Beginner
Contributions: 0
Comments: 5

I just submitted a ticket uploading a screenshot of the ransomware attack and creating the Acronis System Report, which was too big to upload with the report. But I'm supposed to be contacted by support to upload it in a different way.

Legend
Contributions: 105
Comments: 25746

David, Acronis support will provide you with FTP details for uploading your system report zip file when they communicate on your support case.

Beginner
Contributions: 0
Comments: 5

Thanks, Steve!

Forum Star
Contributions: 190
Comments: 4433

IanL-S wrote:

As ATI 2018 is long out of support, it is unlikely that any change will be made. ...

Ian

As I understand it ATI regularly downloads updates to the database that informs the operation of Active Protection; this may continue beyond the expiry of technical support. So it is possible if it is fixed for ATI 2021 it may flow through to ATI 2017 to 2020. 

Ian 

Beginner
Contributions: 2
Comments: 9

David Kaplan wrote:

I just submitted a ticket uploading a screenshot of the ransomware attack and creating the Acronis System Report, which was too big to upload with the report. But I'm supposed to be contacted by support to upload it in a different way.

Thank you David! 

Forum Member
Contributions: 2
Comments: 48

I too just submitted a ticket for ATI 2021 permanent license. Submitted screen shot, have generated report awaiting instructions on how to upload it since it is too big for ticket submission site.  Same exact problem - don't know what to do with message, neither choice is clear what it means and neither choice seems to do anything much.  Of course I'm worried I do have ransomware and if so how to stop it! Attached is my message screen shot.

Legend
Contributions: 105
Comments: 25746

Pamela, have you tried first checking that ptedit54.exe is a valid application on your PC, and if yes, adding this to the Protection Exclusions in ATI 2021?

A search on Google suggests it is Brother P-touch Editor 5.4 and should be found in C:\Program Files (x86)\Brother\Ptedit folder?  Do you have label print program installed?

Forum Star
Contributions: 190
Comments: 4433

Interesting that I have not had this flagged - I have Brother P-touch Editor 5.4 on the PC I am using at the moment. The location is correct for the file. Not sure why it is now being flagged, the digital certificate is dated July 2020.

But that may have something to do with my running ATI 2021 rather than ATI 2018.

Ian

Beginner
Contributions: 0
Comments: 5

I just installed the latest version of Acronis True Image today and when I opened Photoshop 2021 it froze my computer. I rebooted and got the ransomware notice about the node.exe file as mentioned previously by Anthony Rogers. Is there a fix for this issue?

Legend
Contributions: 105
Comments: 25746

Mark, welcome to these public User Forums.

Please raise this issue direct with Acronis by either opening a Support case or else submitting Feedback along with an Acronis System Report.

Beginner
Contributions: 0
Comments: 1

I just got this symptom today and I quarantined the files.

I am going to be super POed if this breaks my InDesign install.

I could install a new version of Acronis, but my PC works and I don't want to rock the boat, per the message from Mark about Photoshop freezing up the PC.

Beginner
Contributions: 2
Comments: 9

nrs250: It isn't Photoshop that's freezing our PCs ~ it's Acronis. The flagging of the Adobe file Node.exe by Acronis True Image is a false positive, and not an actual ransomware attack or a problem with Photoshop or Adobe. At least that's what we're all assuming.

I advise against allowing Acronis to stop the Node.exe process. That could screw up your Photoshop install. Click "Ignore" instead.


Forum Star
Contributions: 190
Comments: 4433

Alternatively, add "Node.exe" to the whitelist. That is what I have done with several video editing apps that I use - the way they work could be mistaken for files being encrypted by malware. 

Ian

Beginner
Contributions: 0
Comments: 5

I must admit, I have been a client of Acronis for 15+ years and now that I need support I find it very difficult, if not impossible, to get answers to a problem that the Acronis product created. Submitting a ticket should be simple and straightforward. I keep looking but can't seem to find a way to create a ticket. All I can do is submit feedback. I purchased Acronis 2021 and when I log in to my account, click Support > Technical Assistance ... all my products I have purchased from Acronis 2020 to True Image 8 are there but not the latest version I have, 2021. If I visit the Products page, you show that I have 5 Workstation licenses....but no way to submit a ticket that I can see.

I would appreciate it if you can send me a link to submit a ticket and get this resolved. Thank you.

Forum Star
Contributions: 190
Comments: 4433

Something very odd going on Mark. If you have a subscription rather than perpetual licence, the product will be listed as "Acronis True Image Subscription" and if you also have cloud storage as part of your subscription there will also be "Acronis True Image Cloud".

The forum moderator, Ekaterina may be able to help, but I think she is on leave at the moment.

Ian

Beginner
Contributions: 0
Comments: 5

On my products page every license I have ever had was "Perpetual" and show as follows (I attached a screenshot as well, but not sure if the public can see). Now my latest Product shows Subscription and not True Image 2021 but rather Acronis True Image Essential.

...

Acronis True Image 2019 "Perpetual License"

Acronis True Image 2020 "Perpetual License"

Acronis True Image Essential "Subscription License"

 

Not sure why it changed. All I did was renew as I have for the past 15 years when Acronis sent me a renewal email. Why would this make a difference anyway, I just installed the new version a couple weeks ago so why can't I get support?

 

Legend
Contributions: 105
Comments: 25746

Mark, you need to choose the subscription product when wanting to open a support case.  The Essential subscription is the most basic of the subscription offerings and in my personal opinion is worse than having a perpetual license!  It only offers the same functionality as perpetual with no cloud storage, no cyber protection and becomes a lemon if the subscription is not renewed year on year!

Beginner
Contributions: 0
Comments: 5

I am still confused. All I use Acronis for is to automatically backup my hard drives and files. I don't need cloud storage as I use a different service for that. I use ESET Nod32 for anti virus protection. I do renew my Acronis product every year...always have. Since I don't need the features of the other options and it shows on the Products page that I get Support with my version, why am I not getting support???

Legend
Contributions: 105
Comments: 25746

Mark, if you have purchased ATI Essential on a subscription then this should be shown in your Acronis Account in the list of products, and be an option when selecting Support.  If you don't see it there, then you are either looking at the wrong account, i.e. it is registered to a different Acronis Account? or else there is an issue at the Acronis side that only they can fix for you.

The images below show what I see for my own account.  I had to scroll down the page on the Support panel to see the subscription option for support!


Beginner
Contributions: 0
Comments: 5

@Steve Smith that was it. I see it now. Very confusing. It was on the Support page, but even though it is a 2021 subscription, it is listed between the 2019 and 2018 products. I was focused on looking for it at the top of the list above my 2020 product purchase. Thank you.

Beginner
Contributions: 2
Comments: 9

I've whitelisted the Adobe node.exe files, and that appears to have fixed the problem.

In True Image white-listings are referred to as protection exclusions. On my system there were 3 Adobe files called node.exe, so I added protection exclusions for all of them:

C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe
C:\Program Files\Adobe\Adobe Photoshop 2021\node.exe
C:\Program Files\Common Files\Adobe\Creative Cloud Libraries\libs\node.exe
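Before adding protection exclusions like the ones listed above, each binary can be checked so that only a file Windows itself validates is excluded. The PowerShell below is an added example, not part of any post in this thread and not Acronis or Adobe tooling; it uses the three paths reported above and assumes (this is an assumption, confirm it for your install) that a genuine Adobe-shipped node.exe carries a valid Authenticode signature whose subject names Adobe.

```powershell
# Added example: vet each node.exe before adding it as a protection exclusion.
# Paths are the ones reported in this thread; edit the list to match your system.
$candidates = @(
    'C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe',
    'C:\Program Files\Adobe\Adobe Photoshop 2021\node.exe',
    'C:\Program Files\Common Files\Adobe\Creative Cloud Libraries\libs\node.exe'
)

# Assumption: a genuine Adobe-shipped binary is signed by a certificate whose
# subject names Adobe. Confirm the expected signer for your install.
$expectedSigner = 'Adobe'

$report = foreach ($path in $candidates) {
    $row = [ordered]@{
        Path = $path; Status = 'Missing'; Signer = $null
        CertExpires = $null; SHA256 = $null; OkToExclude = $false
    }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $row.Status = [string]$sig.Status
        $row.SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($sig.SignerCertificate) {
            $row.Signer      = $sig.SignerCertificate.Subject
            $row.CertExpires = $sig.SignerCertificate.NotAfter
        }
        # Exclude only if Windows validates the signature AND the signer matches.
        $row.OkToExclude = ($sig.Status -eq 'Valid') -and
                           ($row.Signer -match [regex]::Escape($expectedSigner))
    }
    [pscustomobject]$row
}

$report | Format-List

# Anything not cleared should be investigated, not excluded.
$report | Where-Object { -not $_.OkToExclude } | ForEach-Object {
    Write-Warning "Do not exclude: $($_.Path) [$($_.Status)]"
}
```

Excluding by full file path rather than by folder keeps the exclusion limited to the binaries that were checked. Keeping the recorded SHA256 values lets you see when a later update replaces a file, at which point the check is worth re-running.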

Beginner
Contributions: 0
Comments: 5

That should be the solution those affected have sought, Anthony! :)

Beginner
Contributions: 1
Comments: 1

Thanks Anthony - this false positive has been ruining my PC sessions lately.  On my (heavily configured) Dell XPS deskside, if I don't catch the "ransomware" notice within a short window, the entire PC locks up.  I can't bring up the task manager or even power off gracefully - I have to pull the big red switch (as they say).  It is always "node.exe" that is blamed but no path to the faulty file is given.  I've added the three "node.exe" files you identified to my exclusion list - now let's see if it happens again.  I'm running the Adobe photographers plan subscription (Lightroom+Photoshop). 

Good info - thanks!

     Duane

Beginner
Contributions: 1
Comments: 8

I've also started to receive these "Possible ransomware injection detected" messages related to various Adobe files.

I'm curious to know why "whitelisting Adobe node.exe" files is considered a "solution". Surely if Acronis considers these files to be suspect, why would a user override this assessment and deem them to be safe or not infected with ransomware?

Please would someone provide a definitive course of action that would give a user some comfort that Acronis is working as intended.

Thanks,

 

Beginner
Contributions: 2
Comments: 9

Max Voigt wrote:

I've also started to receive these "Possible ransomware injection detected" messages related to various Adobe files.

I'm curious to know why "whitelisting Adobe node.exe" files is considered a "solution". Surely if Acronis considers these files to be suspect, why would a user override this assessment and deem them to be safe or not infected with ransomware?

Please would someone provide a definitive course of action that would give a user some comfort that Acronis is working as intended.

Max,

Acronis thinks the Adobe files are suspect because of their behavior, not because they're on a list of suspect files or some such. Detecting behavior rather than particular file names makes sense. It makes the feature adaptable to new ransomware systems.

What should be happening is that Acronis should whitelist these files, just as they whitelist explorer.com, so we don't have to. 

It would be wonderful if someone opened a formal support ticket and hashed this out with Acronis support. It's not like we're the only people that use both Acronis and Adobe products! If you're up for investing the time to do that please do!

 

Beginner
Contributions: 1
Comments: 8

Thanks Anthony - I had opened a support ticket at the same time as my post, just to cover all my options.

They have just sent me the predictable instructions to add the protection exclusions (as you outlined in your earlier post). I'll be doing this now, but will certainly push for a better solution to include whitelisting from their side. As I said, this is happening for both Adobe and Dropbox, affecting hundreds of files, so going through the long list and manually excluding protection will be a laborious task for any user.

My main reason for using ATI is as a backup tool. Ransomware and Virus protection is a bonus, but having selected the option to use them, I would expect Acronis to proactively whitelist the top-shelf software items from false positives so that users could be in the same "set it and forget it" frame as we are when using their very efficient backup software. Don't know about you, but I get the fright of my life when I see that "Possible ransomware injection detected" message. If I "whitelist" it myself, I'll never be entirely comforted that I'm still protected from ransomware. What if I excluded the wrong file/ folder? What if other malicious files creep into an excluded folder?

I'll follow up in my support thread now, and report back here with any news.

Max

 

Beginner
Contributions: 0
Comments: 1

Just installed Movavi Picverse today, ran it and got a bunch of "Possible ransomware injection detected" messages.

I do not have the time to troubleshoot this so I either scrap Movavi or look into Acronis alternatives.

Have had similar issues with Adobe Photoshop in the past, have been a long-term Acronis user and am beginning to doubt my wisdom.

Forum Moderator
Contributions: 200
Comments: 6480

Hello Everyone,

the issue shall not reproduce in the new build for Acronis Cyber Protect Home Office. We welcome you to check a free trial version. Please let me know, if you still experience any issues with Adobe after installation of Acronis Cyber Protect Home Office.

Beginner
Contributions: 1
Comments: 8

Thanks for this - the problem persisted with the earlier build of Cyber Protect, but will try this new build and see if it goes away.