markusf
New Member
July 8, 2025
Solved

Adobe - W32/Tedy.7918!tr found in armsvc.exe


Today, all of a sudden 100+ clients reported W32/Tedy.7918!tr malware in C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe. The definition was just updated today and it may be a false positive, but I want to verify if the alert is legit. Did anyone have the same issue and what would be best practice to verify this alert?

Thanks,

Markus

4 replies

DonRosalino
New Member
July 9, 2025

Got the same here, just for one user out of the hundred I've got here.

Wi3tse
Explorer
July 9, 2025

Hi Markus,

We have the same: 842 instances of armsvc.exe quarantined with file hash E730922F614E4DFFE70D229EC118CD3052A31E9CA4DAB274A1A15DF1CBFA5674

Another randomfilename.msi with file hash 1942A8CC615E3CDCB06A336AA9F808358005D320E5FD9DF31264BACBCAEB9267

Neither file is found to be malicious on VirusTotal, not even by Fortinet.

The file is also signed by Adobe, and we have the option "skip trusted signed files" turned on in the malware protection profile.

Looks like the same issue as in January 2024.

FortiClient is ignoring its own settings again.

Tried to get Fortinet to say something about this via webchat on support, but they asked me to open a ticket, which I have done under case number #10889545.

flrinppst
New Member
July 9, 2025

Have the same here with 6 clients.

Richie_C
Staff
July 9, 2025

Hi @markusf

I think this should be raised with TAC. The FortiGuard team can investigate and roll out the appropriate signature update.

Regards

Wi3tse
Answer
Explorer
July 9, 2025

Response from TAC:

Thank you for bringing this issue to our attention.

Our analysis shows that these files (md5: 798cd6d62ca995eb320059595efd0b03 & md5: 8fb10da817e73f639d2e905c8b6b43f0) do not contain any malicious behaviour.

We have already removed the detection "W32/Tedy.7918!tr" on these samples at AVDB 93.04459 @ 2025-07-08 06:40:22 PST, please update your AVDB and try again.

If for any reason you believe these files are still being detected after update, please contact us again.

Sorry for the inconvenience caused.
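
The two checks mentioned in this thread (file hash and publisher signature) can be collected per client before treating an alert like this as a false positive. The PowerShell below is an added example, not from any poster or from Fortinet; the function name `Get-FlaggedFileTriage`, its parameters and the `Adobe` publisher substring are assumptions, and the hashes are the ones quoted in the thread.

```powershell
# Added example (not from the thread): hash + Authenticode triage of a flagged file.
param(
    # Path reported in the thread; point this at a restored copy if the file is quarantined.
    [string]$Path = 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe',
    # Assumption: substring expected in the signer certificate subject.
    [string]$ExpectedPublisher = 'Adobe'
)

# Hashes quoted in the thread (SHA-256 from Wi3tse's post, MD5s from the TAC reply).
# Other builds of armsvc.exe will hash differently, so "no match" is not a verdict.
$ThreadHashes = @(
    'E730922F614E4DFFE70D229EC118CD3052A31E9CA4DAB274A1A15DF1CBFA5674',
    '798CD6D62CA995EB320059595EFD0B03',
    '8FB10DA817E73F639D2E905C8B6B43F0'
)

function Get-FlaggedFileTriage {
    param([string]$Path, [string]$ExpectedPublisher, [string[]]$KnownHashes)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found (it may still be in quarantine): $Path"
    }

    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $cert   = $sig.SignerCertificate

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        SHA256          = $sha256
        MD5             = $md5
        # True when this exact file is one of those discussed in the thread.
        MatchesThread   = ($KnownHashes -contains $sha256) -or ($KnownHashes -contains $md5)
        # 'Valid' means the file is unmodified since signing and the chain is trusted.
        SignatureStatus = $sig.Status
        Signer          = if ($cert) { $cert.Subject } else { $null }
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        # Substring match is a sanity check only; pin the thumbprint for a strict check.
        PublisherMatch  = ($sig.Status -eq 'Valid') -and $cert -and
                          ($cert.Subject -like "*$ExpectedPublisher*")
    }
}

Get-FlaggedFileTriage -Path $Path -ExpectedPublisher $ExpectedPublisher -KnownHashes $ThreadHashes
```

A single hash and signer across every alerting client points to one vendor build being flagged; a client whose hash or signature status differs from the rest is the one to investigate separately.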