Can you provide some additional details, like the version of Windows and variant of Flash Player we're talking about (I'm assuming ActiveX), and the method you used to discover this?
The OS is Windows 7 Enterprise SP1, 64- or 32-bit
FlashPlayer AX is InstallAX.18.104.22.168.exe deployed via SCCM
Method used: Behavioral based Antivirus
Specifically, what AV product? I just want to reproduce it with a known-pristine copy of Flash Player so that I can confirm that it's a false positive.
Sorry for the late response... We are using Carbon Black Endpoint Security.
It's hard to guess about why a particular antivirus product is flagging a behavior. If the installer you're running is authentic and unmodified, then the antivirus is throwing a false positive. Carbon Black defines their heuristics, and is best positioned to tell you why they're flagging a legitimate installer, and what you can do about that. I suspect that they get enough data back from the field that they should be able to determine whether or not this particular heuristic returns a high false positive rate, and what the frequent fliers are.
I've sent this thread over to our installer engineers to see if they can provide some insight, but it's a weird question (e.g. why does your high level code call some low-level system service under the hood?). My guess is that we're either just doing things in an old-school way (we're talking about installers that were originally written for, and still work on WinXP) or those actual accesses happen underneath us as the result of calling into a system service or something.
What I *can* definitively tell you, is whether or not the binary you're attempting to deploy is identical to the one that we distributed. If you want to give me a sha256 hash of the file, I can definitely do that. You could also upload it to VirusTotal as a secondary confirmation...
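The integrity check suggested in the last reply, as an added example that is not part of the original thread or any vendor tooling: it computes the SHA-256 of the staged installer and reports its Authenticode signature status and signer, which confirms whether the file is unmodified but says nothing about why the heuristic fired. The `-ExpectedSha256` parameter is an assumption (a reference hash you obtained from the vendor); nothing on this page supplies one.

```powershell
# Added example. Runs on PowerShell 2.0 (the Windows 7 SP1 default), so it
# uses .NET for hashing instead of Get-FileHash (PowerShell 4.0+).
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,                 # installer exactly as staged for deployment
    [string]$ExpectedSha256 = ''   # assumption: reference hash obtained from the vendor
)

$ErrorActionPreference = 'Stop'
$file = Get-Item -LiteralPath $Path

# Stream the file through SHA-256 so large installers are not loaded into memory.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($file.FullName)
try {
    $bytes = $sha.ComputeHash($stream)
} finally {
    $stream.Dispose()
    $sha.Clear()
}
$hash = ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()

# Authenticode: Status is 'Valid' only if the embedded signature verifies and
# the signer chains to a trusted root; a change to the signed contents breaks it.
$sig    = Get-AuthenticodeSignature -FilePath $file.FullName
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

# Compare against the reference hash only when one was supplied.
$match = 'not checked'
if ($ExpectedSha256) {
    $match = ($hash -eq $ExpectedSha256.Trim().ToLower())
}

New-Object PSObject -Property @{
    File            = $file.FullName
    Sha256          = $hash
    SignatureStatus = $sig.Status
    StatusMessage   = $sig.StatusMessage
    Signer          = $signer
    MatchesExpected = $match
} | Select-Object File, Sha256, SignatureStatus, StatusMessage, Signer, MatchesExpected |
    Format-List
```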