Adobe Acrobat may block antivirus tools from monitoring PDF files

Adobe Acrobat can block antivirus programs from checking PDF files

Security researchers found that Adobe Acrobat tries to prevent security software from seeing the PDF files it opens, creating a security risk for users.

Adobe’s product checks whether components from 30 security products are loaded into its processes and likely blocks them, which would stop those products from monitoring the processes for malicious activity.

Flag Incompatible AVs

For a security tool to work, it must have visibility into all processes on the system, which is accomplished by injecting dynamic link libraries (DLLs) into software products that are launched on the machine.

PDF files have been misused in the past to run malware on the system. One method is to add a command in the “OpenAction” section of the document to run PowerShell commands for malicious activity, explain the researchers at cybersecurity firm Minerva Labs.

“Since March 2022, we have seen a gradual increase in Adobe Acrobat Reader processes that attempt to find out what security product DLLs are loaded into it by obtaining a handle from the DLL” – Minerva Labs

According to a report this week, the list has grown to 30 DLLs of security products from various vendors. Among the more popular ones with consumers are Bitdefender, Avast, Trend Micro, Symantec, Malwarebytes, ESET, Kaspersky, F-Secure, Sophos, Emsisoft.

Querying the system is done using ‘libcef.dll’, a Chromium Embedded Framework (CEF) Dynamic Link Library used by a wide variety of programs.

Although the Chromium DLL comes with a short list of components that should be blacklisted for causing conflicts, vendors using it can make changes and add any DLL they want.

The researchers explain that “libcef.dll is loaded by two Adobe processes: AcroCEF.exe and RdrCEF.exe”, so both processes check the system for components of the same security products.

Looking more closely at what happens to the DLLs injected into Adobe processes, Minerva Labs found that Adobe checks whether the bBlockDllInjection value under the registry key ‘SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection\’ is set to 1. If so, it prevents the DLLs of antivirus software from being injected into its processes.

It is worth noting that the value of the registry key when Adobe Reader is run for the first time is ‘0’ and can be changed at any time.

“With the name of the registry key bBlockDllInjection, and looking at the cef documentation, can we assume that the blacklisted DLLs are designated to be removed” – Minerva Labs

According to Minerva Labs researcher Natalie Zargarov, the registry key default value is set to ‘1’, indicating active blocking. This setting may depend on the operating system or Adobe Acrobat version installed, as well as other variables on the system.
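As an added defender’s check, not from the article, Minerva Labs or Adobe, the PowerShell snippet below reads bBlockDllInjection from the path named above in both HKLM and HKCU (the hive is an assumption, since the article does not name one) and lists which DLLs matching a name pattern you supply are actually loaded in the AcroCEF.exe and RdrCEF.exe processes, so you can confirm whether your own security product’s module is present.

```powershell
# Added audit script (not from the article or from Minerva Labs / Adobe).
# Assumption: the value lives under HKLM or HKCU at the sub-key the article names.
$subKey = 'SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection'

function Get-AcrobatDllInjectionSetting {
    # Return one record per hive where bBlockDllInjection exists.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$subKey"
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.bBlockDllInjection) {
                [pscustomobject]@{ Hive = $hive; bBlockDllInjection = [int]$item.bBlockDllInjection }
            }
        }
    }
}

function Test-SecurityDllLoaded {
    # $DllPattern is a wildcard for your vendor's module name, e.g. 'sophos*' (hypothetical example).
    param([Parameter(Mandatory)][string]$DllPattern)
    foreach ($p in Get-Process -Name AcroCEF, RdrCEF -ErrorAction SilentlyContinue) {
        $modules = @()
        # Reading .Modules can fail on bitness mismatch or without sufficient rights; report empty then.
        try { $modules = @($p.Modules | Where-Object { $_.ModuleName -like $DllPattern }) } catch { }
        [pscustomobject]@{
            Process      = $p.ProcessName
            PID          = $p.Id
            MatchingDlls = ($modules | ForEach-Object { $_.ModuleName }) -join ', '
        }
    }
}

$settings = Get-AcrobatDllInjectionSetting
if (-not $settings) { Write-Output "bBlockDllInjection not present under HKLM or HKCU $subKey" }
foreach ($s in $settings) {
    $state = if ($s.bBlockDllInjection -eq 1) { 'security DLL injection BLOCKED' } else { 'not blocking' }
    Write-Output "$($s.Hive): bBlockDllInjection=$($s.bBlockDllInjection) -> $state"
}
# Replace the placeholder pattern with your own product's DLL name before running.
Test-SecurityDllLoaded -DllPattern 'yourvendor*' | Format-Table -AutoSize
```

An empty MatchingDlls column while Acrobat is open, combined with a value of 1, is the condition the article describes: the product’s module is not loaded into the CEF processes.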

In a posting to Citrix forums on March 28, a user complaining about Sophos AV errors as a result of installing an Adobe product said the company “suggested to disable DLL injection for Acrobat and Reader.”

Adobe Responds to Citrix User Experiencing Machine Errors with Sophos AV

Working on the problem

In response to BleepingComputer, Adobe confirmed that users have reported problems with DLL components of some security products being incompatible with Adobe Acrobat’s use of the CEF library.

“We are aware of reports that some security tools’ DLLs are not compatible with Adobe Acrobat’s use of CEF, a Chromium-based engine with a limited sandbox design, and may cause stability issues” – Adobe

The company added that it is currently working with these vendors to address the issue and “to ensure good functionality with Acrobat’s CEF sandbox design in the future.”

Minerva Labs researchers argue that Adobe has chosen a solution that fixes compatibility issues but introduces a real risk of attack by preventing security software from protecting the system.

BleepingComputer has contacted Adobe with further questions to explain the terms of the DLL blocking and will update the article once we have the information.
