Report: Adobe Reader is blocking antivirus tools from scanning loaded PDF documents

Adobe is actively blocking several antivirus tools from scanning PDF documents loaded by its Adobe Acrobat Reader application, according to a security report published by Minerva Labs.

The company found evidence that Adobe is blocking around 30 different security products from scanning loaded PDF documents. The list reads like the who’s who of security companies, with one notable exception. Products from Trend Micro, McAfee, Symantec, ESET, Kaspersky, Malwarebytes, Avast, BitDefender and Sophos are blocked, according to the report. The one notable exception, at least from a market share point of view, is Microsoft Defender, which is not blocked by Adobe’s software.

Here is the full list of affected companies and products:

Trend Micro, BitDefender, AVAST, F-Secure, McAfee, 360 Security, Citrix, Symantec, Morphisec, Malwarebytes, Checkpoint, Ahnlab, Cylance, Sophos, CyberArk, Citrix, BullGuard, Panda Security, Fortinet, Emsisoft, ESET, K7 TotalSecurity, Kaspersky, AVG, CMC Internet Security, Samsung Smart Security ESCORT, Moon Secure, NOD32, PC Matic, SentryBay

Blocked products are denied access to the loaded PDF file, which means that malicious code cannot be detected or stopped by the products during the loading phase.

Security tools inject DLLs, Dynamic Link Libraries, into applications that are launched on the system, which is necessary to gain access. The blocking prevents the injection from taking place.

Adobe Acrobat uses the Chromium Embedded Framework (CEF) Dynamic Link Library, libcef.dll, in two processes according to the report. The Chromium component includes a blacklist of its own to prevent issues and conflicts with DLL files. Software companies that use libcef.dll may customize the blacklist, and it appears that Adobe has done that to add the DLL files of security products to it.

Minerva Labs notes that the consequence of the blocking “could potentially be catastrophic”. Besides reduced visibility, which “hinders detection and prevention capabilities inside the process and inside every created child processes”, it is limiting the security application’s means to monitor activity and to determine context.

It would be simple enough for a threat actor to add a command in the ‘OpenAction’ section of a pdf, which can then execute PowerShell, which could for example, download the next stage malware and execute it reflectively. Any of these actions would not be detected if the security product hooks are missing.
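When in-process hooks are unavailable, one compensating control is static triage of the file before it reaches the reader. The sketch below is an added example (not code from Minerva Labs, Adobe or the original article) that flags the ‘OpenAction’ key named above together with action types, including names obfuscated with `#xx` hex escapes; the function names, key lists and sample bytes are assumptions constructed for illustration.

```python
import re

# A PDF name is "/" followed by regular characters; any character may be
# written as a #xx hex escape, so /Open#41ction is the same key as /OpenAction.
_NAME = re.compile(rb"/((?:[^\x00\t\n\f\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

# Keys that fire without user interaction, and action types worth reviewing.
AUTO_KEYS = {b"OpenAction", b"AA"}
ACTION_TYPES = {b"Launch", b"JavaScript", b"JS", b"URI", b"SubmitForm", b"GoToR", b"GoToE"}


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data: bytes) -> dict:
    """Report auto-trigger keys and action types found in uncompressed PDF bytes."""
    names = {decode_name(m.group(1)) for m in _NAME.finditer(data)}
    auto = sorted(n.decode("latin-1") for n in names & AUTO_KEYS)
    actions = sorted(n.decode("latin-1") for n in names & ACTION_TYPES)
    return {
        "auto_triggers": auto,
        "action_types": actions,
        # An automatic trigger combined with an action type deserves a closer look.
        "suspicious": bool(auto and actions),
        # Compressed object streams can hide names from a raw byte scan, so a
        # clean result on such a file is inconclusive rather than clean.
        "needs_deeper_scan": b"ObjStm" in names,
    }


# Constructed sample input: a catalog with an obfuscated OpenAction key.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /Launch >>\nendobj\n"
)
# Constructed benign input: a catalog with no actions at all.
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
    print(triage_pdf(BENIGN))
```

A raw byte scan like this can also match name-like sequences inside binary streams, so treat hits as a reason to inspect the file further rather than as a verdict.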

Minerva Labs contacted Adobe to find out why security products are blocked by Adobe Acrobat. Adobe replied that ‘this is due to “incompatibility with Adobe Acrobat’s usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues”‘.

In other words: Adobe has chosen to address stability issues by blocking security processes. Minerva Labs points out that Adobe picked convenience and the insertion of a “malware-like” behavior over resolving the issue permanently.

Bleeping Computer received a similar reply when the site contacted Adobe. Adobe confirmed that it was working with vendors of the security products to address the incompatibilities and to “ensure proper functionality with Acrobat’s CEF sandbox design going forward”.

Now You: do you use Adobe Acrobat Reader or another PDF application?