
Adobe Acrobat Prevents Antiviruses from Examining PDF Files


Information security experts have noticed that Adobe Acrobat is trying to prevent antiviruses from studying PDF files opened by users, thereby creating a security risk.

Adobe Acrobat reportedly checks whether components of about 30 security products have been loaded into its processes and then blocks them, effectively making it impossible for those products to track malicious activity.


Minerva Labs analysts explain that security solutions usually require “visibility” of all processes in the system to work.

As a rule, this is achieved by injecting a DLL (dynamic-link library) into the software that runs on the user’s machine. Since March 2022, experts have observed a gradual increase in the activity of Adobe Acrobat Reader processes that are trying to find out which DLLs associated with security products have been loaded (by obtaining a DLL handle), experts from Minerva Labs said.

According to the report, Adobe is currently looking for about 30 DLLs, including those related to Bitdefender, Avast, Trend Micro, Symantec, Malwarebytes, ESET, Kaspersky, F-Secure, Sophos, Emsisoft antivirus.

Requests to the system are made using the Chromium Embedded Framework (CEF) libcef.dll library used by a wide range of programs. The researchers write that “libcef.dll is loaded by two Adobe processes: AcroCEF.exe and RdrCEF.exe”, that is, both products check the system for components of the same security solutions.

After examining what happens to DLLs injected into Adobe processes, Minerva Labs found that Adobe checks to see if the bBlockDllInjection value in the SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection\ registry key is set to “1”. If the answer is yes, it prevents injection of antivirus software DLLs.
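One way to audit a Windows host for the setting described above (an added example, not code from Minerva Labs or Adobe). The article gives the key path without a hive, so checking HKLM, its 32-bit view and HKCU is an assumption, and the function name is hypothetical.

```powershell
# Added example: report whether bBlockDllInjection is set under the key named in the article.
# Assumption: the article does not name the registry hive, so HKLM, the 32-bit
# (WOW6432Node) view of HKLM, and HKCU are all checked.
$SubKey    = 'Adobe\Adobe Acrobat\DC\DLLInjection'
$ValueName = 'bBlockDllInjection'
$Roots     = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node', 'HKCU:\SOFTWARE'

function Get-AcrobatDllInjectionSetting {   # hypothetical helper name
    param([string[]]$Root = $Roots)

    foreach ($r in $Root) {
        $path  = Join-Path $r $SubKey
        $raw   = $null
        $state = 'KeyMissing'

        if (Test-Path -LiteralPath $path) {
            $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $ValueName)) {
                $raw = $props.$ValueName
                # The value may be stored as REG_DWORD or REG_SZ; compare as a string.
                $state = if ([string]$raw -eq '1') { 'Blocking' } else { 'NotBlocking' }
            } else {
                $state = 'ValueMissing'
            }
        }

        [pscustomobject]@{ Path = $path; Value = $raw; State = $state }
    }
}

$results = Get-AcrobatDllInjectionSetting
$results | Format-Table -AutoSize

# Flag hosts where security-product DLLs will be kept out of Acrobat's CEF processes.
if ($results.State -contains 'Blocking') {
    Write-Warning 'bBlockDllInjection is set to 1: DLL injection into Acrobat processes is blocked on this host.'
}
```

A host that reports `Blocking` is one where endpoint products relying on injected DLLs may have no visibility into AcroCEF.exe and RdrCEF.exe.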

A March post on the Citrix forums shows a user complaining about errors in Sophos AV, which did not work correctly because of Adobe products. The user wrote that the company suggested that he should “disable DLL injection for Acrobat and Reader.”


According to Bleeping Computer, Adobe representatives confirm that users do indeed complain about “stability problems” that arise due to the fact that the DLL components of some security products are incompatible with the CEF library used by Adobe Acrobat. The company says it is currently working on the issue with security vendors.

In turn, Minerva Labs researchers argue that Adobe has chosen a method that solves compatibility problems, but creates a security risk and increases the risk of attacks, preventing antiviruses from properly protecting the system.

About The Author
Vladimir Krasnogolovy