Adobe Acrobat Prevents Antiviruses from Examining PDF Files
Information security experts have noticed that Adobe Acrobat is trying to prevent antiviruses from studying PDF files opened by users, thereby creating a security risk.
Reportedly, Adobe Acrobat checks whether components of about 30 security products are loaded into its processes and then blocks them, effectively making it impossible for those products to track malicious activity.
Minerva Labs analysts explain that security solutions usually require “visibility” of all processes in the system to work.
According to the report, Adobe currently looks for about 30 DLLs, including those belonging to Bitdefender, Avast, Trend Micro, Symantec, Malwarebytes, ESET, Kaspersky, F-Secure, Sophos, and Emsisoft products.
Requests to the system are made using the Chromium Embedded Framework (CEF) libcef.dll library used by a wide range of programs. The researchers write that “libcef.dll is loaded by two Adobe processes: AcroCEF.exe and RdrCEF.exe”, that is, both products check the system for components of the same security solutions.
After examining what happens to DLLs injected into Adobe processes, Minerva Labs found that Adobe checks whether the bBlockDllInjection value in the SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection\ registry key is set to “1”. If it is, Adobe prevents antivirus DLLs from being injected.
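The following PowerShell audit is an added example, not code from Adobe or Minerva Labs. It reads the bBlockDllInjection value described above and lists, per vendor, the DLLs currently loaded in AcroCEF.exe and RdrCEF.exe. Assumptions: the article does not name the registry hive, so both HKLM and HKCU are checked, and the function names are hypothetical.

```powershell
# Added example (not Adobe or Minerva Labs code).
# Assumption: the article gives the key path without a hive, so HKLM and HKCU are both read.
function Get-AcrobatDllInjectionSetting {
    param([string[]]$Hive = @('HKLM:', 'HKCU:'))
    $subKey    = 'SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection'
    $valueName = 'bBlockDllInjection'
    foreach ($h in $Hive) {
        $path  = "$h\$subKey"
        $data  = $null
        $state = 'KeyMissing'
        if (Test-Path -LiteralPath $path) {
            $key = Get-Item -LiteralPath $path
            if ($key.GetValueNames() -contains $valueName) {
                $data  = $key.GetValue($valueName)
                # The article only describes the behaviour for the value "1".
                $state = if ("$data" -eq '1') { 'SetToOne' } else { 'OtherValue' }
            } else {
                $state = 'ValueMissing'
            }
        }
        [pscustomobject]@{ Path = $path; Value = $data; State = $state }
    }
}

# Summarise, per vendor, the DLLs loaded in the two CEF processes the article names.
function Get-AcrobatCefModuleVendor {
    foreach ($p in Get-Process -Name AcroCEF, RdrCEF -ErrorAction SilentlyContinue) {
        try {
            $p.Modules |
                Group-Object { $_.FileVersionInfo.CompanyName } |
                ForEach-Object {
                    [pscustomobject]@{
                        Process = "$($p.ProcessName) ($($p.Id))"
                        Vendor  = if ($_.Name) { $_.Name } else { '<no company name>' }
                        Modules = ($_.Group.ModuleName | Sort-Object -Unique) -join ', '
                    }
                }
        } catch {
            # Module enumeration can fail without sufficient rights or across bitness.
            Write-Warning "Cannot read modules of PID $($p.Id): $($_.Exception.Message)"
        }
    }
}

Get-AcrobatDllInjectionSetting | Format-Table -AutoSize
Get-AcrobatCefModuleVendor     | Format-Table -AutoSize -Wrap
```

If the installed security product's vendor does not appear in the module list while Acrobat or Reader is open, compare that against the registry state reported by the first function.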
Judging by March posts on the Citrix forums, one user complained that Sophos AV was producing errors and not working correctly because of Adobe products. The user wrote that the company had suggested that he “disable DLL injection for Acrobat and Reader.”
According to Bleeping Computer, Adobe representatives confirm that users do complain about “stability problems” that arise because the DLL components of some security products are incompatible with the CEF library used by Adobe Acrobat. The company says it is currently working on the issue with security vendors.
Minerva Labs researchers, in turn, argue that Adobe has chosen a method that solves the compatibility problems but creates a security risk: it increases the likelihood of attacks by preventing antiviruses from properly protecting the system.