Report: Adobe Reader is blocking antivirus tools from scanning loaded PDF documents
According to a security report published by Minerva Labs, Adobe is actively blocking several antivirus tools from scanning PDF documents that its Adobe Acrobat Reader application has loaded.
The company found evidence that Adobe is blocking around 30 different security products from scanning loaded PDF documents. The list reads like a who's who of security companies, with one notable exception. Products from Trend Micro, McAfee, Symantec, ESET, Kaspersky, Malwarebytes, Avast, BitDefender and Sophos are blocked, according to the report. The one notable exception, at least from a market share point of view, is Microsoft Defender, which is not blocked by Adobe's software.
Here is the full list of affected companies and products:
Trend Micro, BitDefender, AVAST, F-Secure, McAfee, 360 Security, Citrix, Symantec, Morphisec, Malwarebytes, Checkpoint, Ahnlab, Cylance, Sophos, CyberArk, Citrix, BullGuard, Panda Security, Fortinet, Emsisoft, ESET, K7 TotalSecurity, Kaspersky, AVG, CMC Internet Security, Samsung Smart Security ESCORT, Moon Secure, NOD32, PC Matic, SentryBay
Blocked products are denied access to the loaded PDF file, which means that malicious code can't be detected or stopped by the products during the loading phase.
Security tools inject DLLs (Dynamic Link Libraries) into applications as they are launched on the system; this injection is what gives the tool visibility into the process. The blocking prevents the injection from taking place.
According to the report, Adobe Acrobat uses the Chromium Embedded Framework (CEF) Dynamic Link Library, libcef.dll, in two of its processes. The Chromium component ships with a blacklist of its own to prevent issues and conflicts with injected DLL files. Software companies that use libcef.dll may customize this blacklist, and it appears that Adobe has done exactly that, adding the DLL files of security products to it.
Minerva Labs notes that the outcome of the blocking "could potentially be catastrophic". Besides reduced visibility, which "hinders detection and prevention capabilities inside the process and inside every created child processes", it is limiting the security application's means to monitor activity and to determine context.
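A defender's first question after reading this is whether their own product's module is in fact present inside the CEF processes. The following script is an added example written for this article; it is not code from Adobe, Minerva Labs or any security vendor. It parses the output of the Windows command `tasklist /m`, identifies the processes that have libcef.dll loaded, and reports which expected security DLLs are missing from them. The process name `AcroCEF.exe` and the DLL name `exampleav_hook.dll` are assumptions used as placeholders, and the tasklist output is a constructed sample so the script runs offline.

```python
"""Check whether a security product's DLL is loaded inside CEF-hosting
processes, using `tasklist /m` output. Added example, not vendor code."""
import re

# Constructed sample of `tasklist /m` output. On a real Windows host you
# would capture it with: tasklist /m  (continuation lines are indented).
SAMPLE_TASKLIST = """\
Image Name                     PID Modules
========================= ======== ============================================
AcroCEF.exe                   4321 ntdll.dll, KERNEL32.DLL, KERNELBASE.dll,
                                   libcef.dll, USER32.dll, GDI32.dll
notepad.exe                   2222 ntdll.dll, KERNEL32.DLL,
                                   exampleav_hook.dll
svchost.exe                    900 N/A
"""

# Placeholder name for your own product's injected module (assumption).
EXPECTED_SECURITY_DLLS = ["exampleav_hook.dll"]


def parse_tasklist_modules(text):
    """Return {(image_name, pid): [lower-cased module names]} from
    `tasklist /m` output. Handles wrapped module lists and 'N/A'."""
    procs = {}
    current = None
    seen_separator = False
    for line in text.splitlines():
        if not seen_separator:          # skip the header until the ==== line
            seen_separator = line.startswith("=")
            continue
        if not line.strip():
            continue
        if line[0] != " ":              # new process entry: name, pid, modules
            match = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
            if not match:
                continue
            current = (match.group(1), int(match.group(2)))
            procs[current] = []
            modules = match.group(3)
        else:                           # indented continuation of the list
            if current is None:
                continue
            modules = line.strip()
        if modules.strip().upper() == "N/A":
            continue
        procs[current].extend(
            m.strip().lower() for m in modules.split(",") if m.strip()
        )
    return procs


def cef_processes(procs):
    """Processes that host the Chromium Embedded Framework (libcef.dll)."""
    return [key for key, mods in procs.items() if "libcef.dll" in mods]


def security_module_gaps(procs, expected_dlls):
    """For every CEF-hosting process, list expected security DLLs that are
    NOT loaded. A non-empty list means the product has no hooks there."""
    expected = [d.lower() for d in expected_dlls]
    gaps = {}
    for key in cef_processes(procs):
        loaded = set(procs[key])
        gaps[key] = [d for d in expected if d not in loaded]
    return gaps


if __name__ == "__main__":
    parsed = parse_tasklist_modules(SAMPLE_TASKLIST)
    for (name, pid), missing in security_module_gaps(parsed, EXPECTED_SECURITY_DLLS).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{name} (PID {pid}): {status}")
```

Run it against live output by replacing SAMPLE_TASKLIST with the captured text; a CEF process that reports your module as missing is exactly the visibility gap the report describes, and is worth raising with the vendor and with Adobe.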
It would be easy enough for a threat actor to add a command in the 'OpenAction' section of a PDF, which can then execute PowerShell, which could, for example, download the next-stage malware and execute it reflectively. None of these actions would be detected if the security product's hooks are missing.
Minerva Labs contacted Adobe to find out why security products are blocked by Adobe Acrobat. Adobe replied that this is due to "incompatibility with Adobe Acrobat's usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues".
In other words: Adobe has chosen to address stability issues by blocking security processes. Minerva Labs points out that Adobe picked convenience and the insertion of a "malware-like" behavior over resolving the issue permanently.
Bleeping Computer received a similar answer when the site contacted Adobe. Adobe confirmed that it was working with vendors of the security products to address the incompatibilities and to "ensure proper functionality with Acrobat's CEF sandbox design going forward".
Now You: do you use Adobe Acrobat Reader or another PDF application?