Report: Adobe Reader is blocking antivirus tools from scanning loaded PDF documents

Discussion in 'other anti-virus software' started by JRViejo, Jun 22, 2022.

  1. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    85,904
    Location:
    U.S.A.
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,831
    Location:
    USA
    I assume the general consensus will be to get rid of it and use something else?
     
  3. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,108
    Location:
    Baden Germany
  4. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,108
    Location:
    Baden Germany
    It's flagrant, that Adobe Reader blocks 30 well know security apps from scanning loaded PDFs.
    With the except of MS Defender, which is sovereign.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,756
    Location:
    Slovenia, EU
    I somehow doubt that they actually checked for possible incompatibilities with all those AVs but rather just blacklisted them all. Kind off "guilty until proven innocent"...
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,454
    ESET should not be affected. Moreover there's no ESET dll listed in the "Full list of DLL queries" table.
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,831
    Location:
    USA
    Interesting as they were mentioned specifically in the article. Good to know. Thanks for posting.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    4,883
    half baked as usual.
    - adobe is locking for its exclusive access as always, this is not new.
    - used pdf files have already been scanned before, writing files always trigger a file scan. and this is also happening with files from the web, either temporary or saving for later.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    16,376
    Location:
    The Netherlands
    Yes exactly, what a piece of garbage. It has always been a security risk, and now they are even making it worse. Shame on Adobe! However, why do AV's need to inject .dll files in order to scan stuff?
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,831
    Location:
    USA
    Maybe for the sandbox?
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    4,883
    assumption based on what?
    pdf files cant execute dll files by injection :rolleyes:
     
  12. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,108
    Location:
    Baden Germany
    But pdf files can contain Java commands and embedded files, like word files,
    and Adobe Reader is set to open them, by default.

    Adobe Reader was vulnerable, month after month, year by year.
    he's no longer necessary, as Edge can do all, most users need.
     
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    4,883
    to correct you: javascript.
    and yes, pdf can contain objects.
    but those are not executed by default.

    anyhow, the discussion has left the technical base because any file is scanned when dropped on the computer, or right before it is opened if scan-on-access is performed.

    and injections do not work on non-executive files, only for processes or other loaded libraries.
     
  14. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,831
    Location:
    USA
    True but this is about Adobe Reader and not the PDF files themselves.
     
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    4,883
    and? its about adobe reader blocking pdf files. files are scanned before so it do not matter if they cant be scanned while in use. and because adobe reader is blocking them the files cant be altered from other software.

    and offtopic:
    if the reader got injected, dont you think the reader could not be the main problem?
    windows defender has an anti-exploit detection which is injected into processes.
     
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,831
    Location:
    USA
    Except it's not. It's about Adobe Reader blocking injection of AV software. PDFs are another issue and if you open them with something else this does not apply.

    Yes, Adobe Reader is the problem here. You're not wrong with what you are saying, it just isn't what the article was about.
     
  17. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    4,883
    now i see, Brinkmann is mixing content, first is about pdf, second half is about injection.

    this is the point:
    did you know and did you complain at google that any chromium based is rejecting injections after start?
    this is valid since chromium v78 (maybe earlier, see below)
    https://security.stackexchange.com/...-chrome-78-block-all-methods-of-dll-injection
    and once started there is no further injection possible. Brinkmann is selling a lie.

    from the eset forum, i am pretty sure they are aware that eset is not on the list
    https://forum.eset.com/topic/16392-...cking-in-chrome-69-affect-endpoint-antivirus/

    please have in mind that ghacks is a news selling platform like other - not more, they dont need to be correct.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    16,376
    Location:
    The Netherlands
    I wasn't aware of the fact that files AV's can't scan files if they are not able to inject .dll files into them, a bit weird. You would think that they could scan files via system driver and I assume it's also not needed for cloud analysis.

    Seems like you didn't read the article good enough.
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,831
    Location:
    USA
    They don't need to do so to scan an idle file. They need to inject into Acrobat Reader to scan the file while it is open and it is more likely to run any malicious code there (macros, javascript, etc.) that may be missed in an idle file.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    16,376
    Location:
    The Netherlands
    OK I see, yes this does indeed makes sense, I forgot about this. Because anti-exploit tools also use this technique in order to block exploit techniques from boobytrapped files.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.