Adobe actively blocks several anti-virus tools from scanning PDF documents loaded by its Adobe Acrobat Reader application, according to a security report published by Minerva Labs.
The company has found evidence that Adobe blocks about 30 different security products from scanning uploaded PDF documents. The list reads like the who is who of security companies, with one notable exception. Products from Trend Micro, McAfee, Symantec, ESET, Kaspersky, Malwarebytes, Avast, BitDefender and Sophos are blocked, according to the report. The one notable exception, at least from a market share perspective, is Microsoft Defender, which is not blocked by Adobe’s software.
Here is the full list of affected companies and products:
Trend Micro, BitDefender, AVAST, F-Secure, McAfee, 360 Security, Citrix, Symantec, Morphisec, Malwarebytes, Checkpoint, Ahnlab, Cylance, Sophos, CyberArk, Citrix, BullGuard, Panda Security, Fortinet, Emsisoft, ESET, K7 TotalSecurity, Kaspersky, AVG, CMC Internet Security, Samsung Smart Security ESCORT, Moon Secure, NOD32, PC Matic, SentryBay
Blocked products are denied access to the PDF file as it is loaded, which means that malicious code in the document cannot be detected or stopped by those products at that stage.
Security tools inject DLLs (Dynamic Link Libraries) into applications that are launched on the system; this is necessary to monitor what those applications do. The block prevents that injection from taking place.
According to the report, Adobe Acrobat uses the Chromium Embedded Framework (CEF) library, libcef.dll, in two processes. The Chromium component ships with its own blacklist of DLLs to avoid problems and conflicts with known-incompatible modules. Vendors that embed libcef.dll can customize this blacklist, and it appears that Adobe did so to add security product DLLs to it.
Minerva Labs notes that the result of the block “could potentially be catastrophic.” In addition to reduced visibility, which “hinders detection and prevention capabilities inside the process and inside each child process created”, it limits the security application’s ability to monitor activity and determine the context.
It would be quite easy for a malicious actor to add a command in the “OpenAction” section of a PDF, which can then run PowerShell to, for example, download the next-stage malware and execute it. None of these actions would be detected if the security product’s hooks are missing.
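A defender’s counterpart to the OpenAction scenario above, as an added example that is not from the Minerva report or from Adobe: a small scanner that reads a PDF’s raw bytes, follows every /OpenAction entry to its action dictionary and flags action types that can execute code or reach the network. The sample PDFs are constructed inline; object names and the set of flagged action types are this example’s own assumptions.

```python
import re

# Action subtypes that a document should not normally need to trigger on open;
# each can run code or cause network activity as soon as the file is displayed.
SUSPICIOUS_ACTIONS = {"JavaScript", "Launch", "URI", "SubmitForm", "ImportData", "GoToR"}

def _object_body(pdf: bytes, num: int) -> bytes:
    """Return the raw body of indirect object `num` (generation number ignored)."""
    m = re.search(rb"(?<![0-9])%d\s+\d+\s+obj\b(.*?)\bendobj" % num, pdf, re.S)
    return m.group(1) if m else b""

def open_action_types(pdf: bytes) -> list[str]:
    """Collect the /S subtype of every action reachable from an /OpenAction entry.

    Handles both an inline dictionary (<< ... >>) and an indirect reference
    (N G R). Objects hidden inside compressed object streams or encrypted
    files are not visible to this raw-byte scan, so treat a miss as 'unknown',
    not as 'clean'."""
    types = []
    for m in re.finditer(rb"/OpenAction\s*(<<.*?>>|(\d+)\s+\d+\s+R)", pdf, re.S):
        body = m.group(1) if m.group(2) is None else _object_body(pdf, int(m.group(2)))
        s = re.search(rb"/S\s*/([A-Za-z]+)", body)
        types.append(s.group(1).decode() if s else "unknown")
    return types

def flag_pdf(pdf: bytes) -> tuple[bool, list[str]]:
    """Return (is_suspicious, list of suspicious OpenAction types found)."""
    hits = [t for t in open_action_types(pdf) if t in SUSPICIOUS_ACTIONS]
    return bool(hits), hits

# Constructed sample: the catalog's OpenAction points at a JavaScript action object.
SAMPLE_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert("opened")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a benign inline OpenAction that only jumps to a page.
SAMPLE_GOTO = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /GoTo /D [2 0 R /Fit] >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, doc in (("js", SAMPLE_JS), ("goto", SAMPLE_GOTO)):
        print(name, flag_pdf(doc))
```

Because this works on uncompressed syntax only, it is a triage heuristic to run alongside, not instead of, a full PDF parser that can expand object streams.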
Minerva Labs contacted Adobe to find out why security products are blocked by Adobe Acrobat. Adobe responded that “this is due to ‘an incompatibility with Adobe Acrobat’s use of CEF, a Chromium-based engine with restricted sandbox design, and may cause stability issues’”.
In other words: Adobe has chosen to address stability issues by blocking security processes. Minerva Labs points out that Adobe chose convenience and the insertion of “malware-like” behavior over fixing the problem permanently.
Bleeping Computer received a similar response when the site contacted Adobe. Adobe confirmed that it is working with security vendors to resolve incompatibilities and “ensure proper functionality with Acrobat’s CEF sandbox design in the future.”
Now you: Do you use Adobe Acrobat Reader or another PDF application?