Maybe you read my PDF + DOC malicious document diary entry, or maybe even you tested your system with my PDF + DOC test file, and maybe you wondered if you could change Adobe Reader's behavior. Well, no more "maybes": you can. Years ago, when PDF malware was the most widespread malicious document type, disabling JavaScript in Adobe Reader was a recommendation. But you can also prevent Adobe Reader from opening embedded files and launching the associated application. Here is the setting in the Trust Manager to do this: And if PDF attachments are important in your organization, this setting will not prevent attachments from being saved (extracted). Only from being launched from within Adobe Reader. I also have a video showing the effects of this setting (plus the JavaScript setting).
Didier Stevens |
DidierStevens 524 Posts ISC Handler Sep 19th 2015 |
Thread locked Subscribe |
Sep 19th 2015 5 years ago |
I have disabled that setting for years without any adverse effects in my environment.
The registry settings for that (and a couple of others I change) in v11 are: HKCU\Software\Adobe\Adobe {Acrobat | Reader}\11.0\Originals\bAllowOpenFile = 0 HKCU\Software\Adobe\Adobe {Acrobat | Reader}\11.0\JSPrefs\bEnableGlobalSecurity = 1 HKCU\Software\Adobe\Adobe {Acrobat | Reader}\11.0\JSPrefs\bEnableJS = 0 |
K-Dee 66 Posts |
Quote |
Sep 21st 2015 5 years ago |
I was wondering. After some extensive searching I have not been able to find ADM or ADMX files for Adobe DC reflecting the ability to make the change discussed above via group policy.
I've seen a bunch of posts from others on the internet saying they had to manually create these registry changes to affect previous versions of Adobe, ergo Reader XI. Seeing as Adobe Reader DC is located in HKLM\Software\Wow6432Node\Adobe\Acrobat Reader (and not HKCU\Software\Adobe\Acrobat Reader\11.0) how would one go about making these changes for an enterprise organization? |
K-Dee 1 Posts |
Quote |
Sep 21st 2015 5 years ago |
I have always had to do it "manually" with my patch server..... which was a little tougher with the settings located in HKCU. (Had to use a VBS script to iterate thru all of the user profiles)
But if those settings are now located in HKLM with DC versions and newer, then that makes it MUCH easier to push out with a REG file. |
K-Dee 66 Posts |
Quote |
Sep 21st 2015 5 years ago |
There are tons of registry settings to harden Reader (disable javascript, 3D, external docs, cloud...).
Nice read from NSA + Recommendations for Configuring Adobe Acrobat Reader XI in a Windows Environment http://www.nsa.gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.pdf |
Julien 10 Posts |
Quote |
Sep 22nd 2015 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!