Environment
- Endpoint Standard Sensor: 3.6.x and Below
- Microsoft Windows: All Supported Versions
- Adobe Reader: All Versions
- Adobe Acrobat Pro: All Versions
Symptoms
- Block events with no user pop-up notification
- Block events may contain wording such as "C:\users\exampleuser\ExampleFile.pdf attempted to inject code into the process "C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe" by calling the function "SetWindowsHookExW". The operation was blocked and the application terminated by Confer"
- Application is prevented from completing operation, and may quit
Cause
Resolution
Add an API bypass rule for C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe:
- Applications at path: *:\**\AcroRd32.exe
- Operation Attempt: Performs any API operation
- Action: Bypass
OR
Remove the Blocking & Isolation rule for:
- Applications at path: **\*.pdf
- Operation Attempt: Injects code or modifies memory of another process
- Action: Terminate process
Additional Notes
- This issue will be addressed with the release of the 3.7 Sensor (release date as yet undetermined, but likely end of Q1 2021)
- This article will be updated once the release and fix have been confirmed