Adobe Acrobat Reader blocking antivirus tools from scanning loaded PDF documents

jvickers · Jun 22, 2022

Hm... this leads me to wonder if Adobe Acrobat Pro blocks antivirus programs as well. I use Symantec's Norton 360.

Mooly · Jun 22, 2022

Adobe is blocking several antivirus tools actively from scanning PDF documents loaded by its Adobe Acrobat Reader application.....

Would/should an application (so Adobe in this case) interfering with an AV product not be classed as potential malware by the running AV product?

Perhaps Defender actually would flag the product as malicious as it detected it was being inhibited in some way and so that is why Defender is not actively blocked. Maybe it is one of the few products that can detect this behaviour.

If an application can do this then what is stop similar strategies being used by true malware. And what good are products that can not detect this happening?

Ghot · Jun 22, 2022

jvickers said:
Hm... this leads me to wonder if Adobe Acrobat Pro blocks antivirus programs as well. I use Symantec's Norton 360.

Here is the full list of affected companies and products:

Trend Micro, BitDefender, AVAST, F-Secure, McAfee, 360 Security, Citrix, Symantec, Morphisec, Malwarebytes, Checkpoint, Ahnlab, Cylance, Sophos, CyberArk, Citrix, BullGuard, Panda Security, Fortinet, Emsisoft, ESET, K7 TotalSecurity, Kaspersky, AVG, CMC Internet Security, Samsung Smart Security ESCORT, Moon Secure, NOD32, PC Matic, SentryBay

Click to expand...

Adobe's software doesn't block MS Defender, just everyone else. Seems a bit suspicious to me. ^^

Superfly · Jun 22, 2022

Mooly said:
Would/should an application (so Adobe in this case) interfering with an AV product not be classed as potential malware by the running AV product?

Perhaps Defender actually would flag the product as malicious as it detected it was being inhibited in some way and so that is why Defender is not actively blocked. Maybe it is one of the few products that can detect this behaviour.

If an application can do this then what is stop similar strategies being used by true malware. And what good are products that can not detect this happening?

Adobe, or any vendor for that matter, cannot thwart AV IMHO - the AV lies in the kernel process (highest in the OS hierarchy) and will block any attempt by way of heuristics - Adobe is trying to catch those AV checks so that it can implement an "exception rule " in it's app that the AV does not impede it's functioning. Not sure why Win Defender is excluded, however - I never really thought much of it anyway, but that's besides the point.
BTW I'm just a security enthusiast, no expert - so my opinion only.

Ghot · Jun 22, 2022

Superfly said:
Adobe, or any vendor for that matter, cannot thwart AV IMHO - the AV lies in the kernel process (highest in the OS hierarchy) and will block any attempt by way of heuristics - Adobe is trying to catch those AV checks so that it can implement an "exception rule " in it's app that the AV does not impede it's functioning. Not sure why Win Defender is excluded, however - I never really thought much of it anyway, but that's besides the point.
BTW I'm just a security enthusiast, no expert - so my opinion only.

I've always been surprised by how many programs actually DO have kernel access.
I haven't used Adobe Reader for over 15 years, but someone who does, may want to check that.

Superfly · Jun 22, 2022

Ghot said:
I've always been surprised by how many programs actually DO have kernel access.
I haven't used Adobe Reader for over 15 years, but someone who does, may want to check that.

As with Linux, drivers have to be compiled into the kernel - only MS can compile the Windows kernel so they will have to vet whatever goes into it - I would be very surprised if they allowed a non-AV in there.

Ghot · Jun 22, 2022

Superfly said:
As with Linux, drivers have to be compiled into the kernel - only MS can compile the Windows kernel so they will have to vet whatever goes into it - I would be very surprised if they allowed a non-AV in there.

For example...
AIDA64 has a kernel driver
Most backup softwares that "guard" their backups, have kernel drivers.
Most software that requires a reboot during install and/or uninstall has a kernel component.
And definitely drivers, as you pointed out.

All I still remember about Adobe is that it was terribly bloated. Nero was like that as well.
In either case, I would suspect them as having kernel components as well.

I was just looking at Autorun's Driver tab, and noticed this...

I've never had anything Adobe on Win 11 or Win 10.
But I do remember that fonts are loaded at boot. Too many fonts will drastically slow the boot times.

But... as you also mentioned, this is all more of a hobby of mine, than anything exacting. :)

/edit

I bet Revo Uninstaller has a kernel component. It would almost have to I would think.
Maybe Winaero Tweaker as well. Probably Autoruns, too.

Superfly · Jun 22, 2022

Ghot said:
For example...
AIDA64 has a kernel driver
Most backup softwares that "guard" their backups, have kernel drivers.
Most software that requires a reboot during install and/or uninstall has a kernel component.
And definitely drivers, as you pointed out.

All I still remember about Adobe is that it was terribly bloated. Nero was like that as well.
In either case, I would suspect them as having kernel components as well.

I was just looking at Autorun's Driver tab, and noticed this...

View attachment 32068

I've never had anything Adobe on Win 11 or Win 10.
But I do remember that fonts are loaded at boot. Too many fonts will drastically slow the boot times.

But... as you also mentioned, this is all more of a hobby of mine, than anything exacting. :)

/edit

I bet Revo Uninstaller has a kernel component. It would almost have to I would think.

These are not related to the Windows NT kernel.

Eg: kerneld.x64 Windows process - What is it?

Ghot · Jun 22, 2022

Superfly said:
These are not related to the Windows NT kernel.

Eg: kerneld.x64 Windows process - What is it?

I'm confused.
I know it's not essential for Windows, but it is definitely essential for AIDA64.

The things in this pic are why I assume AIDA64 has a kernel driver, or access at least.

Superfly · Jun 22, 2022

Ghot said:
For example...
AIDA64 has a kernel driver
Most backup softwares that "guard" their backups, have kernel drivers.
Most software that requires a reboot during install and/or uninstall has a kernel component.
And definitely drivers, as you pointed out.

All I still remember about Adobe is that it was terribly bloated. Nero was like that as well.
In either case, I would suspect them as having kernel components as well.

I was just looking at Autorun's Driver tab, and noticed this...

View attachment 32068

I've never had anything Adobe on Win 11 or Win 10.
But I do remember that fonts are loaded at boot. Too many fonts will drastically slow the boot times.

But... as you also mentioned, this is all more of a hobby of mine, than anything exacting. :)

/edit

I bet Revo Uninstaller has a kernel component. It would almost have to I would think.

These are not related to the Windows ntskernel.

Eg: kerneld.x64 Windows process - What is it?

Ghot said:
I'm confused.
I know it's not essential for Windows, but it is definitely essential for AIDA64.

The things in this pic are why I assume AIDA64 has a kernel driver.
View attachment 32070

Yep it's in RAM like SMBIOS ... the 'kernel' driver is just to access the info - not part of Windows. I don't know the app that well just an educated guess.

Ghot · Jun 22, 2022

Superfly said:
These are not related to the Windows ntskernel.

Eg: kerneld.x64 Windows process - What is it?

Yep it's in RAM like SMBIOS ... the 'kernel' driver is just to access the info - not part of Windows. I don't know the app that well just an educated guess.

I'm just guessing myself.
Like Autoruns... it pretty much has to have kernel access.
It can start and stop anything... even Window's kernel drivers.

Superfly · Jun 22, 2022

Ghot said:
I'm just guessing myself.
Like Autoruns... it pretty much has to have kernel access.
It can start and stop anything... even Window's kernel drivers.

No it does not need kernel access - what it spawns can but that's a whole different topic. I don't use all these apps but believe me if MS allows manipulation of the kernel we are in deep doo-doo!

Ghot · Jun 22, 2022

Superfly said:
No it does not need kernel access - what it spawns can but that's a whole different topic. I don't use all these apps but believe me if MS allows manipulation of the kernel we are in deep doo-doo!

For example... I can uncheck any or all of these. I've used this to absolutely stop Defender.

Sysinternals - Sysinternals

Library, learning resources, downloads, support, and community. Evaluate and find out how to install, deploy, and maintain Windows with Sysinternals utilities.

docs.microsoft.com

Superfly · Jun 22, 2022

Ghot said:
For example... I can uncheck any or all of these. I've used this to absolutely stop Defender.

View attachment 32071

Sysinternals - Sysinternals

Library, learning resources, downloads, support, and community. Evaluate and find out how to install, deploy, and maintain Windows with Sysinternals utilities.

docs.microsoft.com

Yep those are spawned but you can't get rid of eg: mpsdrv as it's embedded in the kernel... you can just stop execution.

Edit: Anyway past my bedtime - nice discussion tho' cheers mate.

Ghot · Jun 22, 2022

Superfly said:
Yep those are spawned but you can't get rid of eg: mpsdrv as it's embedded in the kernel... you can just stop execution.

Now I'm tempted to try to get rid of c:\windows\system32\drivers\mpsdrv.sys

Maybe after my next backup.

Superfly · Jun 22, 2022

Ghot said:
Now I'm tempted to try to get rid of mpsdrv.

LOL.. good luck... off to bed now.. early start in the am. for me

Ghot · Jun 22, 2022

Superfly said:
LOL.. good luck... off to bed now.. early start in the am. for me

Gnite.

I know... I'll turn myself into a Kernel Driver Hunter...

Adobe Acrobat Reader blocking antivirus tools from scanning loaded PDF documents

The lunatics have taken over the asylum

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Similar threads