Adobe Acrobat Reader DC can't open in Protected Mode with EDR installed
Last Modified: 2023-07-13 05:12:27 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Adobe Acrobat Reader DC can't open in Protected Mode with EDR installed
Technical Articles ID:
KB95294
Last Modified: 2023-07-13 05:12:27 Etc/GMT Environment
Endpoint Detection and Response (EDR) 3.4.0 or later Adobe Acrobat Reader DC Summary
Recent updates to this article
Problem
PDFs can't open in Adobe Acrobat Reader DC in Protected mode, when EDR 3.4.0 or later is installed and the Trace Plug-in is enabled. When opening the document, the Adobe Acrobat Reader application either becomes unresponsive or displays the following error: Would you like to open Adobe Reader with Protected Mode disabled? You might also see the document search fail and stop responding (crash). Cause
The Adobe process creates a child process. When the child process initialization is delayed, Acrobat Reader assumes that the file failed to open. This behavior occurs in the absence of our products. The criteria to cause this issue isn't specific to our software and isn't our problem to resolve.
Solution
We've provided Adobe with sufficient instructions to identify the root cause of this issue and show the problem without Trellix software present. We recommend that you follow up with Adobe for a solution to the issue. If we learn of an available solution from Adobe, we'll update this article accordingly. To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Workaround 1
This issue occurs with the 32-bit version of Adobe Acrobat products, for example, Reader. Switch to a 64-bit version of the Adobe applications to resolve the issue.
Workaround 2
The cause of the issue is tied to an unquantified delay when Acrobat Reader creates the child process. You can retest the behavior with later versions of our software because optimizations in code might avoid the issue. NOTE: If the issue resolves after you update our software, it isn't a guarantee of resolution. The problematic code is still present if not resolved by Adobe. Workaround 3
IMPORTANT: Implement the following workaround only if you're running Adobe Acrobat Reader, you're facing this problem, and there's no solution from Adobe. This workaround (for example, excluding the Acrobat Reader process from EDR's Trace function) weakens the device's security posture and is considered a "last resort" option. Trellix doesn't recommend implementing this workaround as a permanent solution.
Exclude the Adobe Acrobat Reader Application:
Affected ProductsLanguages:This article is available in the following languages: |
|