Adobe Reader X does not start in protected mode when NTP is enabled

  • 1.  Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 19, 2010 02:44 PM

    Installed the new Adobe Reader X (v10) today, which uses new sandboxing technology. Unfortunately it refuses to start in protected mode when you have SEP with NTP installed. On machines without NTP, Adobe Reader starts in protected mode. The SEP firewall is disabled and the Application and Device Control policy only protects Symantec services and registry entries.

    Adobe Reader X Anti-virus software conflicts

    By default, Adobe Reader X runs in Protected Mode. In certain situations Reader experiences compatibility issues with anti-virus software when that software intercepts some system calls for the Reader sandbox. In these cases, Reader could fail to open or crash after displaying an incompatible-configuration dialog.

    For example, Protected Mode is known to be incompatible with:

    • Some Symantec Endpoint Protection configurations.

    http://kb2.adobe.com/cps/860/cpsid_86063.html#main_antivirus

    Software vendors who are deploying such cutting edge sandboxing technology are working with anti-virus companies to resolve these problems.



  • 2.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 19, 2010 03:07 PM

    Very good to know. Thanks for posting this.



  • 3.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 19, 2010 06:12 PM

    That's right, SEP interferes with protected mode of Adobe Reader 10.

    When does Symantec intend to release a fix for SEP?



  • 4.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 20, 2010 12:04 AM

    No time frame.

    Adobe is working with various AV vendors.



  • 5.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 20, 2010 12:23 AM

    Have you tried with RU6 MP1? Please try calling support once. They would either fix it, or would create a defect, so that it could be fixed....



  • 6.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 22, 2010 01:10 AM

    I contacted Symantec Support & the guy I spoke to knew nothing of the issue.

    I've been able to find a workaround, uninstalling NTP & rebooting will allow protected mode to run, but of course you're removing a core feature of SEP to make Reader more secure...



  • 7.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 22, 2010 05:18 AM

    Here is the exact workaround,

     

    The problem is not with NTP but with Application and Device Control (ADC). I withdrew the ADC policy alone and rebooted the PC. You should be able to open Adobe Reader X with protected mode enabled.

    Note: ADC is disabled by default when you uninstall NTP component.



  • 8.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 22, 2010 05:29 AM

    The problem is not only with SEP. It's not working with other AV programs as well. Adobe is still working on it.

     



  • 9.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 22, 2010 06:18 AM

    I would say, call support and let them analyse the logs etc...to come up with a possible defect, so that a fix could be made available....



  • 10.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 22, 2010 08:35 AM

    Nice to know, we are planning on rolling out Adobe Reader X here shortly. Thanks!



  • 11.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 24, 2010 05:32 PM

    I have been performing some testing, similar to Ted's, and have not been able to reproduce this issue with SEP RU6MP1. Unfortunately I have not had a chance to create an image running an older build of SEP to test with.

    Anyone running RU5 with Application and Device Control should certainly migrate to RU6MP1 to address the known issues with ADC in RU5.

    I can post more information once I have tested further.



  • 12.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 24, 2010 06:22 PM

    I have tested on 3 different OSes so far and was not able to reproduce this. Here are the OSes I tested and SEP client configurations.

    Note that 64-bit OSes don't use A&D Control, but I tested them anyway to be thorough.

    Managed SEP Client on Windows XP Pro SP3 = working fine.

    Managed SEP Client on Win 2008 R2 Server = working fine.

    Unmanaged SEP Client on Windows XP Pro SP3 = working fine.

    Managed SEP Client on Win 7 Enterprise 64-bit = working fine.

    All machines are running RU6MP1 with the Application and Device Control policy enabled.

    No one having the issue has mentioned which build of SEP they are running. I'm suspecting it's an older build, as I'm having no luck reproducing this with RU6MP1.

    EDIT: OK, further testing has resulted in me and my fellow employee being able to reproduce the issue as long as we have A&D Control protecting Symantec services and registry keys. Have not tried any other options at this point.



  • 13.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 25, 2010 02:33 AM

    The machines I tested it on were all Windows 7 32bit machines with SEP version 11.0.6100.645 installed. On these machines Adobe Reader X could not start in protected mode. These machines have ADC policy protecting Symantec Services and Registry keys.

     



  • 14.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 25, 2010 11:48 AM

    Same here:
    Windows XP and 7 32bit machines with SEP version 11.0.6100.645 have this error message.
    Win 7 64bit machine with SEP version 11.0.6100.645 = no problem.

    ADC policy protecting Registry keys, enabled or disabled, makes no difference.



  • 15.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 26, 2010 03:47 AM

    Hi Kurt

    am I the only one or two having this problem?
    Are you still testing?

    HansZ



  • 16.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Nov 29, 2010 11:48 AM

    We are having the same issue, with Windows XP SP3, SEP 11.0.6100. I have not removed NTP or the ADC policy to verify that is the specific issue.



  • 17.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Dec 07, 2010 01:29 PM

    Is it safe to install X if you are not using application device control? We have NTP configured. I'm going to test a GP deployment. 

     

    Thanks

    Mike



  • 18.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Dec 07, 2010 01:41 PM

    X is running fine for me with the NTP component installed and policy enabled.

    I have the ADC component installed but the policy is disabled.

    XP SP3



  • 19.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Dec 08, 2010 06:57 AM

    ok, I'm going to test it out today, and see if everything works. Thanks for the heads up.



  • 20.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Dec 08, 2010 07:33 AM

    I know not directly related to SEP, but for anyone looking to deploy X via GP Adobe has not released their customization wizard for 10 yet. That's a drag because you can't create transform files to auto accept the EULA, etc... etc...

     

    So, I think at least for now I'll stick with 9.4.

     

    Mike

     



  • 21.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 04, 2011 06:53 AM

    Happy new year

    still no solution for: Windows 7 32bit machines with SEP version 11.0.6100.645 ?

    It's a bit odd, isn't it?



  • 22.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 04, 2011 07:46 AM

    If there is a solution, it would likely be available in MP3...I doubt an out of band patch would be released for something like this.



  • 23.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 04, 2011 02:56 PM

    Just realized there is an MP2 release (11.0.6200.754)

    Problem gone...



  • 24.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 04, 2011 05:11 PM

    The KB article on the Adobe site was updated and apparently the problem should be fixed in MP2:

    http://kb2.adobe.com/cps/860/cpsid_86063.html

    Anti-virus software conflicts

    By default, Adobe Reader X runs in Protected Mode. In certain situations Reader experiences compatibility issues with anti-virus software when that software intercepts some system calls for the Reader sandbox. In these cases, Reader could fail to open or crash after displaying an incompatible-configuration dialog.

    For example, Protected Mode is known to be incompatible with:

    • Some Symantec Endpoint Protection configurations for versions earlier than 11.0.6200. You can get the latest software by going to https://fileconnect.symantec.com/, logging in with your serial number, and downloading the software under Symantec Endpoint Protection 11.0.

    The only problem I have is that with our configuration protected mode still didn't work with MP2. We are using ADC policies that are based on the ADC+SEP Hardening from Symantec.

    http://www.symantec.com/business/support/index?page=content&id=TECH132337&actp=search&viewlocale=en_US&searchid=1294178107683

    If I have rule AC20 enabled Reader X won't start in protected mode. The message you get is:

    Application and Device Control rule Prevent Process Launching [AC20-1.2]_CreateProcess has blocked AcroRd32.exe trying to access AcroRd32.exe Process Launching Blocked

    I had already added eula.exe to the exception processes of rule [AC20-1.2], but if you add AcroRd32.exe to these exceptions Adobe Reader X will start in Protected Mode.
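Added example, not part of the original post and not Symantec or Adobe code: a small triage script that parses ADC block messages shaped like the one quoted above and reports rules that stopped a process from launching itself, which is the pattern a sandbox broker starting its own restricted child produces. The regular expression is modelled only on that single quoted message; the layout of other ADC messages, and the second and third sample lines, are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Layout inferred from the one message quoted in the thread (assumption):
# "... rule <name> [<rule id>]_<API> has blocked <caller> trying to access <target> ..."
# Process names containing spaces are not handled by this sketch.
ADC_BLOCK = re.compile(
    r"Application and Device Control rule (?P<name>.+?) "
    r"\[(?P<rule>[A-Z]+\d+-[\d.]+)\]_(?P<api>\w+) has blocked "
    r"(?P<caller>\S+) trying to access (?P<target>\S+)"
)


def parse_block(message):
    """Return the fields of one ADC block message, or None if it does not match."""
    match = ADC_BLOCK.search(message)
    return match.groupdict() if match else None


def self_launch_blocks(messages):
    """Map rule id -> processes that were blocked from launching themselves.

    A CreateProcess block where caller == target suggests a broker process
    failing to start its own sandboxed child, as with AcroRd32.exe here.
    """
    hits = defaultdict(set)
    for message in messages:
        event = parse_block(message)
        if event is None or event["api"] != "CreateProcess":
            continue
        if event["caller"].lower() == event["target"].lower():
            hits[event["rule"]].add(event["caller"].lower())
    return {rule: sorted(procs) for rule, procs in hits.items()}


SAMPLE = [
    # Message quoted in the post above.
    "Application and Device Control rule Prevent Process Launching [AC20-1.2]"
    "_CreateProcess has blocked AcroRd32.exe trying to access AcroRd32.exe "
    "Process Launching Blocked",
    # Constructed: an ordinary block that is not a self-launch.
    "Application and Device Control rule Prevent Process Launching [AC20-1.2]"
    "_CreateProcess has blocked explorer.exe trying to access setup.exe "
    "Process Launching Blocked",
    # Constructed: a line that is not an ADC block message at all.
    "Scan complete, no risks found",
]

if __name__ == "__main__":
    for rule, procs in self_launch_blocks(SAMPLE).items():
        print(f"rule {rule} blocked self-launch of: {', '.join(procs)}")
```

Each rule it reports is a candidate for a narrowly scoped process exception review rather than for disabling ADC as a whole.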



  • 25.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 13, 2011 11:39 AM

    Same exact things here, but we're not protecting the registry. 

    We have A&D control preventing certain devices from being used, and app control preventing some apps from installing or running from certain spots.

    It is protecting Symantec services as well, but I don't see protecting Symantec services as having anything to do with much.........

    Musings: Good old Adobe - *some of the worst issues on earth as far as security* in Flash and Reader, and they don't test their software with AV products before dumping it out. Once again, Adobe does it good. Even out Microsoft'ed Microsoft on security holes per week.

    We simply want to open, read and print PDF files, why does it have to be so complex..........



  • 26.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 13, 2011 11:45 AM

    What is rule AC20-1.2 and where is it found? So far I've not seen any of the built-in rules to be findable......... I'm probably missing something obvious.



  • 27.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 13, 2011 11:47 AM

    I don't think the rule matters. I believe this happens if ADC is even enabled, regardless of the rule being used.



  • 28.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 13, 2011 11:49 AM

    Looks like you are correct..............



  • 29.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 13, 2011 03:05 PM

    I imported the "ADC SEP Hardening policy" that you can download from Symantec on the page specified below:

    http://www.symantec.com/business/support/index?page=content&id=TECH132337&actp=search&viewlocale=en_US&searchid=1294178107683

    This policy contains several Application Control Rule sets. The description of each rule set contains a different label (e.g. AC20). Each rule contained in the ruleset is uniquely numbered as well (e.g. [AC20]-1.1).

    If I make the changes I mentioned in an earlier post to the policy supplied by Symantec in combination with MP2 (11.0.6200.754) I can run Acrobat Reader X in protected mode with ADC enabled.



  • 30.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 13, 2011 03:23 PM

    While I REALLY appreciate their supplying rule-sets, etc. - the problem I have with them is this:

    I already have a complex set of application control rules. Each set has some complex and specific exclusions to allow IE, for example, to work with certain webinar software. It prevents JAVA risks, while allowing valid JAVA upgrades/updates and so on.

    So if I download Symantec's set of rules, and use that, then mine go away. I'd prefer to actually integrate or ADD their rules to my own complex set to further harden what I've done. (Frankly, a number of their things are a whole lot like those I posted many months ago, and uploaded as well, although I know theirs have to be improved and cleaned up!)

    So how can I use bits and pieces of theirs, and not make mine go away?



  • 31.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 13, 2011 03:57 PM

    You can import this ADC policy (or any other policy). You don't have to assign it to any group. You can then edit the policy you imported.

    Go to the Application Control section of the imported policy. You can right click on each individual Application Control Rule Set and Copy it to the clipboard.

    Close the policy and edit another policy. Go to Application Control, right click and choose Paste.



  • 32.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 13, 2011 04:01 PM

    You mean there's a copy and paste option in the policy editing part of SEPM?

    Holy buckets...... wish I could give 10 thumbs-up on that one. LOL - I REALLY can't believe after these years I've missed that. I've been taking screen shots, printing them, then looking at the printed copies and recreating them into new policies all this time. Do I really feel dumb.



  • 33.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 13, 2011 04:21 PM

    Shadows, you get a thumbs up for feeling better (and welcome back BTW) and for enabling me to LOL really hard... 



  • 34.  RE: Adobe Reader X does not start in protected mode when NTP is enabled

    Posted Jan 13, 2011 04:47 PM

    That Symantec example policy is great. I did import it into the generic policies area, grabbed some via copy, then pasted them into my app control policy. There were a couple that were very much like what I was doing, but Symantec's were cleaner so I used them to replace my own. More to go, but it's a great start - and maybe now we can make SEP and Acrobat reader work together.

    Thanks - yeah, I was laughing at myself for a bit there, too.
    On me myself, wow, what a year, what a life! Done with PT - arm is mostly back to where I can do things again - little pain, still have homework, curls and weights to get the strength back and the bicep is once again working. No pain where they reattached things. Typing and computer use is normal and pain-free again.  And a few weeks ago I learned something that sure explains who/what I am and how I am. AD/HD. Not just a little, I peg and max every psych test. LOL - now I know why some friends in the past have called me intense. I guess I thought this was "normal". Guess not! It's not a bad thing, though - it does explain how I can do such detailed work and literally hyper-focus. for someone like me, there is no thinking outside of the box because no box exists! I also know why to this day, 6+ years later, I can't remember the names of half the people who work in this building.
    With my arm more normal (doc says still don't lift any 200 pound transmissions or engine blocks just yet) and a bit of insight maybe now I can work on taking advantage of the "hunter/gatherer" but a bit scattered brain I've been wired with.