Trust Overrides - Adobe 12001196 - Acrobat - Mac Manual

Application security guide

Application Security Guide
Note
The application uses an internal key. The actual key does not exist by default and so does not appear
until the key is manually created.

3.3.2 Trust overrides

None. Protected Mode (PM) is designed to protect users transparently and without impacting other features.

3.3.3 PM and shell extensions

While Protected Mode can be disabled for PDFs viewed with the product, Adobe continues to protect you
when third-party software invokes a Reader process; that is, Protected Mode sandboxing cannot be
disabled for shell extensions. For example, when you use Windows Explorer to preview a PDF in the
Preview Pane, it starts a Reader process to display the preview. In such cases, Task Manager shows that
two AcroRd32.exe processes spawn and that the operation is occurring with Protected Mode enabled.

3.3.4 Logging registry config

Logging is available for users who need to troubleshoot problems where a workflow or plugin does not
work when Protected Mode is enabled. The log may provide guidance as to whether a custom policy file
should be used to re-enable broken workflows or plugins.
In addition to enabling logging via the UI (above), you can turn on logging and configure a log file location
via the registry.
To enable logging, specify a log file location:
1. Go to HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Privileged.
2. Right click and choose New > REG_SZ Value.
3. Create tBrokerLogfilePath.
4. Right click on tBrokerLogfilePath and choose Modify.
5. Set the value. For example: C:\DOCUME~1\<username>\LOCALS~1\Temp\BrL4FBA.tmp.
Policy logging for a policy violation:
[08:12/13:46:16] real_path: \BaseNamedObjects\ZonesCacheCounterMutex
[08:12/13:46:16] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[08:12/13:46:16] NtCreateMutant: STATUS_ACCESS_DENIED
[08:12/13:46:16] real_path: \BaseNamedObjects\ZonesLockedCacheCounterMutex
[08:12/13:46:16] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[08:12/13:46:16] NtCreateKey: STATUS_ACCESS_DENIED
[08:12/13:46:16] real path: \REGISTRY\USER\S-1-5-21-762979615-2031575299-929701000-51250\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[08:12/13:46:16] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[08:12/13:46:16] NtCreateKey: STATUS_ACCESS_DENIED
[08:12/13:46:16] real path: \REGISTRY\USER\S-1-5-21-762979615-2031575299-929701000-51250\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[08:12/13:46:16] Consider modifying policy using this policy rule: REG_ALLOW_ANY
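
Added example (not part of Adobe's guide): a Python parser that groups broker log lines like the ones above into one record per denial and counts repeats per suggested rule and path, which is the view needed when deciding whether a custom policy file is warranted. It assumes each denial is written as a call/status line, then the real path, then the suggested rule, an ordering inferred from the excerpt; the function names are hypothetical and the sample is constructed from the excerpt with the SID replaced by a placeholder.

```python
import re
from collections import Counter

# Constructed sample adapted from the excerpt above; <SID> is a placeholder.
SAMPLE_LOG = r"""
[08:12/13:46:16] real_path: \BaseNamedObjects\ZonesCacheCounterMutex
[08:12/13:46:16] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[08:12/13:46:16] NtCreateMutant: STATUS_ACCESS_DENIED
[08:12/13:46:16] real_path: \BaseNamedObjects\ZonesLockedCacheCounterMutex
[08:12/13:46:16] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[08:12/13:46:16] NtCreateKey: STATUS_ACCESS_DENIED
[08:12/13:46:16] real path: \REGISTRY\USER\<SID>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[08:12/13:46:16] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[08:12/13:46:16] NtCreateKey: STATUS_ACCESS_DENIED
[08:12/13:46:16] real path: \REGISTRY\USER\<SID>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[08:12/13:46:16] Consider modifying policy using this policy rule: REG_ALLOW_ANY
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<body>.*)$")
CALL = re.compile(r"^(?P<call>Nt\w+):\s*(?P<status>STATUS_\w+)$")
PATH = re.compile(r"^real[_ ]path:\s*(?P<path>.+)$")  # both spellings occur
RULE = re.compile(r"^Consider modifying policy using this policy rule:\s*(?P<rule>\S+)$")

def parse_denials(text):
    """Return one dict per denial; assumed order is call, real path, rule."""
    records, cur = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        body = m["body"]
        if c := CALL.match(body):
            cur = {"call": c["call"], "status": c["status"]}
        elif p := PATH.match(body):
            cur["path"] = p["path"]
        elif r := RULE.match(body):
            # The rule line closes a record. "call" stays None when the
            # excerpt began mid-entry, as the sample's first two lines do.
            records.append({"call": cur.get("call"), "status": cur.get("status"),
                            "path": cur.get("path"), "rule": r["rule"]})
            cur = {}
    return records

def summarize(records):
    """Count denials per (suggested rule, path) so repeats collapse."""
    return Counter((r["rule"], r["path"]) for r in records)

if __name__ == "__main__":
    for (rule, path), n in summarize(parse_denials(SAMPLE_LOG)).most_common():
        print(f"{n}x {rule:<18} {path}")
```

A suggested rule in the log is only a hint from the broker; each distinct path in the summary still needs a decision on whether the sandboxed process should be allowed to reach it.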

3.3.5 Locking Protected Mode

Protected Mode can be locked as enabled or disabled as follows:
1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown.
2. Right click and choose New > DWORD Value.
3. Create bProtectedMode.
4. Right click on the key and choose Modify.
5. Set the value as follows:
Section 3   Protected Mode