Earlier this year, McAfee added Adobe Reader (acrord32.exe) to the list of protected processes (defined in vscan.bof). One fix could be for McAfee to remove this process and issue a new vscan.bof, which would be picked up as part of the normal autoupdate process. However, this would leave users running pre-X versions of Adobe Reader vulnerable.
I'd rather not install a "not-so-well-tested" hotfix just to be able to add an exclusion. Seems kinda strange that I would need to download and install a hotfix in order to use one of the features of VirusScan to exclude files.
I too would like to know what McAfee and Adobe are doing to correct this. And don't tell me that I need to wait until VirusScan Enterprise 8.8...
Adobe 10.0.1, released today, now supports VSE 8.7 per the updated cpsid_86063 and the release notes (Acrobat_Reader_ReleaseNote_10.0.1.pdf, page 5, Bug Fix "2791093 Reader is now compatible with McAfee Virus Scan Enterprise 8.7.0i when Protected Mode is enabled.").
Follow-up question: does anyone have VSE 8.8 installed yet, and does Adobe 10.0.1 work with Protected Mode?
We have version VSE 8.8 and Adobe Reader 10.01 and neither adding AcroRd32.exe nor the full path truly fixes the issue. And it's confirmed that reapplying the BOP manually fixes it.
What it comes down to is that the ePO Agent reads the ePO policy from the server and sees the BOP exclusion, and when there is no Module or API in the policy it (or automatically in the policy from the ePO database) inserts a REG_SZ value *.* for the key HKLM\Software\McAfee\SystemCore\VSCore\On Access Scanner\BehaviorBlocking\BOPExclusionAPI_0 (0 to however many BOP exclusions you have). This seems to be the "extra registry setting" that the above post was talking about. Applying the exclusion manually resets the value so that it's completely blank.
It seems to me that it's VSE 8.8, or a patch that hasn't been installed yet, that makes it so that it doesn't like the *.* value but does work with the null value just fine. According to https://kc.mcafee.com/corporate/index?page=content&id=KB70257 you need to have the extension checked in even for 8.8, and I thought we had when we added 8.8 in.
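A read-only audit of the registry values described in the post above, added here as an example and not code from the thread, McAfee or Adobe. It assumes the key path quoted above, that each exclusion's API value is stored as a REG_SZ named BOPExclusionAPI_<n>, and that the matching process name lives in a sibling value BOPExclusionProc_<n> (the Proc name is an assumption).

```powershell
# Added example (not from the thread): list VSE BOP exclusion values and
# flag any whose API value is the ePO-inserted wildcard "*.*".
# ASSUMPTIONS: key path as quoted in the post above; value names
# BOPExclusionAPI_<n> (from the post) and BOPExclusionProc_<n> (assumed).
$bopKey = 'HKLM:\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviorBlocking'

function Get-BopExclusionAudit {
    param([string]$Path = $bopKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path (is VSE installed on this host?)"
        return
    }

    # Get-ItemProperty returns every value under the key as a property.
    $item = Get-ItemProperty -LiteralPath $Path

    foreach ($prop in $item.PSObject.Properties) {
        $m = [regex]::Match($prop.Name, '^BOPExclusionAPI_(\d+)$')
        if (-not $m.Success) { continue }

        $index    = $m.Groups[1].Value
        $apiValue = [string]$prop.Value
        $procProp = $item.PSObject.Properties["BOPExclusionProc_$index"]
        $procValue = if ($procProp) { [string]$procProp.Value } else { '<missing>' }

        # Per the thread: "*.*" is what ePO writes when no API is set and is the
        # value that breaks the exclusion; a blank value is what a manual
        # exclusion leaves behind and is reported as working.
        $status = switch ($apiValue) {
            '*.*'   { 'SUSPECT: ePO-inserted wildcard' }
            ''      { 'OK: blank (matches manual exclusion)' }
            default { 'Review: explicit API value' }
        }

        [pscustomobject]@{
            Index   = [int]$index
            Process = $procValue
            Api     = $apiValue
            Status  = $status
        }
    }
}

# Usage (run elevated so HKLM is readable in full):
Get-BopExclusionAudit | Sort-Object Index | Format-Table -AutoSize
```

Run it before and after an ePO policy enforcement to see whether the agent rewrites the value to *.* again, which is the symptom the post describes.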