7 Replies Latest reply on Jun 14, 2010 2:01 PM by kwhelan

    Access Protection to prevent Acrobat/Flash issues.

      http://www.computerworld.com/s/article/9177705/Update_Attackers_exploit_critical_bug_in_Adobe_s_Flash_Reader?source=CTWNLE_nlt_dailyam_2010-06-07



      I was just wondering if anyone had written a complete Access Protection rule to resolve the ongoing issues with Flash and Acrobat? If so, do you mind sharing what you have done on this?



        • 1. Re: Access Protection to prevent Acrobat/Flash issues.

          I appreciate all the help that this message has generated. Adobe products are getting attacked left and right and there isn't a single idea on how to protect against these using McAfee products.


          I've reached the end of my rope with McAfee products. I chatted with a technician and he was completely unaware of the issues with Adobe products and had no clue how to protect against these issues.


          I opened a ticket. It went to a "Work In Progress" status and is still sitting there. There has not been a response from McAfee support.


          And there have been no answers to my forum question.


          Three different avenues of trying to get some help from McAfee and no response whatsoever. Did everyone go on vacation and leave the offices empty?


          Ken Whelan

          (who is now looking for a new AV product to switch to).

          • 2. Re: Access Protection to prevent Acrobat/Flash issues.

            Good morning


            I just saw your message and want to ensure your issue is resolved swiftly.


            Please let me know what country you are in and what SR number you have been allocated.



            • 3. Re: Access Protection to prevent Acrobat/Flash issues.

              The article says -


              In the meantime, Reader and Acrobat users can protect themselves by deleting or renaming authplay.dll. Doing so, however, means that opening a PDF file containing Flash content will crash the software or produce an error message.

              Therefore you could use Access Protection to create a file-based rule that prevents Reads of this file, accepting the consequence also mentioned in the article. Thus enforcing 0-day protection with a 0-day protection feature.


              That is the benefit of Access Protection - you don't need someone to tell you what to do; you can be empowered with the knowledge of how something behaves, and create a rule to block that behavior.


              I should add a cautionary note: If you are unfamiliar with a program or the scope of impact a rule might have, create the rule in Report only mode and monitor the events where it is triggered - make sure only your targeted application is affected. You certainly don't want to be in a state where you've told VirusScan to cripple your operating system.



              Message was edited by: William Warren on 6/14/10 12:26:30 PM CDT
              • 4. Re: Access Protection to prevent Acrobat/Flash issues.

                I am in the USA. Case number 3-916602131


                Sorry it took me so long to respond; I had a number of issues to work through this morning.

                • 5. Re: Access Protection to prevent Acrobat/Flash issues.

                  Thank you for your response. I understand how Access Protection works and authplay.dll is only one avenue of infection with Acrobat. Blocking authplay.dll ONLY protects against Flash embedded in a PDF.


                  I can and have written an AP rule for authplay. What I was looking for was someone that had more experience with Adobe products than I had and could help me completely protect ALL of the two products Acrobat and Flash execution and perhaps even buffer overflow on these two products.




                  • 6. Re: Access Protection to prevent Acrobat/Flash issues.



                    You will need to create a new SR (or call into Support to have one created for you).

                    The SR you mentioned was auto-closed by the system because it was not submitted, presumed abandoned.


                    When you get to page 2 when creating SRs online, where potential KB articles for your request are shown, be sure to finish submitting the SR.