AdobeReader accesses Internet through svchost.exe


I updated to AcrobatReader 9.
Today I bootet my PC and saw a lot of Internetactivity. It came from “svchost.exe” located in C:\WINDOWS\system32
Before “AdobeARM” begged for Internetaccess which I denied.
When the traffic stopped an message in my systray popped up, stating, that there can new updates be installed.

When I open Adobe Reader (which is also denied to access the Internet) it can connect to update servers and states, that there are no new updates available.
I looked closely to the connection window in Comodo and there I saw that again “svchost” from system32 made access to the internet.
How is this possible? Why isn’t that detected by my Comodo Firewall.

The worst thing is, that Adobe uses spyware techniques to bypass a firewall. Adobe should be sued for that!


You can block it with Defense+, if you set it to Paranoid Mode. :slight_smile:

But thats not really an Option for me.
Defense+ always finds something to complain, even when the program doesn’t want to access internet. Thats annoying. It is the task of the firewall to prevent this hackerattack by Adobe.
Everyhackertool could so easily bypass the Firewall. I am very disappointed.

That is how CIS/CFW is designed. From the help file:

[b]Firewall only[/b] - This option is only recommended for [b][i]experienced[/i][/b] firewall users that have alternative Host Intrusion Prevention software installed on their systems. Selecting this option will install ONLY the packet filtering network firewall and not Defense+ (Defense+ is essential for blocking malicious software like worms and Trojans from making outgoing connection attempts). This isn't to say this option is an unwise choice (the network firewall is one of the strongest available - offering highly effective and configurable inbound and outbound protection) but it is important to realize that, on it's own, it does not offer the host intrusion protection as afforded by Defense+.

My main intention is not to block malicious software (i take care that such thing doesn’t come into my system), but I want to block spyware like Adobe, Microsoft, BlueSoleil, GoogleEarth
But when a Firewall can’t protect me from that, that it is no good Firewall.
Of course I like Comodo, but there should be something done, that this hacker method from Adobe is blocked, without Defense+ which is getting on my nerves.

You are probably mistaken that for windows updates and not adobe updates, if you want to block adobe updates you can create/change the network application rules for Adobe_Updater and AdobeARM to blocked application.

Adobe_Updater.exe can be blocked with the firewall, but AdobeARM.exe doesn’t connect to the Internet, so it cannot be blocked with the firewall. AdobeARM.exe uses svchost.exe that connects to the Internet, so unless one wants to block svchost.exe, Defense+ must be used to deny AdobeARM.exe Internet access through svchost.exe.

Actually, on both my windows xp sp3 x86 and windows 7 x64, I have firewall entries for adobeARM see attached screenshots. I temporay made Block and Log In/Out rules to both adobe_updater and adobeARM, I then opened adobe reader and then checked for updates form Help>Check For Updates… when it finished there are block logs for adobeARM in the firewall log. So it is possible to block adobeARM using the firewall.

[attachment deleted by admin]

Not really, because when it checks for updates, you can see svchost.exe in Active connections, and after that, the updater says No updates available. I made AdobeARM.exe a blocked application, I can see in the firewall events that it was blocked, but it can check for updates. :wink:

AdobeARM seems to try to access the Internet normaly which prevents the firewall and then it uses svchost to connect to the internet.

What technique does AdobeARM use to connect the internet using svchost.exe? It isn’t dll injection.

Block this request (access the COM interface svchost.exe), and update will fail (=no svchost.exe connection).

[attachment deleted by admin]

Yeah? Then was is this - see attachment? This program is spyware plain and simple!

[attachment deleted by admin]

You should also set the firewall to custom policy mode :-TU

I run Defensewall 3.0 along with Comodo 4 so I can see exactly what AbodeARM is doing. For starters, it will try access C:\Documents and Settings\current user\Cookies. Next it attempt to change the hidden attribute on C:\Documents and Settings\current user\Temp\Cookies. It then attempts to change IE proxy settings. Etc. etc. Eventually it will attempt service creation of BITS and the like. And this all occurs when you just read a .pdf on web.

At startup time, it will read most of your OS and security software files for what purpose only God knows.

Does this software sound like a normal updater? Not to me!

Place AdobeARM.exe block rule BEFORE system rule.

This will do the trick

P.S. i am not using Defence+ at all

Can u please explain in detail? I set the firewall setting to custom and disabled the defense setting permanetly.
whee to apply the rule for AdobeARM.exe?

All rules in CIS are read from top to bottom. Since AdobeARM.exe uses svchost.exe you need to make sure the block rule is somewhere above the “Windows System Applications” rule. This way the block rule will be read first.

EricJH, could you please explain more detailed. I don’t understand. I guess you refer to the application rules.
But when you make new rules, they will always be on top of the Win sys apps, since this entry is made by Comodo on installation of the firewall ???