I installed CIS-Firewall (Defense+ is disabled). As a test, I selected “check for updates” in Adobe Acrobat. Acrobat had no problem contacting Adobe. The firewall never prompted me to allow the connection and the connection never showed in the Firewall Events log (I have logging enabled for all policy settings).
After a bit of searching, I found something about Acrobat using Raw Sockets API for its Adobe License Manager Service. Is the firewall not able to identify and block this traffic? I’m not concerned about Acrobat specifically, but who knows what other applications (malware) use this technique to contact sites on the Web?
I don’t know for sure that Raw Sockets is the issue here, but somehow Acrobat is contacting the internet and the firewall doesn’t seem to be aware of it.
Welcome to the forums!
Well, I think it’s automatically allowed because it’s on the Trusted Software Vendors list.
Can you have a look at the firewall policy and see if the adobe updater is there and with what permissions?
I did see Adobe as a Trusted Vendor in Defense+, but shouldn’t this be separate from the firewall, especially since I have Defense+ disabled? I cleared all the vendors (except Comodo) from the Trusted Vendor list in Defense+, but this did not change the results.
The firewall policy does not have anything listed for Adobe.
Acrobat is whitelisted and therefore trusted even if you remove Adobe Systems, Incorporated from My Trusted Software Vendors.
To get alerts for Acrobat (and other whitelisted applications), set Firewall Security Level to Custom Policy Mode.
Thanks for the responses. I appreciate the help.
I already have Firewall Behavior Settings > Firewall Security Level set to Custom Policy Mode.
If I select “Stop All Activities” on the Summary screen, the Acrobat update will not succeed.
When I run Check For Updates…, Active Connections shows a TCP OUT for svchost.exe to 126.96.36.199:443. I think this connection occurs due to the update.
Is there a log or specific screen captures that I should attach to assist?
When Acrobat (9.2 Pro) checks for updates, it uses AdobeARM.exe, and connects to the net using svchost.
I could stop it from checking for updates, with Defense+ set to Paranoid Mode. 8)
Other Adobe applications use Adobe_Updater.exe.
What message do you get with Paranoid Mode? I also enabled Paranoid Mode and Adobe Reader could still access the Internet.
The method can’t be raw sockets because they are disabled by MS. From “Network socket” on Wikipedia, section “Support in Windows XP”:

“When Microsoft released Windows XP in 2001 with raw socket support implemented in the Winsock interface, the media criticized Microsoft asserting that raw sockets are only of use to hackers to perform TCP reset attacks. Three years after the Windows XP release, Microsoft silently limited Winsock’s raw socket support in a non-removable hotfix and offered no further support or workarounds for applications that used them.”
Block anything AdobeARM.exe tries to do (or treat it as an Isolated application).
Note: If you don’t allow Acrobat.exe to run AdobeARM.exe, Acrobat will try to run Adobe_Updater.exe instead. That process tries to connect to the Internet, and can be blocked with the firewall.
I deleted AdobeARM and the Updater. That does it, too.