CIS 10 is snagging PDFs coming in via emails as executables and then sandboxing or listing as unknown executables. PDFs are not executable files, although I know they can be trojan downloaders. Is this behaviour intended or is it a bug?
I tried to attach a screenshot of a couple of PDFs snagged on a user today, but getting forum error message that folder is full ???
It is caused by heuristic command-line analysis under HIPS settings. Also for PDF files it only applies when they are opened from removable media or the temp folder. You should either save them to a folder and then open from that folder or you can disabled acrord32.exe from do heuristic analysis for certain applications list.
Interesting, especially since HIPS is disabled?
How do I disable heuristics in relation to acrord32.exe ?
Open HIPS settings and look for “Do heuristic command-line analysis for certain applications” click the certain applications link and in the new window look for the entry *\acrord32.exe and to the right click the switch off. Then ok out all windows.
Done, thanks. It is OK now, I can open PDFs without sandboxing, I accept the risk of doing so.
However, HIPS remains disabled. That means that advanced HIPS settings are not impacted by whether HIPS monitoring is on or off, correct?
Some of CIS’ security mechanisms are listed in HIPS section but will be on all the time despite HIPS being on/off.