23 Replies Latest reply on Apr 10, 2011 11:47 PM by chetanrajakumar

    Trusted Mechanisms with Acrobat X

    webpointz Level 1

      We have the following process running successfully using Acrobat Reader 9.4. It no longer works with Acrobat X, and we need to know the solution.

       

      Background:

       

      - PDF is brought into Acrobat Pro, certified, and extended for Reader

      - document level script inside the PDF

       

              // Build the output path from the configured base path and the 'out' field value
              var myPath = '#PathToFile#' + this.getField('out').value;
              // Save the document to that path
              this.saveAs(myPath);
              // Tell the hosting HTML page that the document can be closed
              this.hostContainer.postMessage(['close']);

      - Reader 9.4 processes an HTML form and uses javascript to feed variables for path and filename to the PDF

       

      In Acrobat X with Protected Mode enabled, the above throws the following error:

       

      Acrobat EScript Built-in Functions Version 10.0
      Acrobat SOAP 10.0

      NotAllowedError: Security settings prevent access to this property or method.
      Doc.saveAs:2:Field signature:Format

       

      This error makes no sense, because according to the documentation CERTIFIED documents are a TRUSTED MECHANISM???

        • 1. Re: Trusted Mechanisms with Acrobat X
          AbhigyanModi Adobe Employee

          http://kb2.adobe.com/cps/860/cpsid_86063.html#main_Unsupported_configurations

           

          A document open in the Reader sandbox is never trusted and cannot be allowed to save files to arbitrary disk locations (except specific whitelisted locations such as the temp folder). You can add to the whitelisted locations if you have a way to make that change in the client machine configuration; see the policy configuration section in the application security guide: http://learn.adobe.com/wiki/download/attachments/64389123/AcrobatApplicationSecurity.pdf?version=1


          We are also looking at providing alternate API/behaviour which would ask for user confirmation before a save.

          • 2. Re: Trusted Mechanisms with Acrobat X
            webpointz Level 1

            I understand that, but this is NOT an unsupported configuration.

             

            We have attempted to make a WhiteList configuration and still no success.  Are we perhaps configuring the network path incorrectly?

             

            We have followed the instructions as per the security documentation.  We have even added network path in configuration whitelist as recursive.

            Surely we should be able to employ BUSINESS WORKFLOW as in the past, otherwise sandbox security would be pointless without having the flexibility.

            • 3. Re: Trusted Mechanisms with Acrobat X
              AbhigyanModi Adobe Employee

              Can you paste in here examples of the path where you are trying to save the PDF file from the script and the path that you have provided on the whitelist?

              • 4. Re: Trusted Mechanisms with Acrobat X
                webpointz Level 1

                Here is the javascript inside the PDF:

                 

                        var myPath = '/main_network_pathname/sub_folder_pathname/' + this.getField('out').value;
                        this.saveAs(myPath);

                 

                 

                NOTE: this.getField('out').value = myPDF.pdf

                 

                 

                ProtectedModeWhitelistConfig.txt entries:

                 

                FILES_ALLOW_DIR_ANY = /main_network_pathname/sub_folder_pathname/
                FILES_ALLOW_ANY = /main_network_pathname/sub_folder_pathname/*

                • 5. Re: Trusted Mechanisms with Acrobat X
                  ashutoshmehra Adobe Employee

                  Assuming a network path like \\CoolServerName\ShareName\FolderName exists and you want to allow writing to it from protected mode, try adding the following lines in the ProtectedModeWhitelistConfig.txt file:

                   

                  FILES_ALLOW_ANY = \??\UNC\CoolServerName\ShareName\FolderName\*

                   

                  (Please note the \??\UNC\ prefix and the presence of forward slashes.) This should give protected view write access to the existing FolderName folder.

                  • 6. Re: Trusted Mechanisms with Acrobat X
                    webpointz Level 1

                    So you are saying that if I have the following network path:

                     

                    \\NetworkPath\myfolder\thisFolder\

                     

                    it goes into the protectedwhitelist file as:

                     

                    FILES_ALLOW_ANY = \??\UNC\NetworkPath\myfolder\thisFolder\*

                    • 8. Re: Trusted Mechanisms with Acrobat X
                      webpointz Level 1

                      Does the protectedwhitelist file need to have anything else inside of it?

                      • 9. Re: Trusted Mechanisms with Acrobat X
                        webpointz Level 1

                        I tried this pathing and also confirmed that the WhiteList is being employed (checked that HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\ADOBE\ACROBAT READER\10.0\FEATURELOCKDOWN has a DWORD entry for "bUseWhiteListConfigFile" and it is set to "1").

                         

                        Still getting the same error.

                        • 10. Re: Trusted Mechanisms with Acrobat X
                          ashutoshmehra Adobe Employee

                          Interesting; that did work for me.

                           

                          Could you try the following:

                          1. Enable Protected Mode logging via Edit -> Preferences -> General Tab -> check the box "Create Protected Mode Log File" (towards the bottom). Press Yes if asked for confirmation.

                          2. Press OK on the Preferences dialog box.

                          3. Restart Reader.

                          4. Run your plugin/JS that should have worked.

                          5. Go to General Tab of Preferences (again) and this time click the View Log button and share the results of that file.

                           

                          If the custom policy was applied, the log should contain a line saying:

                          [02:22/21:53:10] Found custom policy file: D:\Program Files (x86)\Adobe\Reader 10.0\Reader\ProtectedModeWhitelistConfig.txt
                          [02:22/21:53:10] Adding custom policy: FILES_ALLOW_ANY = \??\UNC\blah\xyzzy\foo\*

                          If you don't see that, then there could be something wrong in getting the policy setup.

                           

                          Also, if there is a policy violation, it should contain a line saying:

                          [02:22/21:58:17] NtCreateFile: STATUS_ACCESS_DENIED
                          [02:22/21:58:17] real path: \??\UNC\blah\xyzzy\foo\flagfile.txt
                          [02:22/21:58:17] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY

                          • 11. Re: Trusted Mechanisms with Acrobat X
                            webpointz Level 1

                            [02:22/11:38:21] Found custom policy file: C:\Program Files\Adobe\Reader 10.0\Reader\ProtectedModeWhitelistConfig.txt
                            [02:22/11:38:21] Adding custom policy: FILES_ALLOW_ANY = \??\UNC\myNetworkPath\subNetworkPath\*
                            [02:22/11:38:22] NtCreateKey: STATUS_ACCESS_DENIED
                            [02:22/11:38:22] real path: \REGISTRY\MACHINE\Software\Adobe
                            [02:22/11:38:22] Consider modifying policy using this policy rule: REG_ALLOW_ANY
                            [02:22/11:38:22] NtCreateKey: STATUS_ACCESS_DENIED
                            [02:22/11:38:22] real path: \REGISTRY\MACHINE\SOFTWARE\Adobe

                            • 12. Re: Trusted Mechanisms with Acrobat X
                              ashutoshmehra Adobe Employee

                              From your log, it looks like the policy did get added, and there were no violations when accessing the network path either. So now the question is: Is your plugin/JS code bailing out at a place even before it accesses the paths? Because if the network path were accessed, the access should have been granted (per the policy) or otherwise an entry saying the access was denied would have appeared in the log.

                               

                              Could something be going wrong before or after the network file has been accessed? Which exact call is failing?

                              • 13. Re: Trusted Mechanisms with Acrobat X
                                webpointz Level 1

                                As stated...if I remove the Protected Mode, the "saveAs" function works fine.

                                 

                                It's failing here:

                                 

                                Security settings prevent access to this property or method.
                                Doc.saveAs:2:Field signature:Format

                                • 14. Re: Trusted Mechanisms with Acrobat X
                                  ashutoshmehra Adobe Employee

                                  Based on your log, things seem to be working correctly from the policy point of view, so the issue could be elsewhere (maybe something during the Save operation that's causing the problem).

                                   

                                  Could you share a simple PDF that demonstrates this problem?

                                  • 15. Re: Trusted Mechanisms with Acrobat X
                                    y=mx+b Level 1

                                    Got it working. 

                                     

                                    Constructing the rules with the right syntax is always critical, especially with little or no documentation for the whitelist.

                                    Even what the broker log reports and adding that to the white list is not an easy task.

                                     

                                    FILES_ALLOW_ANY=\??\UNC\CoolServer\Coolshare\* did the trick along with all the other recommendations from the broker log.

                                    • 16. Re: Trusted Mechanisms with Acrobat X
                                      webpointz Level 1

                                      I think WE got it working as well...so here is my question...

                                       

                                      Is the string "=\??\UNC\coolserver\coolshare\*" the actual word for word syntax???

                                       

                                      All I can say is: how can Adobe so radically change its product's security structure with little or no documentation to assist with what can be and IS a fundamental change affecting the WORKFLOW of any organization?

                                       

                                      This is like looking for a needle in a haystack.

                                       

                                      Thanks to everyone who chimed in on this thread...much appreciated.  I will keep open this thread until we have further tested.

                                      • 17. Re: Trusted Mechanisms with Acrobat X
                                        ashutoshmehra Adobe Employee

                                        The syntax for whitelisting a network path like "\\Hello\New\World"

                                        is:

                                        FILES_ALLOW_ANY = \??\UNC\Hello\New\World\*

                                        Basically, instead of the leading prefix "\\" use the "\??\UNC\" prefix.

                                        • 18. Re: Trusted Mechanisms with Acrobat X
                                          y=mx+b Level 1

                                          Just to not confuse anyone about my last post:

                                          FILES_ALLOW_ANY=\??\UNC\CoolServer\Coolshare\* is NOT the literal string to use.

                                           

                                          Replace CoolServer with your server name and replace Coolshare with your share name.

                                          eg. FILES_ALLOW_ANY=\??\UNC\PDFServer\PDFShare\*

                                           

                                          Here's where I wish the broker would've reported this method access error but it never did.  Took a while to get the syntax down pat.

                                          • 19. Re: Trusted Mechanisms with Acrobat X
                                            y=mx+b Level 1

                                            Final words for anyone trying to make Reader X with ProtectedMode enabled:

                                             

                                             

                                            The Brokerlog is your friend.

                                            However, the Brokerlog entries are not the literal rules for your ProtectedModeWhiteListConfig.txt. Some trial and error is required with the syntax :-(

                                             

                                             

                                            Here's what works in my Windows 7/IE9 and XP/IE8 environment (Reader 10 Only+McAfee 8.7+Entrust 9.1) based on Broker log entries :

                                             

                                             

                                            FILES_ALLOW_ANY=\??\pipe\LOGGING
                                            FILES_ALLOW_ANY=\??\UNC\***MyServer***\***MyShare***\*
                                            REG_ALLOW_ANY=HKEY_CURRENT_USER\SOFTWARE\Adobe*
                                            REG_ALLOW_ANY=HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\MuiCache*
                                            REG_ALLOW_ANY=HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication*
                                            REG_ALLOW_ANY=HKEY_LOCAL_MACHINE\SOFTWARE\Adobe*
                                            REG_ALLOW_ANY=HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
                                            EVENTS_ALLOW_ANY=MSFT.VSA*
                                            EVENTS_ALLOW_ANY=Global\BFE_Notify_Event_*
                                            MUTANT_ALLOW_ANY=*RasPbFile*

                                             

                                            REM SECTION_ALLOW_ANY=Global\FntCache-4cea5cda-f9ce-45ec-af77-82b8733ef9a1* (at one point the broker recommended this but found later it was not needed).

                                             

                                             

                                            Also, the 10.0.1 update addresses issues with Entrust and McAfee, and the JS SaveAs method now seems to work with the proper syntax for the FILES_ALLOW_ANY rule.

                                             

                                            See: Protected Mode troubleshooting | Reader X

                                            Application Security (Acrobat and Adobe Reader), specifically the Application Security Guide
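                                            As an added example (not code from this thread or from Adobe), the script below turns broker-log denials of the kind quoted in replies 10, 11 and 20 into candidate ProtectedModeWhitelistConfig.txt rules, applying the \\Server\Share to \??\UNC\Server\Share\* rewrite from reply 17 and renaming the \REGISTRY\MACHINE root to HKEY_LOCAL_MACHINE as the REG_ALLOW_ANY rules in this thread do. The log excerpt, server, share and file names are constructed; the rule keywords are the ones the thread quotes.

```python
import re

# Constructed broker-log excerpt (format as in replies 10 and 11; names are made up).
SAMPLE_LOG = """\
[02:22/21:53:10] Found custom policy file: C:\\Program Files\\Adobe\\Reader 10.0\\Reader\\ProtectedModeWhitelistConfig.txt
[02:22/21:53:10] Adding custom policy: FILES_ALLOW_ANY = \\??\\UNC\\blah\\xyzzy\\foo\\*
[02:22/21:58:17] NtCreateFile: STATUS_ACCESS_DENIED
[02:22/21:58:17] real path: \\??\\UNC\\PDFServer\\PDFShare\\out\\myPDF.pdf
[02:22/21:58:17] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY
[02:22/21:58:18] NtCreateKey: STATUS_ACCESS_DENIED
[02:22/21:58:18] real path: \\REGISTRY\\MACHINE\\Software\\Adobe
[02:22/21:58:18] Consider modifying policy using this policy rule: REG_ALLOW_ANY
"""

LINE_RE = re.compile(r"^\[[^\]]+\] (.*)$")        # drop the [MM:DD/HH:MM:SS] stamp
DENIED_RE = re.compile(r"^(Nt\w+): STATUS_ACCESS_DENIED$")
RULE_RE = re.compile(r"\b[A-Z]+_ALLOW_(?:DIR_)?ANY\b")
# NT registry root names as logged -> the root names the REG_ALLOW_ANY rules use
HIVES = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_USERS"}


def unc_to_rule(unc_path):
    """Rewrite \\\\Server\\Share\\Folder as the rule form from reply 17:
    the leading \\\\ becomes \\??\\UNC\\ and \\* is appended."""
    if not unc_path.startswith("\\\\") or "*" in unc_path:
        raise ValueError("expected a plain UNC path like \\\\Server\\Share\\Folder")
    body = unc_path[2:].rstrip("\\")
    if "\\" not in body:                           # need at least Server\Share
        raise ValueError("UNC path must name a share")
    return "FILES_ALLOW_ANY = \\??\\UNC\\" + body + "\\*"


def parse_denials(log_text):
    """Group each STATUS_ACCESS_DENIED line with the 'real path' and
    'Consider modifying policy' lines that follow it."""
    denials, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        hit = DENIED_RE.match(msg)
        if hit:
            current = {"call": hit.group(1), "path": None, "rules": []}
            denials.append(current)
        elif current is not None and msg.startswith("real path: "):
            current["path"] = msg[len("real path: "):]
        elif current is not None and msg.startswith("Consider modifying policy"):
            current["rules"] = RULE_RE.findall(msg)
            current = None                         # record complete
    return denials


def suggest_rule(denial):
    """Propose the narrowest rule covering a denied path. Logged paths are NT
    object names, not literal rules (reply 19): registry roots are renamed and
    file rules are scoped to the containing folder, not the whole share."""
    path = denial["path"]
    if path is None:
        return None
    if path.startswith("\\REGISTRY\\"):
        hive, _, rest = path[len("\\REGISTRY\\"):].partition("\\")
        if hive not in HIVES:
            return None
        return "REG_ALLOW_ANY = " + HIVES[hive] + "\\" + rest + "*"
    if path.startswith("\\??\\"):
        folder = path.rsplit("\\", 1)[0]
        return "FILES_ALLOW_ANY = " + folder + "\\*"
    return None
```

Review each suggestion before adding it: a rule scoped to the one folder the workflow writes to keeps the sandbox's write access narrow, whereas a share-wide or hive-wide wildcard widens what a compromised renderer could touch.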

                                            • 20. Re: Trusted Mechanisms with Acrobat X
                                              TimD_CSC

                                              I'm still experiencing issues with files on DFS shares, even after version 10.0.1 has been applied. It would seem my issue is not in opening normal PDF files but in the fact that the PDF files have been Archived, and have the Black Clock Symbol on them. If I disable the Adobe Sandbox the files "un archive" and open perfectly, but with the sandbox still enabled it fails with "Access Denied". I have even generated a customised Whitelist as specified in the AcrobatApplicationSecurity.pdf (with help of the broker log) and with help from this article. I must add that if I use the DFS link directly (\\server\share\xxxx\xxx\xx\filename.pdf) the PDF opens fine even with the sandbox enabled and it being in the "Archived state", but through a mapped drive to the DFS share it won't open (z:\xxxx\xxx\xx\filename.pdf). Here is my last broker log with "no errors seen anymore...":

                                               

                                              [03:09/22:18:33] Adobe Reader Protected Mode Logging Initiated
                                              [03:09/22:18:33] Found custom policy file: C:\Program Files\Adobe\Reader\ProtectedModeWhitelistConfig.txt
                                              [03:09/22:18:33] Adding custom policy: FILES_ALLOW_ANY = \??\UNC\MYSERVER.NET\SVR\*
                                              [03:09/22:18:34] Adding custom policy: FILES_ALLOW_ANY = \??\UNC\MYSERVER2\SVR\*
                                              [03:09/22:18:34] Adding custom policy: FILES_ALLOW_ANY = \??\UNC\MYSERVER3\SVR\*
                                              [03:09/22:18:34] Adding custom policy: FILES_ALLOW_ANY = \??\C:\WINDOWS\system32\*
                                              [03:09/22:18:34] Adding custom policy: REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\SOFTWARE\Adobe*
                                              [03:09/22:18:34] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat*
                                              [03:09/22:18:34] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings*
                                              [03:09/22:18:34] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication*
                                              [03:09/22:18:34] Adding custom policy: EVENTS_ALLOW_ANY = MSFT.VSA*
                                              [03:09/22:18:34] Adding custom policy: EVENTS_ALLOW_ANY = _fCanRegisterWithShellService*

                                               

                                              Any help would be deeply appreciated! Tim.

                                              • 21. Re: Trusted Mechanisms with Acrobat X
                                                y=mx+b Level 1

                                                Let me get clear on your issues:

                                                1.  Applied 10.01 msp to Reader 10.

                                                2. Protected mode enabled:  Cannot open archived .pdfs.

                                                3. However, you can access archived pdfs via UNC paths (are you using FQDNs?) but not via mapped drives.

                                                 

                                                Have you tried to add a whitelist rule like

                                                 

                                                FILES_ALLOW_ANY = MAP\FOLDER\*  eg. FILES_ALLOW_ANY=Z:\SVR\*

                                                • 22. Re: Trusted Mechanisms with Acrobat X
                                                  TimD_CSC Level 1

                                                  I don't see how I can put drive letters down, as the user could map any drive to the DFS Share!

                                                  However, I did try putting in the 3 servers that the DFS connects to and that made no difference.

                                                  That was why I posted the Whitelist log above for everyone to see (with no errors anymore). The servers in the whitelist are set as per what you did previously.

                                                  You were correct: if I use Start > Run > \\Myserver.net\svr\sharename$ and browse to the file, it opens fine.

                                                  You were correct: if I use Z:\ mapped to the above and then browse to the file, it fails to open!

                                                  I tried Z:\* in the whitelist! No joy, I'm afraid.

                                                   

                                                  Tim.

                                                  • 23. Re: Trusted Mechanisms with Acrobat X
                                                    chetanrajakumar

                                                    Hi,

                                                    The plugin which I created using the Acrobat SDK works fine in AdobeReader-9 but it doesn't work as expected in AdobeReader-X.

                                                    The issues with Reader-X are listed below:

                                                    1. In Reader-X, there is an option which we can select for 'Enable Protected-Mode'.

                                                         a. If this is enabled I am able to see all the buttons of MyPlugin, but when I click on each button it won't do its task; instead I get an error message saying unable to create HelperObject (Class not Registered Error). Why are MyPlugin's buttons not performing their task when Protected-Mode is enabled?

                                                         b. If I disable Protected-Mode, I will see all the buttons of MyPlugin, and when I click on those buttons it will be able to do its task as expected.

                                                     

                                                    Here is what my application does:

                                                    The plug-in is written in VC++ and it interacts with C#.

                                                    The C# code reads\writes to registry and file system. It also accesses Acrobat APIs using DDE.

                                                     

                                                    When protected mode is ON, it displays a class not registered error.

                                                    Whereas the C# class is registered and is accessible when protected mode is OFF.

                                                     

                                                    Will implementing the Broker Process solve the issue?

                                                    Is there any sample available for implementing the Broker Process?

                                                    After reading this thread I think the Broker Process is needed to make my plug-in work even when Protected Mode is ON.

                                                    Please let me know how this should be achieved.

                                                    Thanks in advance. Please, someone help me out with this.