22.8 (L1) Ensure 'ASR: Block Adobe Reader from creating child processes' is set to 'Block'

Information

This rule prevents attacks by blocking Adobe Reader from creating processes.

Malware can download and launch payloads and break out of Adobe Reader through social engineering or exploits. Blocking Adobe Reader from generating child processes prevents malware that attempts to use Adobe Reader as an attack vector from spreading.

The recommended state for this setting is: Block

Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Block:

Defender\Block Adobe Reader from creating child processes
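
To confirm on an endpoint that the profile took effect, the following check reads the rule's effective state from Microsoft Defender. It is an added example, not part of the benchmark. The rule GUID is taken from Microsoft's ASR rule reference, and the helper name Get-AsrRuleState is hypothetical.

```powershell
# Added example: audit the effective state of the
# "Block Adobe Reader from creating child processes" ASR rule.
# GUID as published in Microsoft's ASR rule reference (not stated on this page).
$RuleId = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'

# Action codes Defender reports for ASR rules.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: Defender exposes rule IDs and actions as two parallel
# arrays, so the state of one rule is the action at the index of its ID.
function Get-AsrRuleState {
    param(
        [string]   $Id,
        [string[]] $Ids,      # AttackSurfaceReductionRules_Ids
        [object[]] $Actions   # AttackSurfaceReductionRules_Actions
    )
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        if ($Ids[$i] -ieq $Id) {
            $code = [int]$Actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown ($code)"
        }
    }
    # Rule absent from the list: no policy has configured it.
    return 'Not configured'
}

$pref  = Get-MpPreference
$state = Get-AsrRuleState -Id $RuleId `
    -Ids $pref.AttackSurfaceReductionRules_Ids `
    -Actions $pref.AttackSurfaceReductionRules_Actions

if ($state -eq 'Block') {
    Write-Output "PASS: ASR rule $RuleId is set to Block"
} else {
    # Audit and Warn do not satisfy this recommendation; only Block does.
    Write-Output "FAIL: ASR rule $RuleId is '$state' (expected Block)"
    exit 1   # non-zero exit for scripted compliance checks
}
```

Run it as a script in an elevated PowerShell session on the managed device after the configuration profile has synced.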

Impact:

When a rule is triggered, a notification will be displayed from the Action Center.

See Also

https://workbench.cisecurity.org/benchmarks/21719

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Windows

Control ID: 27f367ede6c070fc402d92ae27b6cc566a4fb7136f69db62d110a334417a2589