Adobe Reader protected mode conflicts with McAfee DLP
What is the effectiveness of Protected mode of Adobe Reader?... Secondly, can Adobe Reader protected mode be turned off to prevent conflicts with McAfee products?
You can turn off protected mode in preferences. It makes it more vulnerable to unknown threats.
What would be at risk of turning the Protected mode off?
You are protecting from UNKNOWN threats. The risk is therefore unknown. Protected mode is a two level protection. Acrobat Reader is made as secure as possible, but protected mode uses a "sandbox" so that even if a new unknown threat breaks into Acrobat Reader, it can't do much damage. Sandboxes are all the rage, but you cannot say what the risk is, only that it is safer. Sandbox (software development) - Wikipedia
Please can you explain what you mean by saying "Protected mode is a two level protection"? By any means, have you come across real-time examples of cases in which turning protected mode on was helpful?
Secondly, are you saying the solution to the issue is "You can turn off protected mode in preferences. It makes it more vulnerable to unknown threats"? I am confused: turning off Protected mode will make Adobe Reader more vulnerable to the risk we are trying to avoid... Please can you clarify the statement?
I don’t know how to explain this differently.
Protected mode protects your computer from threats.
The threats are unknown.
If you turn it off, you may be vulnerable to an unknown, future, threat.
We cannot predict what next year’s hackers will do.
I suggest that if this concept is puzzling, you read up about “sandboxing”... yes it is a strange world we live in.
I also have an issue where Adobe Protected Mode conflicts with McAfee DLP. Having Protected Mode enabled and the McAfee DLP Clipboard handler enabled causes a memory exception. The memory dump files indicate an issue with AcroRd32.dll.
With either Protected Mode or the McAfee Clipboard protection disabled, the issue goes away.
Adobe's response to anything related to the Protected Mode seems to be to whitelist the AcroRd32.exe process from whatever third party software whether it be an AV solution or in this case McAfee DLP which in this case is not an acceptable workaround.
While Adobe's Protected Mode "protects your computer from threats" whitelisting the AcroRd32.exe process from the McAfee DLP clipboard protection allows for copy/paste of potentially sensitive information such as PII, PCI, HIPAA, GDPR data to be leaked which is also a "threat".
The other workaround is to disable Adobe Protected Mode. Based on the below memory dump, the issue is clearly with Adobe Protected Mode as the McAfee clipboard .dll file isn't even in the stack and based on other forum posts has multiple compatibility issues with other third party products and Adobe's response to everything seems to be to whitelist their product from every other security solution instead of addressing the issue with their own product.
Since Adobe Reader is a free tool, Adobe doesn't seem to want to provide any support for these types of issues. This is a serious security concern and we are left with an option of leaving ourselves open for attack or open for data loss and neither is an option. It seems the only way to get any support for this is through this forum. How does one get a memory dump to your developers to provide a real solution without paying the price of an Enterprise contract for a free product?
Comment: 'Dump created by DbgHost. First chance exception 0X80000003'
Loading unloaded module list
.....
This dump file has a breakpoint exception stored in it.
CONTEXT: (.ecxr)
eax=0075ecb8 ebx=0075ed9c ecx=0075ed5c edx=02810bd0 esi=084b1a60 edi=0075ed5c
eip=60059904 esp=0075eca0 ebp=0075ecc8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000244
AcroRd32!AX_PDXlateToHostEx+0x2bcab:
60059904 cc int 3
Resetting default scope
FAULTING_IP:
AcroRd32!AX_PDXlateToHostEx+2bcab
60059904 cc int 3
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 60059904 (AcroRd32!AX_PDXlateToHostEx+0x0002bcab)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 00000000
BUGCHECK_STR: BREAKPOINT
DEFAULT_BUCKET_ID: BREAKPOINT
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
EXCEPTION_CODE_STR: 80000003
EXCEPTION_PARAMETER1: 00000000
WATSON_BKT_PROCSTAMP: 5c1a86ce
WATSON_BKT_PROCVER: 19.10.20069.49826
PROCESS_VER_PRODUCT: Adobe Acrobat Reader DC
WATSON_BKT_MODULE: AcroRd32.dll
WATSON_BKT_MODSTAMP: 5c1a86c2
WATSON_BKT_MODOFFSET: 379904
WATSON_BKT_MODVER: 19.10.20069.49826
BUILD_VERSION_STRING: 10.0.16299.15 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH: 0108102941e4fc286f163b45bab4fad2d209bc40
MODLIST_SHA1_HASH: ade4547248f53d3999c119517b0ceefe234b3ce6
COMMENT: Dump created by DbgHost. First chance exception 0X80000003
NTGLOBALFLAG: 0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_FLAGS: 8000c07
DUMP_TYPE: 3
PROCESS_NAME: unknown
ANALYSIS_SESSION_TIME: 01-30-2019 12:17:16.0552
ANALYSIS_VERSION: 10.0.17763.132 x86fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
PRIMARY_PROBLEM_CLASS: BREAKPOINT
PROBLEM_CLASSES:
ID: [0n321]
Type: [@APPLICATION_FAULT_STRING]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Omit
Data: Add
String: [BREAKPOINT]
PID: [Unspecified]
TID: [Unspecified]
Frame: [0]
LAST_CONTROL_TRANSFER: from 60064f3d to 60059904
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0075ecc8 60064f3d 0075ed5c fffffffc dbe3164e AcroRd32!AX_PDXlateToHostEx+0x2bcab
0075ed38 60076184 0075ed9c 05e84d20 0075edb4 AcroRd32!AX_PDXlateToHostEx+0x372e4
0075ed84 600ec5cb 0075ed9c 05e84d20 0075edb4 AcroRd32!AX_PDXlateToHostEx+0x4852b
0075eda0 600ec715 05e84d20 0075edb4 084b1a60 AcroRd32!AX_PDXlateToHostEx+0xbe972
0075edb8 5fdd5504 05e84d20 0075edd8 085057a8 AcroRd32!AX_PDXlateToHostEx+0xbeabc
0075edd0 60527b37 00000000 084b1a60 084b1a60 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x603bb
0075ede4 5fe352b6 084b1a60 085057a8 00000001 AcroRd32!AIDE::PixelPartInfo::operator=+0xf2ef7
0075ee0c 5fe88aad 00000000 073729b0 00000000 AcroRd32!CTJPEGWriter::CTJPEGWriter+0xc016d
0075ee20 5fd60a6b 00000001 dbe31512 08406250 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x113964
0075ee64 5fd60abc 00000001 dbe315de 083ec7a0 AcroRd32!DllCanUnloadNow+0xe987
0075eea8 5fd60abc 00000001 dbe3159a 00000001 AcroRd32!DllCanUnloadNow+0xe9d8
0075eeec 5fe887f1 00000001 083eb0b0 5fe89bea AcroRd32!DllCanUnloadNow+0xe9d8
0075ef10 5fe89900 00000001 00000000 00000000 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x1136a8
0075ef2c 5fd114a8 00000001 00000000 00000000 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x1147b7
0075ef4c 76a1e0bb 000b0c8a 00000006 00000001 AcroRd32!AcroWinMainSandbox+0x7232
0075ef78 76a28849 5fd1140a 000b0c8a 00000006 user32!_InternalCallWinProc+0x2b
0075ef9c 76a2b145 00000006 00000001 00000000 user32!InternalCallWinProc+0x20
0075f06c 76a2833a 5fd1140a 00000000 00000006 user32!UserCallWinProcCheckWow+0x1be
0075f0b0 76a0fbab 00000006 00000001 00000000 user32!CallWindowProcAorW+0xd4
0075f0c8 5fd620b8 5fd1140a 000b0c8a 00000006 user32!CallWindowProcW+0x1b
0075f0f4 5fd619f5 00000006 00000001 00000000 AcroRd32!DllCanUnloadNow+0xffd4
0075f110 76a1e0bb 000b0c8a 00000006 00000001 AcroRd32!DllCanUnloadNow+0xf911
0075f13c 76a28849 5fd61941 000b0c8a 00000006 user32!_InternalCallWinProc+0x2b
0075f160 76a2b145 00000006 00000001 00000000 user32!InternalCallWinProc+0x20
0075f230 76a18503 5fd61941 00000000 00000006 user32!UserCallWinProcCheckWow+0x1be
0075f298 76a18aa0 040cefb0 00000000 00000006 user32!DispatchClientMessage+0x1b3
0075f2e0 77051a6d 0075f2fc 00000020 0075f5c0 user32!__fnDWORD+0x50
0075f318 76a1b274 0075f36c 00000000 00000000 ntdll!KiUserCallbackDispatcher+0x4d
0075f334 5fd70a76 0075f36c 00000000 00000000 user32!GetMessageW+0x34
0075f5cc 5fd708a4 dbe30d72 00000001 02973d50 AcroRd32!DllCanUnloadNow+0x1e992
0075f604 5fd0ab59 dbe30d06 02961b18 0075fb44 AcroRd32!DllCanUnloadNow+0x1e7c0
0075f670 5fd0a42d 5fce0000 00160000 02961b18 AcroRd32!AcroWinMainSandbox+0x8e3
0075fa8c 00167319 5fce0000 00160000 02961b18 AcroRd32!AcroWinMainSandbox+0x1b7
0075fe54 00268f7a 00160000 00000000 028e1f3c AcroRd32_exe+0x7319
0075fea0 74ed8674 00589000 74ed8650 638fcb5d AcroRd32_exe!AcroRd32IsBrokerProcess+0x94f4a
0075feb4 77045e17 00589000 9999f07a 00000000 kernel32!BaseThreadInitThunk+0x24
0075fefc 77045de7 ffffffff 7706ad8c 00000000 ntdll!__RtlUserThreadStart+0x2f
0075ff0c 00000000 00161367 00589000 00000000 ntdll!_RtlUserThreadStart+0x1b
THREAD_SHA1_HASH_MOD_FUNC: 1b67e13b41bb62067dcf464047c1f35f7af102e9
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 04018edc20213641dd7d6ff32078727dd8494ada
THREAD_SHA1_HASH_MOD: 11224748b2bee98bc2c13620314d628bde551efd
FOLLOWUP_IP:
AcroRd32!AX_PDXlateToHostEx+2bcab
60059904 cc int 3
FAULT_INSTR_CODE: 8b16ebcc
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: AcroRd32!AX_PDXlateToHostEx+2bcab
MODULE_NAME: AcroRd32
IMAGE_NAME: AcroRd32.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5c1a86c2
STACK_COMMAND: ~0s ; .ecxr ; kb
BUCKET_ID: BREAKPOINT_AcroRd32!AX_PDXlateToHostEx+2bcab
FAILURE_EXCEPTION_CODE: 80000003
FAILURE_IMAGE_NAME: AcroRd32.dll
BUCKET_ID_IMAGE_STR: AcroRd32.dll
FAILURE_MODULE_NAME: AcroRd32
BUCKET_ID_MODULE_STR: AcroRd32
FAILURE_FUNCTION_NAME: AX_PDXlateToHostEx
BUCKET_ID_FUNCTION_STR: AX_PDXlateToHostEx
BUCKET_ID_OFFSET: 2bcab
BUCKET_ID_MODTIMEDATESTAMP: 5c1a86c2
BUCKET_ID_MODCHECKSUM: 189b0d3
BUCKET_ID_MODVER_STR: 19.10.20069.49826
BUCKET_ID_PREFIX_STR: BREAKPOINT_
FAILURE_PROBLEM_CLASS: BREAKPOINT
FAILURE_SYMBOL_NAME: AcroRd32.dll!AX_PDXlateToHostEx
FAILURE_BUCKET_ID: BREAKPOINT_80000003_AcroRd32.dll!AX_PDXlateToHostEx
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/unknown/19.10.20069.49826/5c1a86ce/AcroRd32.dll/19.10.20069.498...
TARGET_TIME: 2019-01-30T17:31:22.000Z
OSBUILD: 9200
OSSERVICEPACK: 431
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x86
OSNAME: Windows 8
OSEDITION: Windows 8 WinNt SingleUserTS
USER_LCID: 0
BUILDDATESTAMP_STR: 160101.0800
BUILDLAB_STR: WinBuild
BUILDOSVER_STR: 10.0.16299.15
ANALYSIS_SESSION_ELAPSED_TIME: abc5
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:breakpoint_80000003_acrord32.dll!ax_pdxlatetohostex
FAILURE_ID_HASH: {47b1da0e-8307-c87f-9dc1-9c2e5b438a1a}
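A triage helper for the stack in the post above, as an added example that is not part of the original thread and not Adobe or McAfee tooling: it tallies which modules appear on the faulting thread and flags frames whose large offsets suggest the debugger fell back to the nearest exported name. The `0x10000` threshold and the expected-module set are assumptions chosen for illustration.

```python
import re
from collections import Counter

# WinDbg `kb` frame: ChildEBP RetAddr Arg1 Arg2 Arg3 module[!symbol][+0xoffset]
FRAME_RE = re.compile(
    r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}"
    r"(?P<module>[^!+\s]+)(?:!(?P<symbol>.+?))?(?:\+0x(?P<offset>[0-9a-f]+))?$"
)

# Excerpt of the STACK_TEXT frames posted above (a subset, order preserved).
SAMPLE_STACK = """\
WARNING: Stack unwind information not available. Following frames may be wrong.
0075ecc8 60064f3d 0075ed5c fffffffc dbe3164e AcroRd32!AX_PDXlateToHostEx+0x2bcab
0075edd0 60527b37 00000000 084b1a60 084b1a60 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x603bb
0075ede4 5fe352b6 084b1a60 085057a8 00000001 AcroRd32!AIDE::PixelPartInfo::operator=+0xf2ef7
0075ef4c 76a1e0bb 000b0c8a 00000006 00000001 AcroRd32!AcroWinMainSandbox+0x7232
0075ef78 76a28849 5fd1140a 000b0c8a 00000006 user32!_InternalCallWinProc+0x2b
0075f318 76a1b274 0075f36c 00000000 00000000 ntdll!KiUserCallbackDispatcher+0x4d
0075fe54 00268f7a 00160000 00000000 028e1f3c AcroRd32_exe+0x7319
0075feb4 77045e17 00589000 9999f07a 00000000 kernel32!BaseThreadInitThunk+0x24
"""

# Assumption: an offset this far past a symbol means the debugger resolved to
# the nearest exported name, so the function name itself is not trustworthy.
NEAREST_EXPORT_THRESHOLD = 0x10000

def parse_frames(stack_text):
    """Return one dict per recognised frame; warnings and other lines are skipped."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            off = m.group("offset")
            frames.append({"module": m.group("module"), "symbol": m.group("symbol"),
                           "offset": int(off, 16) if off else 0})
    return frames

def module_counts(frames):
    """Number of frames each module contributes to this thread's stack."""
    return Counter(f["module"] for f in frames)

def unreliable_symbols(frames):
    """Frames whose symbol is probably a nearest-export guess, not the real function."""
    return [f for f in frames if f["symbol"] and f["offset"] >= NEAREST_EXPORT_THRESHOLD]

def modules_outside(frames, expected):
    """Modules on the stack that are not in the expected (application + OS) set."""
    return sorted(set(module_counts(frames)) - set(expected))
```

This covers only the one thread's call stack; which DLLs are loaded into the process is answered by the dump's loaded-module list (`lm` in WinDbg), not by the stack.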
You cannot predict what next year's hackers will do, but you already know how to protect from it?
Yes. Did you read about sandboxing?

