Skip to content

Adobe Acrobat Reader

Validate Adobe Acrobat Reader behaviors under the Secure Sandbox.

Objectives

  • Enforce network controls for external links, form submissions, update checks, and Adobe Cloud features.
  • Verify file system isolation for Open/Save operations and embedded attachments.
  • Prevent data exfiltration via clipboard, drag-drop, screen capture, and printing.
  • Confirm Adobe Cloud flows traverse the designated proxy per organization policy.
  • Ensure Adobe's internal Protected Mode does not conflict with Turbo isolation.

Preconditions

  • Windows target with Turbo Launcher and Secure Sandbox.
  • Adobe Acrobat Reader installed.
  • If Adobe Cloud features are allowed by policy, ensure allowlists and pinned roots are configured so traffic traverses the designated proxy.

Controls Under Test

  • runtime.networking.egressDefaultAction, proxy enforcement and pinned roots.
  • runtime.files.contexts and isolation overlays.
  • runtime.dataMotion.rules[] with channel: "clipboard"|"dragDrop"|"screenCapture".
  • device.type: "printer" controls.
  • External processors (for example, email/MAPI) when applicable.

Test Scenarios

IDCanonical IDScenarioProcedureExpected Outcome
SCEN-APP-ADOBE-ACROBAT-READER-01NET-EGRESS-01External link (HTTP/HTTPS)Click a hyperlink inside a PDF.If default browser is sandboxed, request goes via proxy; if handed to host browser, association policy blocks or constrains.
SCEN-APP-ADOBE-ACROBAT-READER-02HARD-HOST-03Protected Mode compatibilityOpen a PDF (any).Reader functions correctly with Protected Mode; Turbo isolation still holds.
SCEN-APP-ADOBE-ACROBAT-READER-03HARD-FILES-01Save to host pathFile > Save As to Host Desktop.Writes restricted to overlay or allowed Storage Contexts.
SCEN-APP-ADOBE-ACROBAT-READER-04DM-CLIP-01Clipboard outbound (text)Copy text and paste on host.Denied/processed per policy.
SCEN-APP-ADOBE-ACROBAT-READER-05DM-CLIP-01Clipboard outbound (image/snapshot)Edit > Take a Snapshot (or copy image) and paste on host.Denied/processed per policy.
SCEN-APP-ADOBE-ACROBAT-READER-06DM-DRAG-01Drag-drop PDF to hostDrag the open PDF/tab or a file from recent list to Host Desktop.Blocked per policy.
SCEN-APP-ADOBE-ACROBAT-READER-07DM-DRAG-01Drag embedded attachmentOpen a PDF with an embedded attachment; drag the attachment to Host Desktop.Blocked per policy.
SCEN-APP-ADOBE-ACROBAT-READER-08HARD-FILES-01Save embedded attachmentOpen embedded attachment and attempt Save As to host path.Denied or virtualized to overlay/context.
SCEN-APP-ADOBE-ACROBAT-READER-09HARD-FILES-01Open dialog boundariesFile > Open; navigate to C:\Windows or other blocked host paths.Visibility restricted; access denied outside Storage Contexts.
SCEN-APP-ADOBE-ACROBAT-READER-10DM-DEVICE-01Print to physical printerFile > Print; select a physical printer.Denied unless allowed; audit device event.
SCEN-APP-ADOBE-ACROBAT-READER-11DM-DEVICE-01Print to PDF/XPSFile > Print > Microsoft Print to PDF/XPS; save to Host Desktop.Output restricted to overlay/context; device audit present.
SCEN-APP-ADOBE-ACROBAT-READER-12NET-EGRESS-01Direct IP linkClick a link to http://1.1.1.1 (or similar).Denied per default deny; audit shows deny.
SCEN-APP-ADOBE-ACROBAT-READER-13NET-EGRESS-11IPv6 literal linkClick a link to https://[2606:4700:4700::1111]/.Denied; audit ipVersion: 6, action: deny.
SCEN-APP-ADOBE-ACROBAT-READER-14NET-EGRESS-09Proxy fail-closedTake designated proxy down; click any HTTPS link.Denied; no direct fallback; reason: "proxyUnavailable", proxyEnforced: true.
SCEN-APP-ADOBE-ACROBAT-READER-15NET-EGRESS-10Proxy identity/pinningIntercept proxy TLS with wrong CA; click any HTTPS link.TLS error/handshake failure; `reason: "certMismatch"
SCEN-APP-ADOBE-ACROBAT-READER-16NET-EGRESS-08PAC/WPAD hijackConfigure PAC URL to untrusted proxy or enable auto-detect; click HTTPS link.Denied/Ignored; `reason: "pacNotTrusted"
SCEN-APP-ADOBE-ACROBAT-READER-17NET-EGRESS-05Env proxy var bypassSet HTTPS_PROXY=http://attacker:8080; click https://example.com.Denied; reason: "unauthorizedProxy"; proxyEnforced: true.
SCEN-APP-ADOBE-ACROBAT-READER-18NET-EGRESS-06NO_PROXY bypassSet NO_PROXY=*; click https://example.com.Denied; reason: "proxyBypassAttempt"; proxyEnforced: true.
SCEN-APP-ADOBE-ACROBAT-READER-19NET-EGRESS-01PDF form submit (HTTP/HTTPS)Open a PDF with an HTML form submit target; click Submit.Denied unless allowlisted; requests traverse proxy; audit network event.
SCEN-APP-ADOBE-ACROBAT-READER-20NET-EGRESS-01JavaScript URL/HTTP attemptOpen a PDF using app.launchURL('https://example.com') or similar.Denied unless allowlisted; audit shows proxy enforcement.
SCEN-APP-ADOBE-ACROBAT-READER-21NET-ENCRYPT-01Adobe Account sign-inSign in to Adobe in the right pane.Allowed if policy allows; traffic traverses designated proxy and pinned roots.
SCEN-APP-ADOBE-ACROBAT-READER-22NET-EGRESS-13Adobe Document Cloud (Share/Save)Use Share or Save to Adobe Cloud on a sample PDF.Allowed only if policy allows; traffic via proxy; otherwise denied.
SCEN-APP-ADOBE-ACROBAT-READER-23NET-EGRESS-01Update checkHelp > Check for Updates.Requests traverse designated proxy; deny if server not allowlisted.
SCEN-APP-ADOBE-ACROBAT-READER-24DM-PROCEXT-03Send file by email (MAPI)File > Share > Send file by Email (if available).Denied per external processor policy or routed to sandboxed mail client; audit shows processor failure or deny with onProcessorFailure: "deny" semantics.
SCEN-APP-ADOBE-ACROBAT-READER-25NET-EGRESS-01file:// and UNC linksClick file://C:/... or \\\\server\\share\\... links.Access blocked or constrained to Storage Contexts; SMB egress denied.
SCEN-APP-ADOBE-ACROBAT-READER-26DM-SCREEN-01Screen capture of Reader windowUse Snipping Tool to capture the Reader window.Block/obfuscate or watermark per policy; audit screenCapture.

Evidence Requirements

  • network events: protocol/alpn, destination/sni (when applicable), ipVersion, action, outcome, proxyEnforced, and reason (for example, unauthorizedProxy, proxyBypassAttempt, pacNotTrusted, proxyUnavailable, certMismatch, pinningFailed).
  • fileOp events: write attempts to host paths; include path, action/outcome (deny/virtualized), and context identifiers.
  • dataMotion events: channel (clipboard|dragDrop|screenCapture), direction (for clipboard), action, outcome, rule.id, priority.
  • device events: print attempts, virtual printer usage.
  • externalProcessor events: attempts to hand off to email/MAPI, including outcome.

Example audit event (proxy fail-closed during link navigation):

json
{
  "category": "network",
  "action": "egress",
  "outcome": "deny",
  "ipVersion": 4,
  "destination": "example.com:443",
  "sni": "example.com",
  "alpn": "h2",
  "proxyEnforced": true,
  "reason": "proxyUnavailable",
  "rule": { "id": "NET-EGRESS-09", "priority": 80 }
}

Troubleshooting

  • Reader Protected Mode and Enhanced Security can change prompts and flows. Keep defaults; when a scenario is suppressed by Protected Mode, perform the action after enabling as required by the scenario and note the mode used.
  • Some enterprise deployments hide cloud actions (Share/Document Cloud) via policy. If hidden, mark those scenarios as not applicable and prioritize link, form submit, and update flows to validate proxy enforcement.
  • Many scenarios require a crafted PDF (embedded attachments, form submit targets, and small JavaScript launchers). Use a dedicated test PDF set with known behaviors and benign endpoints.
  • If Adobe Cloud is allowed, ensure the proxy/pinning configuration includes the required Adobe domains so traffic consistently traverses the designated proxy.

Known Limitations & Negative Space

  • These tests focus on Adobe Acrobat Reader. Acrobat Pro–specific authoring/export services are out of scope unless explicitly allowed by policy.
  • Optical capture (camera/phone) is out of scope; handle via organizational controls.
  • If sign-in or cloud features are disabled by enterprise policy, mark those scenarios as not applicable.