Acrobat products provide a way for you to add, remove, open, and save file attachments. However, attachments represent a potential security risk because they can contain malicious content, open other dangerous file, or launch applications. Certainly most users do perceive certain file types as dangerous, including s .bin, .exe, .bat, and so on.

To mitigate the risk inherent in attachments, you should:

  • Know what the content is and from where it originated.

  • Be aware of dangerous file types and how the application manages those types. Adobe applications maintain Black lists and white lists which control application behavior.

  • Prevent attachments from opening other files and launching applications. This is the default behavior.

Basic configuration

Note that the settings described below work in tandem; that is, if any of bAllowOpenFile, bSecureOpenFile, and tBuiltInPermsList are set to prevent the opening of an attachment, then the attachment type won’t open (or all attachments depending on the setting).

Attachments and 3rd party apps

bAllowOpenFile specifies whether to open non-PDF attachments in their native application. If can be set by checking Preferences > Trust Manager > Attachment panel > Allow opening of Non-PDF file attachments with external applications.

The registry setting is:

[HKEY_CURRENT_USER\Software\Adobe\(Product name)\(version)\Originals]"bAllowOpenFile"=dword:00000001

Opening non-PDF file types

bSecureOpenFile specifies whether to allow opening attachments which are not PDF. There is no corresponding user interface item.

The registry setting is:

[HKEY_CURRENT_USER\Software\Adobe\(Product name)\(version)\Originals]"bSecureOpenFile"=dword:00000001

Setting file type permissions

The default application behavior for file types in the attachment list can be modified manually as needed. New file extensions can be added to the list, existing ones removed, and the behavior changed for file types already in the list.

Permissions settings are as follows:

  • 0: User is warned that the file may be unsafe and is given two choices: open or permanently set the behavior to Prohibited.

  • 1: User is warned that the file may be unsafe and is given three choices: open or permanently set the behavior to Allowed or Prohibited.

  • 2: Always open this file type.

  • 3: This file type does not open and a warning message appears.


Modifying the registry settings in HKLM requires administrator rights. To modify file attachments permissions:

  1. On 64 bit machines, navigate to HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product name)\(version)\FeatureLockdown\cDefaultLaunchAttachmentPerms.

  2. Double click the tBuiltInPermList value.

  3. Edit or add an extension and value in the format of .extension>:#. For example, zip:1. This is a simple, pipe-separated list (e.g. |doc|docx|dv|emf|). Refer to the actual preference values for a list of current settings.


The ordering of the entries is irrelevant, but it is important that the list has no duplicate entries.

Attachment permissions example



To edit the registry to modify the default behavior of file attachments in Macintosh:

  1. Locate the FeatureLockDown file and edit it in a text editor. This file is normally located in Applications/<application> <version number><product name>/<application> [version number] Professional/Contents/MacOS/Preferences.

  2. Hold the Ctrl key and click the application file in Applications/Adobe Acrobat <product name>.

  3. Choose Show Package Contents.

  4. Navigate to Contents > MacOS > Preferences.

  5. Locate the FeatureLockDown file in the Preferences folder, and open it in a text editor.

  6. Find BuiltInPermList [/s.

  7. Edit or add an extension and value in the format of <.extension>:<0-3>. For example, .zip:1.


To edit the registry to modify the default behavior of file attachments in Linux:

  1. Navigate to <install location>/Adobe/<application and version/Reader/globalPrefs.

  2. Open AttachmentPerms in a text editor.

  3. Edit or add an extension and value in the format of <.extension>:<0-3>. For example, .zip:1.

Adding Custom Attachment Extensions

To add custom extensions, add your own file extension entries to the very end of the list. The method is the same on both Windows and Macintosh. Use the following format for each custom extension:


For example, to add the extension .`ext` with a value of Always Allowed, you would add:


Attachment user interface

Resetting attachment permissions

Because the registry list could grow over time and users do not have direct access to the lists through the user interface, resetting the list to its original state may result in the highest level of security.

To reset the black and white lists:

  1. Choose Preferences > Trust Manager.

  2. In the PDF File Attachments panel, choose Restore.

Attachment panel in Trust Manager


Allowing attachments to launch applications

The Trust Manager enables users to control whether or not non-PDF attachments can open with other applications. By default, this option is enabled so that common file types such as .doc (not on the application’s black list) can be easily opened in the appropriate application.

To set attachment preferences:

  1. Choose Preferences > Trust Manager.

  2. Configure Allow opening of non-PDF file attachments with external applications:

    • Checked: Default. The application uses its stored black list to determine whether Acrobat should let the attachment launch an application action, so the attachment can be opened.

    • Unchecked: Clicking or opening an attachment will never result in launching it’s associated viewing application. Use this option if a higher level of security is needed.

Modifying permissions on-the-fly

Users can indirectly manage the registry list of which file types can be opened and saved. In other words, the list in Attachment black list can be extended one at a time as each attached file is opened. Administrators can modify the registry.

To add a file to a black or white list, attach the new file type to a document and then try to open it:

  1. Acrobat: Choose Document > Attach a File and attach a file type not on the black or white list (e.g.

  2. Open the file by highlighting it in the Attachments pane and choosing Open.

  3. When the Launch Attachment dialog appears, choose one of the following:

    • Open this file: Opens the files without changing the registry list.

    • Always allow opening files of this type: Adds the file type to the white list and prevents future warnings.

    • Never allow opening files of this type: Adds the file type to the black list and does not open it.

  4. Choose OK.

Launch Attachment dialog


Black lists and white lists

Acrobat products store a list of some of these good (whitelisted) and bad (blacklisted) file types in the registry. Application behavior is controlled by the file type’s membership in a list:

  • File types on the white list: These can be attached and may be opened or saved if the file extension is associated with the requisite program.

  • File types on the black list: These can be attached, but a warning dialog appears stating that they cannot be saved or opened from the application. No actions are available for these files.

  • File types not on any list: These can be attached without a warning dialog. Trying to open or save them invokes a dialog which allows the user to perform the action just once or to add them to the good type (white) list or bad type (black) list.

Attachment: Dangerous type warning


You can attach file types that are on the black list because a document recipient may have a less restrictive black list than you (the sender). While the recipient may be able to open the file, the attacker will not be able to execute or open it from within the application. Attempting to open a prohibited file type results in a warning that the action is not allowed.

Attachment: “Cannot open” warning


Blacklisted extensions

This is a partial list and new items are regularly added. Refer to the product registry for the latest list.

Attachment black list




Access Project Extension (Microsoft)


Access Project (Microsoft)


Executable Application


Active Server Page


BASIC Source Code


Batch Processing


Bzip UNIX Compressed file


Bzip 2 UNIX Compressed file (replaces BZ)


Internet Security Certificate file (MIME x-x509-ca-cert)


Compiled HTML Help


Java Class file


DOS CP/M Command file, Command file for Windows NT




Mac OS Command Line executable


Windows Control Panel Extension (Microsoft)


Certificate file


UNIX csh shell script


Executable file


FoxPro Compiled Source (Microsoft)


Gzip Compressed Archive


Macintosh BinHex 2.0 file


Windows Help file


Macintosh BinHex 4 Compressed Archive


Hypertext Application


Information or Setup file


Initialization/Configuration file


IIS Internet Communications Settings (Microsoft)


IIS Internet Service Provider Settings (Microsoft)


Internet Document Set, International Translation


Java Archive


Windows Task Scheduler Task Object


JavaScript Source Code


JScript Encoded Script file


UNIX ksh shell script


Windows Shortcut file


Compressed archive (LH ARC)


Access Module Shortcut (Microsoft)


Access (Microsoft)


Access Diagram Shortcut (Microsoft)


Access Macro Shortcut (Microsoft)


Access Query Shortcut (Microsoft)


Access Report Shortcut (Microsoft)


Access Stored Procedures (Microsoft)


Access Table Shortcut (Microsoft)


Media Attachment Unit


Access View Shortcut (Microsoft)


Access Data Access Page (Microsoft)


Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)


Access MDE Database file (Microsoft)


Access Add-in Data (Microsoft)


Access Workgroup Information (Microsoft)


Access Wizard Template (Microsoft)


Microsoft Management Console Snap-in Control file (Microsoft)


Windows Installer file (Microsoft)


Windows Installer Patch


Windows SDK Setup Transform Script


Microsoft Object Linking and Embedding (OLE) Control Extension


Office Profile Settings file


Visual Test (Microsoft)


Mac OS X Installer Package


Windows Program Information file (Microsoft)


Windows System file


Program file


MS Exchange Address Book file, Outlook Personal Folder file (Microsoft)


WinRAR Compressed Archive


Registration Information/Key for Windows 95/98, Registry Data file


Windows Explorer Command


Windows Screen Saver


Windows Script Component, Foxpro Screen (Microsoft)


Self-expanding archive (used by Stuffit for Mac files and possibly by others)


Windows Shortcut into a Document


Shell Scrap Object file


Compressed archive of Mac files (Stuffit)


Tape Archive file


UNIX Tar file Gzipped


Temporary file or Folder


Internet Location


VBScript file or Any VisualBasic Source


VBScript Encoded Script file


VBScript Script file, Visual Basic for Applications Script


Visual Studio .NET Binary-based Macro Project (Microsoft)


Visio Stencil (Microsoft)


Visio Template (Microsoft)


Visio Workspace file (Microsoft)


Mac OS Finder Internet Location


Windows Script file


Windows Script Component


Windows Script file


Windows Script Host Settings file


Compressed Archive file


ZoneLabs ZoneAlarm Mailsafe Renamed .PIF file


An early compressed file format