File attachments

Acrobat products allow you to open and save PDF and FDF file attachments; however, attachments are associated with a potential security risk since they may contain malicious content, open other dangerous files, or launch bad applications. To mitigate the potential risks with attachments, certain file types such as .bin, .exe, and .bat are blocked by default.

For a complete guide to attachment configuration, see the Application Security Guide.

To mitigate the risk inherent in attachments:

  • Know what the content is.

  • Decide whether the content’s origin should be trusted.

  • Prevent attachments from opening other files and launching applications other than those white listed in tBuiltInPermList. This is the default behavior.

  • Be aware of dangerous file types and how the application manages those types. Adobe applications maintain black lists and white lists, and a file type’s membership in a list controls how the application handles it:

    • File types on the white list: These can be attached and may be opened or saved if the file extension is associated with the requisite program.

    • File types on the black list: These can be attached, but a warning dialog appears stating that they cannot be saved or opened from the application. No actions are available for these files.

    • File types not on any list: These can be attached without a warning dialog. Trying to open or save them invokes a dialog which allows the user to perform the action just once or to add them to the white list or black list.

Figure: Attachment blacklist

Block “open” actions

To prevent users from opening or launching any file type other than PDF and FDF from a document opened in the application, check Prevent document from opening other files and launching other applications.

This feature locks the setting so that it cannot be changed by end users and sets:

[HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown]
"iFileAttachmentPerms"=dword:00000001

Modify black-white lists

To modify the level of user access to file types:

  1. In the Add and Modify File Types (Extensions) list, scroll to the file type you want to modify.

  2. Set the user access level when opening or launching the file type to one of the following:

    • Unspecified: Sets tBuiltInPermList to 1.

    • Allowed: Sets tBuiltInPermList to 2.

    • Prohibited: Sets tBuiltInPermList to 3.

This feature sets:

[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown\cDefaultLaunchAttachmentPerms]
"tBuiltInPermList"

Note

PDF (documents) and FDF file extensions are always allowed. You cannot prohibit them or mark them as Unspecified.

Restore default behaviors

To restore the default behaviors of the ‘Add and Modify File Types (Extension)’ list:

  1. Choose Restore Defaults.

  2. Choose Yes to confirm.

This feature sets:

[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown\cDefaultLaunchAttachmentPerms]
"tBuiltInPermList"

Note

The level of access for all default file types (except PDF and FDF) is set to Prohibited; any new file types that you added to the list are removed.

Unknown file types

To control user access to file types that are marked Unspecified or are not listed in the Add and Modify File Types (Extension) list, select one of the following options:

Unknown file type attachment options

| Registry | Wizard UI | Description |
|---|---|---|
| 0 | Prompt user without the ability to set the file type as Allowed | If a file with an unspecified file extension is launched then a dialog appears with two options: Open File and Never Allow. |
| 1 | Prompt user with the ability to set the file type as Allowed | If a file with an unspecified file extension is launched then a dialog appears with three options: Open File, Always Allow, and Never Allow. |
| 2 | None | The file opens if its extension is associated with an application. |
| 3 | Never launch files of Unspecified Types | If a file with an unspecified file extension is launched then a dialog appears indicating that the application doesn’t allow such files to launch. |

After installation, if Prevent document from opening other files and launching other applications is selected, users do not have access to any other file types. To check this in the product, go to Preferences > Edit > Trust Manager and verify the PDF File Attachments options are unavailable.

This feature sets:

[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown\cDefaultLaunchAttachmentPerms]
"iUnlistedAttachmentTypePerm"

Figure: Unknown file type behavior
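How the three settings on this page combine, as an added example (not Adobe's code): it reads policy values from .reg-style text, reports the outcome for a given extension, and flags a weak configuration. The sample data is constructed, and both the `|`-separated `ext:level` layout of tBuiltInPermList and the audit baseline are assumptions of this example.

```python
import re

# Constructed sample in the .reg layout shown above; the "|"-joined "ext:level"
# entries are an assumed value format that this page does not specify.
SAMPLE_REG = r'''
[HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown]
"iFileAttachmentPerms"=dword:00000000
[HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cDefaultLaunchAttachmentPerms]
"tBuiltInPermList"="version:1|.exe:3|.bat:3|.bin:2|.docx:2|.xyz:1"
"iUnlistedAttachmentTypePerm"=dword:00000001
'''
LEVELS = {1: "Unspecified", 2: "Allowed", 3: "Prohibited"}
UNLISTED = {0: "prompt: Open File / Never Allow",
            1: "prompt: Open File / Always Allow / Never Allow",
            2: "opens if the extension has an associated program",
            3: "never launched"}
VALUE_RE = re.compile(r'^"(\w+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")\s*$', re.M)

def parse_reg(text):
    """Return {value name: int or str} for every "name"=value line."""
    return {name: int(dword, 16) if dword else string
            for name, dword, string in VALUE_RE.findall(text)}

def parse_perm_list(raw):
    """Map each ".ext" entry to its level; other entries are skipped."""
    pairs = (item.rpartition(":") for item in raw.split("|"))
    return {ext.lower(): int(level) for ext, _, level in pairs
            if ext.startswith(".") and level.isdigit()}

def decide(ext, values):
    """Outcome when a user opens an attachment with this extension."""
    if ext.lower() in (".pdf", ".fdf"):
        return "Allowed"        # PDF and FDF are always allowed
    if values.get("iFileAttachmentPerms") == 1:
        return "Prohibited"     # lockdown: nothing but PDF and FDF opens
    level = parse_perm_list(values.get("tBuiltInPermList", "")).get(ext.lower(), 1)
    if level in (2, 3):
        return LEVELS[level]
    return UNLISTED.get(values.get("iUnlistedAttachmentTypePerm"), "application default")

def audit(values, dangerous=(".bin", ".exe", ".bat")):
    """Baseline chosen for this example: dangerous types Prohibited, unlisted = 3."""
    if values.get("iFileAttachmentPerms") == 1:
        return []
    perms = parse_perm_list(values.get("tBuiltInPermList", ""))
    findings = [f"{e} is {LEVELS.get(perms.get(e, 1))}, expected Prohibited"
                for e in dangerous if perms.get(e, 1) != 3]
    if values.get("iUnlistedAttachmentTypePerm") != 3:
        findings.append("unlisted file types are not set to never launch")
    return findings
```

For the constructed sample, `audit(parse_reg(SAMPLE_REG))` reports that `.bin` is Allowed and that unlisted types can still be launched by the user.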