locked
EMET 5 EAF+ Breaks Adobe Reader Protected View Mode RRS feed

  • General discussion

  • With EMET 5, when opening a PDF document in Adobe Reader 11.0.7 with Protected View enabled, it won't open the document and causes errors. 

    The setting in Adobe Reader for 'Protected View' is at Edit > Preferences > Security (Enhanced) > Protected View.  The Protected View options that are available are 'Off', 'Files from potentially unsafe locations' and 'all files'. If it is set the latter two settings and a file opens in Protected View, it will fail and therefore log an EMET error similar to the following in Event Viewer:


    EMET detected EAF+ (GuardPage) mitigation and will close the application: AcroRd32.exe

    EAF+ (guard page) check failed:
      Application  : C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
      User Name  : ***
      Session ID  : 1
      PID   : 0xD78 (3448)
      TID   : 0xD8C (3468)
      Module  : AcroRd32.dll
      Mod Base  : 0x71D90000
      Mod Address  : 0x720A22F3
      Mem Address  : 0x71D9003C


    In the predetermined application rules that come with EMET 5, AcroRd32.dll is listed as one of the EAF+ modules.  Therefore, either people will be unable to use Adobe Reader with Protected Mode, or AcroRd32.dll will need to be removed from the listed modules for EAF+.

    Friday, August 1, 2014 2:50 AM

All replies

  • Hi AnaBna,

    Thanks for reporting this. I can reproduce this issue on Windows 7 64 bit SP1 (Edit: I have now confirmed this issue also occurs with Adobe Reader 11.0.07 on Windows 8.1 Update 1 64 bit).

    Since you are the first person to report this I would also suggest reporting this issue using the EMET Connect Portal (in the Feedback section). Please include details of the version of Windows that you are using.

    In the meantime, I think your suggestion of removing AcroRd32.dll from the list of EAF+ protected modules is the most effective workaround (while still maintaining EAF+ on the remaining modules of Acrofx32.dll;AcroForm.api). I have confirmed this workaround is effective for both versions of Windows mentioned above.

    I hope this helps. Thanks again.

    Please note: I am a volunteer contributor on this forum and do not work for Microsoft.

    • Edited by JamesC_836 Friday, August 1, 2014 12:19 PM
    Friday, August 1, 2014 9:28 AM
  • I can also reproduce this issue on a virtual Windows 7 64 bit SP1 with a fresh install of EMET 5.0. The issue does not occur after an upgrade from EMET 4.1 because the settings are imported. ASR for Internet Explorer was also disabled. I have also reported this on he EMET Connect Portal (in the Feedback section).

    W. Spu

    Friday, August 1, 2014 4:08 PM
  • Hi W.Spu,

    Thanks for clarifying that this does not occur when upgrading from EMET 4.1 since the settings are imported.

    You are correct, in both of the instances that I tested, I upgraded from EMET 4.1 Update 1 to EMET 5.0 but needed to manually enable EAF+ (since the settings from EMET 4.1 Update 1 do not include this mitigation and thus it is disabled by default) after the upgrade.

    Friday, August 1, 2014 5:03 PM
  • Observing the same error but iexplore.exe is a victim. Disabling only EAF+ fixes that out.

    EMET detected EAF+ (GuardPage) mitigation and will close the application: iexplore.exe

    EAF+ (guard page) check failed:
      Application : D:\Program Files\Internet Explorer\iexplore.exe
      User Name : Victor
      Session ID : 1
      PID : 0x14E8 (5352)
      TID : 0xD74 (3444)
      Module : mshtml.dll
      Mod Base : 0x000007FEE9820000
      Mod Address : 0x000007FEE9C8C947
      Mem Address : 0x000007FEE982003C

    Windows 7 Ultimate AMD64 SP1

    Update: EMET 5.1 claims to have this bug fixed.


    • Edited by Biktap Wednesday, November 12, 2014 9:04 PM
    Wednesday, November 12, 2014 7:17 PM
  • The issue with Adobe Reader and protected view is resolved in EMET 5.1 which was released on November 10, 2014. Also see EMET 5.1 is available. Which problems are solved?

    W. Spu

    Wednesday, November 12, 2014 7:28 PM
  • Observing the same error but iexplore.exe is a victim. Disabling only EAF+ works out.

    EMET detected EAF+ (GuardPage) mitigation and will close the application: iexplore.exe

    EAF+ (guard page) check failed:
      Application : D:\Program Files\Internet Explorer\iexplore.exe
      User Name : Victor
      Session ID : 1
      PID : 0x14E8 (5352)
      TID : 0xD74 (3444)
      Module : mshtml.dll
      Mod Base : 0x000007FEE9820000
      Mod Address : 0x000007FEE9C8C947
      Mem Address : 0x000007FEE982003C

    Windows 7 Ultimate AMD64 SP1



    I can confirm the same happening on Windows 8.1 x64 with updates from November 12 2014.

    Removing mshtml.dll from the EAF+ list helps.

    Wednesday, November 12, 2014 8:01 PM
  • Oh, i see EMET 5.1 came out and it fixes that issue.

    http://blogs.technet.com/b/srd/archive/2014/11/10/emet-5-1-is-available.aspx

    I hope that we will see EMET automatically updates with Windows Update...

    Wednesday, November 12, 2014 8:07 PM
  • I had the same problem with EMET 5.0 and IE 11. Updating EMET to 5.1 fixed it.
    Monday, November 17, 2014 4:55 PM