Questions Regarding Adobe Acrobat Reader Protected Mode, SRP, and Rehips

Started by Reset, September 04, 2021, 06:16:36 AM

Previous topic - Next topic

Reset

Hi fixer,

I am running the demo version of Rehips 2.5 on Win 10 (home version, 64-bit). After installing and updating adobe acrobat reader, I found that I could not run it in the isolated environment which is automatically generated by Rehips. Only if I turn off the Protected Mode of Acrobat Reader and turn off SRP (As I am using the home version of Win 10, I enabled/disabled SRP through Hard_Configurator https://github.com/AndyFul/Hard_Configurator), Acrobat Reader can be launched in the isolated environment. My questions are:

1. Could Rehips work with the Protected Mode of Acrobat Reader?
2. Why SRP could interfere the isolated environment of Rehips for Acrobat Reader?

Best wishes

fixer

Hello, Reset.

1. Your Windows and Reader are fully updated, I guess?
2. What version of Reader do you use?
3. What errors does it show or why you couldn't run it in isolation?

Reset

Hi, fixer,

>1. Your Windows and Reader are fully updated, I guess?
Sure.

>2. What version of Reader do you use?
21.005.20060

>3. What errors does it show or why you couldn't run it in isolation?
When I created this thread last week, Reader just did not launch in the isolated environment with no notification/message. However, after changing some settings for Defender, I cannot reproduce that problem now (sorry). Now when I launch Reader in the isolated environment, it shows a pop-up window saying that Adobe Reader cannot open with Protected Mode owing to incompatibility issues and asking whether I would like to open Adobe Reader with turning Protected Mode off. If I choose to open Reader with turning Protected Mode off, Reader could actually be launched in the isolated environment.

So, now my question is, could I run Reader in isolation without turning off Protected Mode? If not, then what would be the best practice, running Reader in the isolated environment of ReHIPS or running Reader in the Protected Mode (plus Appcontainer)?

Thanks.

fixer

Looks like you're right, Acrobat complains trying to enable Protected Mode. Will add to our TODO list to investigate the issue. If I remember correctly, they use Chrome isolation, guess they added something custom.

There was a blogpost about AppContainer and isolation here https://forum.rehips.com/index.php?topic=9533.0 In a few words:
-if an app uses AppContainer only, most likely it's the hardest isolation, no need to use ReHIPS;
-if some (or all) processes are not isolated, ReHIPS is recommended.

In Reader case I'd use ReHIPS and drop Protected Mode.

fixer

It still uses Chrome isolation. But for some reason now they also want WINSTA_ENUMDESKTOPS WinStation access right. Don't know why they need it as it works fine even without actually granting it. But updated rules in RulesManager anyway. So should be solved in the new 2.5.0.