Overview
When a user accesses a PDF document, the document opens in Acrobat reader but 2 events are created: access-allowed event and access-denied event. If GFI EndPointSecurity is configured to send an alert for access-denied events, the alert will be a false positive.
In rare cases, the user may get a pop-up error that if they click OK, the document will open.
Environment
- GFI EndPointSecurity
- Adobe Acrobat Reader
Root Cause
When Acrobat Reader opens a PDF, it launches 2 Acrord32.exe processes. Our developers have found that one of these instances uses a token that is invalid thus causing an access-denied event to be written.
GFI has opened a case with Adobe in this issue.
Resolution
The only solution to this problem is to create a rule in your email client to ignore these emails.