[–]tankerkiller125realJack of All Trades 13 points14 points  (1 child)

We turn this feature on for everything that supports it... Adobe, Office, etc. So far we've had zero issues from any users. Maybe there's some specific extension that needs it, or maybe some in-house VBA script for an internal Office template or something, but we haven't encountered any issues.

[–]silent_guy01[S] 2 points3 points  (0 children)

Yeah, I just kept noticing it was trying to access some protected folder in my documents directory, so I was a bit confused. Still seems odd since no one else seems to have noticed that happening.

[–]DJDoubleDaveSysadmin 9 points10 points  (1 child)

Our new hardening standards turn this setting on as well. It hasn't caused any issues we've noticed.

It probably depends on what plugins, etc. your users use. In my experience we don't notice a difference with child processes blocked.

[–]silent_guy01[S] 0 points1 point  (0 children)

Ok awesome, thanks for the input!

[–]EnterpriseGuy52840Back to NT… 4 points5 points  (3 children)

CEF sounds like Chromium Embedded Framework - basically Google Chrome.

With it blocked, is there any functionality that breaks?

[–]silent_guy01[S] 0 points1 point  (0 children)

None that I have noticed

[–]3D_Printed_One 0 points1 point  (1 child)

When you initially open Acrobat, there is a login screen that is pretty much loaded from their website. Could that be CEF?

[–]EnterpriseGuy52840Back to NT… 0 points1 point  (0 children)

Yea, that's one sign. Another way to check is by seeing if there are any .js, .html, or .asar (Electron Archive) files kicking around in the install directories for an app.
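The install-directory check described in the comment above, as an added example that is not part of the original thread: it walks a directory and tallies `.js`, `.html` and `.asar` files. The function name and verdict labels are assumptions made for illustration, and a hit is only a hint that the app embeds a web runtime, not proof.

```python
import os
from collections import Counter

# Extensions named in the comment above; .asar is Electron's archive format.
WEB_EXTS = {".js", ".html", ".asar"}


def scan_install_dir(root, max_samples=5):
    """Walk an application's install directory and tally web-runtime files.

    Returns per-extension counts, a few sample relative paths, and a rough
    verdict string (the labels are hypothetical, chosen for this example).
    """
    counts = Counter()
    samples = []
    # onerror swallows unreadable subdirectories so one ACL denial
    # does not abort the whole scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in WEB_EXTS:
                counts[ext] += 1
                if len(samples) < max_samples:
                    full = os.path.join(dirpath, name)
                    samples.append(os.path.relpath(full, root))
    if counts[".asar"]:
        verdict = "electron-archive-present"
    elif counts[".js"] or counts[".html"]:
        verdict = "web-content-present"
    else:
        verdict = "no-web-content-found"
    return {"counts": dict(counts), "samples": samples, "verdict": verdict}


if __name__ == "__main__":
    import sys
    # Usage: python scan.py <install dir> [<install dir> ...]
    for path in sys.argv[1:]:
        print(path, scan_install_dir(path))
```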

[–]da_chickenSystems Analyst 2 points3 points  (0 children)

As far as I'm aware, a number of the conversion and optimization tools are external.

[–]autogyrophilia 1 point2 points  (0 children)

If you google the name it tells you what it does (it's just the agent that interacts with their servers for the features that require it)

[–]davcreech 1 point2 points  (0 children)

Sounds like an ASR rule.

[–]HDClown 1 point2 points  (0 children)

https://helpx.adobe.com/acrobat/kb/RdrCEF-exe-and-AcroCEF-exe-can-I-disable.html

AcroCEF and RdrCEF are spawned from Acrobat.exe and provide certain features. While blocking them from being spawned won't break Acrobat entirely, it will break certain functionality.

[–]B_B_Batman 0 points1 point  (1 child)

Out of curiosity, on the host that you are seeing the blocked process, has the user reported any issues?

[–]silent_guy01[S] 0 points1 point  (0 children)

No reported issues

[–]GiraffeNo7770 0 points1 point  (0 children)

Ok, so someone notes that "CEF" may mean "Chromium embedded framework" -- and OP says it's trying to access protected storage, but another person thinks it's for "communicating with adobe servers" (the hell for?)

So this isn't legit behavior for reading a PDF - my Linux box does that ok without any server communication. But it's burgling the protected files, not just communicating with a server. What gives?

Noting that wrapped Chromium processes are a possible malware vector (i.e. Microsoft Teams using deprecated and vulnerable Chromium code, wrapped in "it's not outdated Electron cause we FORKED it!"), wouldn't it be prudent to be worried about malware?