We have the following problem that happens on new workstations with Windows 7 x64 and Acrobat Reader XI only.
Every few days the following key is automatically added to registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CA8A9780-280D-11CF-A24D-444553540000}
This key has the effect that Acrobat Reader XI gets disabled in Internet Explorer add-ons.
So when a user opens a PDF in IE (or SAP or other Windows software using IE), it is not opened within IE but in a new separate window.
All the client workstations use Microsoft System Center 2012 R2 and Microsoft System Center Endpoint Protection as the antivirus solution.
Can you please suggest what can be the reason for this, like group policy, antivirus etc.?
Best Answer
Reproducing the problem
Assuming you have installed
the following seems to happen here:
MalwareProtection registers a component named Microsoft Antimalware IOfficeAntiVirus implementation (MpOAv) for Extension Validation with IE.
MpOAv registers as a CLSID of {2781761E-28E1-4109-99FE-B9D127C57AFE}. You can inspect the detailed properties of MpOAv in the registry. The associated DLL usually resides at C:\Program Files (x86)\Microsoft Security Client\MpOAv.dll
Now every time IE wants to run an ActiveX control, the registered MpOAv is being called before that and sometimes misbehaves or simply thinks that the Reader ActiveX control is not safe. I have no idea what its behavior really depends on.
This all results in IE (iexplore.exe) writing 2 keys to the registry: the CLSIDs of MpOAv {2781761E-28E1-4109-99FE-B9D127C57AFE} and Reader {CA8A9780-280D-11CF-A24D-444553540000}.
From this point on IE will not run the Reader ActiveX control until someone manually removes its CLSID from there. This is the observed problem.
Workarounds
Stop IE from calling the Extension Validation component in the first place: Remove the CLSID of MpOAv from the Extension Validation keys [HKLM\…\Internet Explorer\Extension Validation]. This requires administrative rights and can be distributed via Group Policy. Be careful: Future updates of MalwareProtection might recreate the registry entry.
Uninstall Microsoft System Center Endpoint Protection / Microsoft Malware Protection. Use a different product.
Long term solution
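For the per-user block described in the answer above, the following is an added example (not part of the original question or answer) that reports which loaded user hives contain the two CLSIDs under Ext\Settings and removes only the Reader entry. The function names are hypothetical, and the script assumes the MpOAv CLSID is written under the same Ext\Settings path the question gives for the Reader CLSID.

```powershell
# Added example: audit and optionally clear the per-user IE add-on block.
# CLSIDs and the Ext\Settings path come from the page; function names are hypothetical.
$ReaderClsid = '{CA8A9780-280D-11CF-A24D-444553540000}'   # Reader ActiveX control
$MpOAvClsid  = '{2781761E-28E1-4109-99FE-B9D127C57AFE}'   # MpOAv (location assumed)
$SubPath     = 'Software\Microsoft\Windows\CurrentVersion\Ext\Settings'

function Get-IEAddonBlock {
    # Walk every user hive currently loaded under HKEY_USERS. The SID filter
    # skips service accounts and the *_Classes hives. Run elevated to see
    # hives other than your own.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            foreach ($clsid in $ReaderClsid, $MpOAvClsid) {
                $key = "Registry::HKEY_USERS\$sid\$SubPath\$clsid"
                if (Test-Path -LiteralPath $key) {
                    $item   = Get-Item -LiteralPath $key
                    $values = $item.GetValueNames() |
                        ForEach-Object { "$_=$($item.GetValue($_))" }
                    # New-Object keeps this usable on the PowerShell 2.0
                    # that ships with Windows 7.
                    New-Object PSObject -Property @{
                        Sid    = $sid
                        Clsid  = $clsid
                        Key    = $key
                        Values = ($values -join '; ')
                    }
                }
            }
        }
}

function Remove-ReaderAddonBlock {
    # Removes only the Reader CLSID key, the manual fix the answer describes.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Get-IEAddonBlock | Where-Object { $_.Clsid -eq $ReaderClsid } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Key, 'Remove registry key')) {
            Remove-Item -LiteralPath $_.Key -Recurse
        }
    }
}

# Report first, then preview the removal without changing anything.
Get-IEAddonBlock | Format-Table Sid, Clsid, Values -AutoSize
Remove-ReaderAddonBlock -WhatIf
```

Drop `-WhatIf` to perform the removal; logging the report output on a schedule shows how often the key reappears on a given workstation.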