The blacklist is maintained in the Windows registry and the Macintosh OS X FeatureLockdown file.On Windows, there are two blacklists, one for enterprise administrators,and one for Adobe patches and updates.
- Windows: Enterprise list: This blacklist helps enterprises roll out policies that block exploitable APIs from executing in their environment. Populating the blacklist in this location is the responsibility of the enterprise. Adobe patches never modify this registrylocation. HKLM\SOFTWARE\Policies\Adobe\<product>\<version>
- On a 64 bit Windows system, the path is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe
Blacklist rules of operation
- The two blacklists interact so that the most restrictive setting takes precedence; that is, if one blacklist blocks an API and the other does not, the API is blocked.
- To prevent breaking of existing customer workflows, blacklists can be overridden by:
The manual steps described below require administrator privileges on a machine and should only be undertaken by someone experienced in registry-level configuration. In most cases, configuration occurs via the Customization Wizard prior to client deployment or via a scripting mechanism post-deployment.
To manually configure a blacklist:
Open the registry editor.
- Create tBlacklist : right click in the right hand panel and choose New > String value
- Enter tBlacklist
- Right click on tBlacklist and choose Modify
- Add the APIs to block as a pipe-separated list in for the format of
- <some Object Name>.<Some Api Name>
- For example: Util.CharToByte|App.alert|Collab.getIcon
- Exit and restart the application