Block PDF software from creating child processes
Prevent PDF programs from running other programs to improve security.
Plain language
Blocking PDF programs from running other programs helps prevent cybercriminals from using them to install malicious software on your computer. Without this control, opening an innocent-looking PDF file could let attackers sneak harmful programs onto your system without you noticing.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
PDF software is blocked from creating child processes.
Why it matters
If PDF applications can spawn child processes, a malicious PDF can use the reader to launch malware, leading to code execution and data compromise.
Operational notes
Enforce OS policy (e.g., ASR/WDAC/AppLocker) to block PDF readers from launching child processes; audit events and exceptions regularly.
Implementation tips
- IT Team should configure PDF software settings to block it from creating child processes. This can usually be done through the software's advanced security settings options.
- System Administrator should apply group policies that restrict PDF applications from executing other programs. Use the Group Policy Editor to configure these settings across the network.
- Security Officer should ensure all staff use approved PDF readers that adhere to the organisation's security policies. Deploy chosen software via a software management tool to ensure consistency.
- IT Support should regularly update PDF software to the latest version to ensure all security patches are applied. Enable automatic updates where possible.
- IT Team should conduct regular checks to verify that the policy preventing PDF software from creating child processes is still in place and active.
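
One way to run the regular check from the last tip on Windows endpoints, as an added example that is not part of the original control text: it reads the state of the Microsoft Defender ASR rule "Block Adobe Reader from creating child processes" and summarises its block and audit events. It assumes Microsoft Defender Antivirus is the active antivirus and a 30-day review window; the rule covers Adobe Reader only, so other PDF software needs a separate control.

```powershell
# Added example: verify the ASR rule "Block Adobe Reader from creating child processes".
# Assumes Microsoft Defender Antivirus is active; run in an elevated session on the endpoint.
$RuleId   = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'   # Microsoft's published GUID for this rule
$LookBack = (Get-Date).AddDays(-30)                   # review window (assumption)

# 1. Configured state. Rule IDs and actions are parallel arrays in Get-MpPreference.
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids)
$acts  = @($pref.AttackSurfaceReductionRules_Actions)
$state = 'NotConfigured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $RuleId) {
        $state = switch ([int]$acts[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($($acts[$i]))" }
        }
    }
}

# 2. Enforcement evidence: ASR events for this rule (1121 = blocked, 1122 = audited).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $LookBack
} -ErrorAction SilentlyContinue | Where-Object { $_.ToXml() -match $RuleId }

$hits = foreach ($e in $events) {
    $d = @{}   # EventData name/value pairs as recorded in the event
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Mode   = if ($e.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        Parent = $d['Process Name']   # process that triggered the rule
        Child  = $d['Path']           # executable it tried to start
    }
}

# 3. Summary for the audit record, including exclusions that weaken the rule.
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Checked    = Get-Date
    RuleState  = $state
    Compliant  = ($state -eq 'Block')
    Exclusions = @($pref.AttackSurfaceReductionOnlyExclusions) -join '; '
    Blocked    = @($hits | Where-Object Mode -eq 'Blocked').Count
    Audited    = @($hits | Where-Object Mode -eq 'Audited').Count
} | Format-List
$hits | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

A `RuleState` of `Audit` or `Warn` logs or prompts but does not enforce the block, so only `Block` is reported as compliant.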
Audit / evidence tips
- Ask: Have the PDF applications been restricted from creating child processes?
- Good: The group policy clearly shows settings preventing PDF applications from creating child processes, confirmed by policy export or screenshots
- Ask: Are there regular audits ensuring compliance with this policy?
- Good: There are documented audit logs with consistent findings, confirming adherence to the policy
Cross-framework mappings
How E8-AH-ML2.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1470 | E8-AH-ML2.8 requires blocking PDF software from creating child processes as a specific hardening measure | |
| Supports (3) | | |
| ISM-0843 | E8-AH-ML2.8 requires PDF software to be blocked from creating child processes, typically enforced via OS/application control mechanisms (e.g | |
| ISM-0846 | E8-AH-ML2.8 requires enforcement that prevents PDF software from creating child processes | |
| ISM-1824 | E8-AH-ML2.8 requires a technical enforcement that prevents PDF software from spawning child processes | |
| Related (1) | | |
| ISM-1670 | E8-AH-ML2.8 requires that PDF software is blocked from creating child processes to prevent PDFs launching other executables | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.