ISM-1670 ASD Information Security Manual (ISM)

Prevent PDF Applications from Creating Child Processes

PDF software can't start other programs, stopping potential security threats.

Plain language

This control makes sure that PDF applications on your computer can't start other programs, which is important because hackers often try to trick these applications into doing dangerous things. Without this control, malicious PDFs could open up viruses that might damage your business or steal private information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 May 2026

E8 maturity levels

ML2, ML3

Official control statement

PDF applications are blocked from creating child processes.

Why it matters

If PDF apps create child processes, malware can exploit this to install malicious software, leading to data theft or operational disruptions.

Operational notes

Confirm application control rules block PDF apps spawning child processes; test with a sample PDF and review exceptions after PDF reader updates.

Implementation tips

  • IT team should configure PDF applications to prevent them from launching other processes: They can do this by adjusting the settings within the PDF software to block any external process execution. This usually involves changing a setting in the application's preferences or settings panel.
  • Managers should ensure all staff know why PDF security settings are important: Hold a brief meeting to explain that the settings help protect against malicious attacks that can occur through PDFs. Use examples of how these attacks can impact the business to make it relatable.
  • Procurement should verify that any new PDF software complies with this control: When purchasing new software, ensure it supports preventing child processes. Check the software’s documentation or contact the vendor for verification.
  • System owners should schedule regular audits of PDF application settings: Set up a routine check, perhaps quarterly, where the IT team reviews the settings to ensure the control remains in place and is effective.
  • HR should include PDF security settings in onboarding training: Incorporate information on safe PDF use and the importance of settings that restrict child processes into the training for new employees.

Audit / evidence tips

  • Ask: The configuration settings documentation of PDF applications: Request a report or screenshot showing these settings. Good: Shows settings that explicitly disable the launch of other processes
  • Ask: Staff training records related to PDF security: Request to see any records or materials used in staff training sessions. Good: Is a dated training record mentioning PDF controls
  • Ask: To see procurement criteria for PDF software: Request the checklist or document used during procurement of PDF applications. Good: Is a document showing these criteria were considered
  • Ask: Audit reports of PDF application settings: Request past reports on the security audits for PDF software settings. Good: Includes a report showing regular reviews with confirmations
  • Ask: Evidence of communication with software vendors: Request any emails or support tickets where vendors were asked about child process prevention features. Good: Includes vendor confirmations on compatibility with the control

Cross-framework mappings

How ISM-1670 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Control Notes Details
Partially overlaps (2)
E8-AH-ML2.2 E8-AH-ML2.2 requires blocking Microsoft Office from creating child processes to prevent Office-originated process spawning
E8-AH-ML2.4 ISM-1670 requires blocking PDF applications from creating child processes, limiting a common execution technique used by malicious PDFs
Supports (2)
E8-AH-ML2.9 E8-AH-ML2.9 mandates hardening of PDF software using ASD and vendor guidance to reduce exploitation risk
E8-AH-ML2.10 ISM-1670 requires the specific control that PDF applications cannot create child processes
Related (1)
E8-AH-ML2.8 E8-AH-ML2.8 requires that PDF software is blocked from creating child processes to prevent PDFs launching other executables

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
