Safe PDF viewers.

[Andy Ful]

Post updated.

Advanced users can configure Windows to open PDF documents only in AppContainer, and only from selected folders on NTFS disk (Windows and Program Files folders are hardcoded by default). This can be done by using Wsudo tool (from Privexec) and Sumatra PDF.
https://github.com/M2Team/Privexec/releases/tag/4.4.1

Sumatra PDF reader download page

1. Download Sumatra PDF installer and install it in "Program Files" folder (use Options button to change the default installation path). Choose Sumatra PDF as a default application to open PDF files.
2. Copy the wsudo.exe (part of Privexec tool) to the Sumtra installation folder (C:\Program Files\SumatraPDF).
3. Edit the registry Default value under the key:
   HKEY_CLASSES_ROOT\Applications\SumatraPDF.exe\Shell\Open\Command
   and replace its data with a path to Wsudo which executes SumatraPDF.
   

   "C:\Program Files\SumatraPDF\wsudo.exe" -u appcontainer "C:\Program Files\SumatraPDF\SumatraPDF.exe" "%1" %*

4. Create the folder where you want to keep unsafe PDF files - I have chosen "D:\MyUnsafeDocuments". Use Icacls to give the "Modify" access of the AppContainer SID to this folder:
   

   icacls "D:\MyUnsafeDocuments" /grant *S-1-15-2-3622619446-392274758-2533929289-2204876399-3375125215-4247762128-2478433618:(OI)(CI)(M) /T

   The SID may differ on another computer (probably). See Edit2 for details.
5. Right mouse click on any PDF file choose Open with >> Choose another application >> select Windows sudo utility and tick "Always open files ....". This will make Wsudo+Sumatra the default application to open PDF files.

Now, by clicking on the PDF file it will be opened only if located in D:\MyUnsafeDocuments, and always in AppContainer.
Of course, it is possible to use right-click "Open with" option and choose another PDF viewer to open any PDF file from any location.

Edit1.
It seems that Wsudo AppContainer has built-in access to "Windows" and "Program Files" folders. I can open documents from there without applying Icacls.

Edit2.
The SID of AppContainer can be found by opening CMD or PowerShell console and executing any file via Wsudo, for example:

Path2Wsudo\wsudo.exe -u appcontainer notepad

 

[robboman]

I have been using sumatrapdf for years, it's great very lightweight and stable.

 

[Andy Ful]

I let norton scan all documents that I downloaded, so is that safe if I just use chrome to open pdfs on windows?

In the case of PDF files is not possible to see what will happen before opening them. If the PDF infected some people then Norton can detect it by signature. Using Chrome for occasional PDF viewing is OK, but this is not a super safe method.

 

[Andy Ful]

peterfat111, robboman​

The problem with SodaPDF and SumatraPDF is that they use open-source DLLs that sometimes are not patched for a long time. In the case of one SumatraPDF vulnerability, the exploit was used in the wild. Of course, the chance to be infected by this exploit was minimal in the Home environment. Exploits in the wild are usually related to the most popular applications.

Technically, the design of SodaPDF and SumatraPDF is not safe because they do not use sandboxing. One can probably make them safer by disabling JavaScript in PDFs and applying some Exploit Protection mitigations available in Windows 10. SumatraPDF can also disable Internet access.

 

[Andy Ful]

I updated the OP.

Pros
Xodo can open safely MS Office documents (*.docx, *.xlsx, *.pptx are converted to PDF) . No active content after conversion to PDF (checked on my testing documents with macros and OLE). The conversion does not use the Internet.

Cons
It is not possible to block hyperlinks, so after clicking one of them the website is opened in the web browser (not good if malicious).

 

[Andy Ful]

Sumatra PDF has extra settings for restricted use:

A restricted mode is useful if you want to use SumatraPDF as a bundled viewer for your program's documentation or in kiosk mode
In restricted mode some actions that are not appropriate in such context are disabled:

• opening new files
• launching URLs from with PDF document
• text and image selection
• printing
• changing default settings
• saving to disk
• automatic and manual update checks
• a history of recently opened files
• TeX preview support
• registering as a default PDF viewer
• opening with Adobe Acrobat
• e-mailing PDF

To restrict SumatraPDF put file sumatrapdfrestrict.ini in the same directory where SumatraPDF.exe is.

https://www.sumatrapdfreader.org/docs/Configure-SumatraPDF-for-restricted-use
https://github.com/sumatrapdfreader/sumatrapdf/blob/master/docs/sumatrapdfrestrict.ini

 

[jackuars]

You may restrict any PDF Viewer from accessing the internet and you will be safer.

I use Foxit Reader & WPS Office PDF Viewer.

 

[Andy Ful]

You may restrict any PDF Viewer from accessing the internet and you will be safer.

This will not work as well as you think. If you click on a hyperlink in the PDF document, then PDF viewer does not use the Intenet but simply the call is redirected to your default web browser. This cannot be also blocked by blocking child processes for the PDF viewer. Blocking Internet access to the PDF viewer can help when the viewer is exploited and the malicious code runs in the memory of this viewer to download the payload from the Internet. But, this will not help if the payload is embedded in the PDF document.

Another thing is that we really do not know how many Adobe Reader's vulnerabilities are present in other PDF readers. All these applications deal with the same PDF documents so some vulnerabilities may be shared. We only suspect that the differences between Adobe Reader and other PDF viewers can efficiently reduce the number of shared vulnerabilities, but there is no information on how efficient this can be.
One can argue that it would be hard to find people who use Foxit Reader and were infected via PDFs, but this can follow as well from the fact that many more people use Adobe Reader.

 

[Freki123]

I go with a sandboxied Foxitreader with tweaked settings for both. Nobody cares about a niche second sandbox (yes its overkill).
Under trust manager (in Foxit) you can deny pdf all internet acess (no clue if it would stop exploits)

 

[Andy Ful]

There is a way to block opening Internet hyperlinks in any document. This will also work for other applications (like email clients) that use the web browser to open hyperlinks. This can significantly reduce the infection rate on the computers of casual users.

1. Install 3rd party web browser - I will use Opera as an example.
2. Make it a default application for web browsing.
3. Use Exploit Protection to activate ACG mitigation for file name opera.exe. The executable that is used can be found out via Task Manager (when the web browser is running).

That is all. If you will press the Internet hyperlink in the document, then Windows will try to open it in Opera. The exploit mitigation will block Opera.
It is worth mentioning that Opera must be blocked by file name (opera.exe) and not by full file path (like C:\Program Files\Opera\78.0.4093.184\opera.exe). Blocking by full path will not work after the next Opera update. If one would like to block it by a full path, then the updating of this particular web browser has to be blocked as well.

Edit.
Blocking the default web browser is super safe but may be inconvenient for normal users (like MT members). For example, many applications can use the default web browser to display help files, tutorials, etc.

 

[Andy Ful]

I go with a sandboxied Foxitreader with tweaked settings for both. Nobody cares about a niche second sandbox (yes its overkill).

Using sandbox for unsandboxed document viewers is not overkill.
Using additional sandbox for Google Chrome or Edge would be probably overkill.