I'm pretty sure this is just a couple of bugg in the signature logic, unless I'm misunderstanding the intent of the signature.
1) the loop was continuing ONLY IF the process name was in the list of whitelist_proc
2) there were two whitelist regexes for AcroRd64.exe and none for AcroRd32.exe
I'm pretty sure this is just a couple of bugg in the signature logic, unless I'm misunderstanding the intent of the signature.
1) the loop was continuing ONLY IF the process name was in the list of whitelist_proc 2) there were two whitelist regexes for AcroRd64.exe and none for AcroRd32.exe