Acrobat Reader DC works with creating/deleting temp files while the end-user is opening files that may inadvertently trigger Triofox's Ransomware protection feature when it is enabled. This may cause false triggers, and when there is a lower value defined for the "Disable a device if the device changes more than n files in 10 minutes" setting, it can lead the user to be locked off their device until the tenant/cluster Administrator re-enables the device for access.
To circumvent this behavior, define the acrobat.exe process on the "Ignore the following processes when applying the above policy (i.e. qbw32.exe; excel.exe)" setting as such: (please use all lower cases for the process name here)
Since the settings on the Windows Client are queried from the server during client startup, the Windows Client will need to be restarted for it to pull the new configuration.