MS Office & Acrobat Reader Monitoring
The ESA Activity Monitoring rules for Microsoft Office and Adobe Acrobat Reader are vendor rules maintained by vast limits. They are stored in the configuration file uberAgent-ESA-am-vastlimits.conf.
Microsoft Office Rules
The rules in this section detect suspicious behavior with MS Office applications.
- Detect macro execution with the default Office security configuration applied (“disable all macros with notification”)
- Detect child processes of Microsoft Office applications (dedicated rules for scripts and other types of child processes)
- Detect Microsoft Office download operations
- Detect Microsoft Office applications executing macros that access WMI to create child processes
- Detect suspicious DLL loads by Microsoft Office applications
- Detect loading of MAPI DLLs from processes other than Outlook
Adobe Acrobat Reader Rules
The rules in this section detect suspicious behavior with Adobe Acrobat Reader.
- Detect child processes of Adobe Reader
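The parent/child and DLL-load checks behind the Office child-process, Adobe Reader child-process and MAPI-load rules above, as an added illustration in plain Python rather than uberAgent's own rule syntax (the process and DLL name lists, tag names and sample events are constructed here, not taken from the vendor configuration):

```python
# Added example, not uberAgent code: applies the detection logic described on
# this page to constructed process-start and image-load events.
from typing import Optional

# Assumed parent/child/DLL name sets (not the vendor's lists).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "msaccess.exe", "mspub.exe"}
READER_PARENTS = {"acrord32.exe", "acrobat.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
MAPI_DLLS = {"mapi32.dll", "olmapi32.dll"}


def classify_process_start(parent: str, child: str) -> Optional[str]:
    """Tag a process start whose parent is Office or Reader; None otherwise.
    Script hosts spawned by Office get their own tag, as the page's
    dedicated script rule does."""
    p, c = parent.lower(), child.lower()
    if p in OFFICE_PARENTS:
        return "office-script-child" if c in SCRIPT_HOSTS else "office-child"
    if p in READER_PARENTS:
        return "reader-child"
    return None


def classify_image_load(process: str, image: str) -> Optional[str]:
    """Tag a MAPI DLL load from any process other than Outlook."""
    if image.lower() in MAPI_DLLS and process.lower() != "outlook.exe":
        return "mapi-load-non-outlook"
    return None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_start", "parent": "WINWORD.EXE", "child": "powershell.exe"},
    {"type": "process_start", "parent": "excel.exe", "child": "calc.exe"},
    {"type": "process_start", "parent": "AcroRd32.exe", "child": "cmd.exe"},
    {"type": "process_start", "parent": "explorer.exe", "child": "winword.exe"},
    {"type": "image_load", "process": "rundll32.exe", "image": "MAPI32.dll"},
    {"type": "image_load", "process": "outlook.exe", "image": "mapi32.dll"},
]


def run_rules(events):
    """Return (tag, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "process_start":
            tag = classify_process_start(ev["parent"], ev["child"])
        else:
            tag = classify_image_load(ev["process"], ev["image"])
        if tag:
            hits.append((tag, ev))
    return hits


if __name__ == "__main__":
    for tag, ev in run_rules(SAMPLE_EVENTS):
        print(tag, ev)
```

Matching is case-insensitive because image names arrive in mixed case in real telemetry; the explorer.exe-launched Word start and the Outlook MAPI load are deliberately benign controls.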