MS Office & Acrobat Reader Monitoring
The ESA Activity Monitoring rules for monitoring Microsoft Office and Adobe Acrobat Reader are vendor rules provided by vast limits. They are stored in the configuration file
The rules in this section detect suspicious behavior with MS Office applications.
- Detect macro execution with the default Office security configuration applied (“disable all macros with notification”)
- Detect child processes of Microsoft Office applications (dedicated rules for scripts and other types of child processes)
- Detect Microsoft Office download operations
- Detect Microsoft Office applications executing macros that access WMI to create child processes
- Detect suspicious DLL loads by Office
- Detect loading of MAPI DLLs from processes other than Outlook
The rules in this section detect suspicious behavior with Adobe Acrobat Reader.
- Detect child processes of Adobe Reader
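
The parent/child and MAPI DLL-load checks listed above can be sketched over process telemetry as follows. This is an added example, not the vendor's rule syntax or the shipped rules; the event fields, process lists, MAPI DLL names and the same-image exclusion are assumptions.

```python
# Added illustration only: not vendor rule syntax. Event fields, process
# lists and DLL names below are assumptions made for this example.
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
READER = {"acrord32.exe", "acrobat.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MAPI_DLLS = {"mapi32.dll", "olmapi32.dll"}

def exe(path):
    return basename(path).lower()

def classify(ev):
    """Return a rule label for one event dict, or None if nothing matches."""
    if ev["type"] == "process_start":
        parent, child = exe(ev["parent"]), exe(ev["image"])
        if parent == child:
            return None  # assumed exclusion: an application relaunching itself
        if parent in OFFICE:
            return "office_child_script" if child in SCRIPT_HOSTS else "office_child_other"
        if parent in READER:
            return "reader_child"
    elif ev["type"] == "image_load":
        if exe(ev["dll"]) in MAPI_DLLS and exe(ev["image"]) != "outlook.exe":
            return "mapi_load_non_outlook"
    return None

OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
READER_EXE = r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
SYS32 = r"C:\Windows\System32"

# Constructed sample events, not real telemetry.
SAMPLE = [
    {"type": "process_start", "parent": OFFICE_DIR + r"\WINWORD.EXE",
     "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process_start", "parent": OFFICE_DIR + r"\EXCEL.EXE",
     "image": SYS32 + r"\rundll32.exe"},
    {"type": "process_start", "parent": READER_EXE, "image": READER_EXE},
    {"type": "process_start", "parent": READER_EXE, "image": SYS32 + r"\cmd.exe"},
    {"type": "image_load", "image": OFFICE_DIR + r"\OUTLOOK.EXE",
     "dll": SYS32 + r"\mapi32.dll"},
    {"type": "image_load", "image": r"C:\Users\Public\updater.exe",
     "dll": SYS32 + r"\MAPI32.DLL"},
    {"type": "process_start", "parent": r"C:\Windows\explorer.exe",
     "image": OFFICE_DIR + r"\WINWORD.EXE"},
]

def run(events):
    return [classify(e) for e in events]
```

Script interpreters get their own label, mirroring the dedicated rules for scripts and for other child process types.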