The ESA Activity Monitoring rules for monitoring changes to root CA certificates are vast limits vendor rules. They are stored in the configuration file uberAgent-ESA-am-vastlimits.conf.

The rules detect certificate chain cloning and cloned root trust attacks by monitoring writes to user and machine registry keys. For details, check the following rules:

• Detect AuthRoot, CA and Root certificate changes per machine
• Detect AuthRoot, CA and Root certificate changes per user