MS Office & Acrobat Reader Monitoring

The ESA Activity Monitoring rules for Microsoft Office and Adobe Acrobat Reader are vendor rules provided by vast limits. They are stored in the configuration file uberAgent-ESA-am-vastlimits.conf.

Microsoft Office Rules

The rules in this section detect suspicious behavior involving Microsoft Office applications.

  • Detect child processes of Microsoft Office applications (dedicated rules for scripts and other types of child processes)
  • Detect Microsoft Office download operations
  • Detect Microsoft Office applications executing macros that access WMI to create child processes
  • Suspicious DLL load by Office
  • Detect loading of MAPI DLLs from processes other than Outlook

Adobe Acrobat Reader Rules

The rules in this section detect suspicious behavior involving Adobe Acrobat Reader.

  • Detect child processes of Adobe Reader
