
Summary
This rule detects the execution of an AnyDesk application binary with a version prior to 8.0.8, the releases that were signed with a certificate later found to be compromised. The detection matters because a compromised code-signing certificate lets threat actors sign malicious binaries that pass standard signature-based checks. The rule matches on characteristics of the created process, namely the image name, file description, product information and company name, combined with file version checks for the affected versions. Its purpose is to alert organizations when a potentially risky AnyDesk build is executed, reducing the risk of unauthorized remote access by attackers abusing the compromised software. Users who install or keep older versions also increase their exposure, which is why this detection is a valuable part of endpoint monitoring.
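As an added illustration, not the rule's own code or anything taken from the page, the following Python applies the same matching logic to constructed Sysmon-style process-creation events. The field names (Image, Description, Product, Company, FileVersion), the AnyDesk metadata strings and the sample events are assumptions; a production rule would be written in its detection platform's syntax.

```python
import re
from typing import Dict, List, Tuple

# Versions below this were signed with the compromised certificate (per the rule summary).
FIXED_VERSION: Tuple[int, ...] = (8, 0, 8)

# Assumed PE metadata values for AnyDesk; adjust to what your own telemetry shows.
ANYDESK_COMPANY = "AnyDesk Software GmbH"
ANYDESK_NAMES = {"AnyDesk"}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.0.7' or '7.1.11.0' into an int tuple so 8.0.10 compares above 8.0.8."""
    return tuple(int(n) for n in re.findall(r"\d+", text or ""))

def looks_like_anydesk(ev: Dict[str, str]) -> bool:
    """Match on image name OR embedded metadata, so a renamed binary is still caught."""
    image = ev.get("Image", "").lower()
    return (image.endswith("\\anydesk.exe")
            or ev.get("Description") in ANYDESK_NAMES
            or ev.get("Product") in ANYDESK_NAMES
            or ev.get("Company") == ANYDESK_COMPANY)

def is_pre_fix_version(ev: Dict[str, str]) -> bool:
    """True only when a file version is present and numerically below 8.0.8."""
    version = parse_version(ev.get("FileVersion", ""))
    return bool(version) and version < FIXED_VERSION

def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the process-creation events that trigger the rule."""
    return [ev for ev in events if looks_like_anydesk(ev) and is_pre_fix_version(ev)]

# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "Description": "AnyDesk",
     "Product": "AnyDesk", "Company": ANYDESK_COMPANY, "FileVersion": "8.0.7"},   # hit
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "Description": "AnyDesk",
     "Product": "AnyDesk", "Company": ANYDESK_COMPANY, "FileVersion": "8.0.8"},   # fixed
    {"Image": r"C:\Users\alice\Downloads\update.exe", "Description": "AnyDesk",
     "Product": "AnyDesk", "Company": ANYDESK_COMPANY, "FileVersion": "7.0.14"},  # renamed, hit
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "Description": "AnyDesk",
     "Product": "AnyDesk", "Company": ANYDESK_COMPANY, "FileVersion": "8.0.10"},  # newer
    {"Image": r"C:\Windows\System32\notepad.exe", "Description": "Notepad",
     "Product": "Microsoft Windows", "Company": "Microsoft Corporation", "FileVersion": "8.0.1"},
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print("ALERT: pre-8.0.8 AnyDesk executed:", ev["Image"], ev["FileVersion"])
```

The numeric comparison is the part worth copying: a plain string comparison ranks "8.0.10" below "8.0.8" and would raise a false positive on every newer build.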
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2024-02-08