SetupProd_OffScrub.exe
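rule Suspicious_OffScrub_Impersonation
{
    meta:
        description = "Detects unsigned or misnamed SetupProd_OffScrub.exe"
    strings:
        // Publisher name string; its absence is a heuristic, not an Authenticode check
        $sig = "Microsoft Corporation" wide ascii
    condition:
        // filename is an external variable the scanner must define (e.g. yara -d filename=...)
        filename matches /^SetupProd_OffScrub\.exe$/i and not $sig
}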
Use cases include:
Unlike the standard Control Panel uninstaller, this tool targets residual files like templates (e.g., NORMAL.DOTM) and deep registry keys.


