packaged as an InstallShield installer

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: packaged as an InstallShield installer
    namespace: executable/installer/installshield
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: file
      dynamic: file
  features:
    - or:
      # AppHelp has an export ApphelpCheckInstallShieldPackage,
      # which we want to avoid FP'ing on,
      # so do an exact match for this string.
      # ok to relax if there are counterexamples.
      - string: "InstallShield"

last edited: 2023-11-24 10:34:28