The hypothesis is that this detection identifies a host on which an InstallRex / AntiFW installer binary is present or being executed. The rule's PUP_ prefix marks InstallRex as a potentially unwanted program installer rather than a confirmed implant, and the AntiFW name suggests firewall-evasion behavior, but the rule below keys only on loader strings (TSULoader.exe, TSU.DLL), so a hit is evidence that the installer stub is on disk or in memory, not proof of a firewall bypass or of persistence. A SOC team should proactively hunt for this behavior in Azure Sentinel, using the file-scan alerts produced by whichever endpoint tool runs the rule, and investigate what the installer dropped or executed rather than treating the stub itself as the end of the story.
YARA Rule
rule PUP_InstallRex_AntiFWb {
    meta:
        description = "Malware InstallRex / AntiFW"
        author = "Florian Roth"
        date = "2015-05-13"
        hash = "bb5607cd2ee51f039f60e32cf7edc4e21a2d95cd"
        score = 65
    strings:
        $s4 = "Error %u while loading TSU.DLL %ls" fullword ascii
        $s7 = "GetModuleFileName() failed => %u" fullword ascii
        $s8 = "TSULoader.exe" fullword wide
        $s15 = "\\StringFileInfo\\%04x%04x\\Arguments" fullword wide
        $s17 = "Tsu%08lX.dll" fullword wide
    condition:
        uint16(0) == 0x5a4d and all of them
}
This YARA rule can be deployed in any file-scanning context (on-disk scans, memory dumps, mail or download gateways) because it keys on file content rather than on process telemetry.
This rule contains 5 string patterns in its detection logic, and the condition requires all of them together with the MZ header check at offset 0 (uint16(0) == 0x5a4d), so it fires only on PE files that carry every one of the five strings; two of them are ascii and three are wide (UTF-16LE), and all five are fullword, meaning they must not be immediately preceded or followed by an alphanumeric character.
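To make the condition concrete, the following is an added Python re-implementation of the rule's matching logic; it is not part of the original page and not the YARA project's code, and its fullword handling is this example's approximation of YARA's semantics (production scanning should use yara / yara-python). It embeds the five strings from the rule in a constructed byte blob, laid out NUL-terminated the way a compiler emits them, and then evaluates the MZ check and the ascii/wide fullword matches. The helper names, the blob builder and the sample data are this example's own assumptions.

```python
# Added example: minimal re-implementation of the PUP_InstallRex_AntiFWb
# condition in plain Python, so the effect of "fullword", "ascii", "wide" and
# the uint16(0) header check can be seen on constructed input. Illustration
# only; production scanning should use yara / yara-python.
from typing import List

# The five strings from the rule, with their modifiers. YARA source escapes
# backslashes ("\\"), so the bytes actually matched contain single backslashes;
# a Python raw string reproduces that.
RULE_STRINGS = [
    ("$s4",  "Error %u while loading TSU.DLL %ls", "ascii"),
    ("$s7",  "GetModuleFileName() failed => %u",   "ascii"),
    ("$s8",  "TSULoader.exe",                       "wide"),
    ("$s15", r"\StringFileInfo\%04x%04x\Arguments", "wide"),
    ("$s17", "Tsu%08lX.dll",                        "wide"),
]


def _is_alnum_byte(b: int) -> bool:
    return 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def _alnum_unit(unit: bytes, width: int) -> bool:
    """True if the byte unit next to a match is an alphanumeric character.
    ascii (width 1): the byte itself; wide (width 2): alnum byte followed by 0x00."""
    if len(unit) < width:
        return False  # start or end of buffer counts as a word boundary
    if width == 1:
        return _is_alnum_byte(unit[0])
    return _is_alnum_byte(unit[0]) and unit[1] == 0


def find_fullword(data: bytes, text: str, mode: str) -> List[int]:
    """Offsets where `text` occurs as a full word (approximating YARA's fullword:
    no alphanumeric character immediately before or after the match)."""
    if mode == "ascii":
        pat, width = text.encode("ascii"), 1
    elif mode == "wide":
        pat, width = text.encode("utf-16-le"), 2   # YARA "wide" means UTF-16LE
    else:
        raise ValueError(mode)
    hits, pos = [], 0
    while True:
        i = data.find(pat, pos)
        if i < 0:
            break
        pos = i + 1
        before = data[i - width:i] if i >= width else b""
        after = data[i + len(pat):i + len(pat) + width]
        if not _alnum_unit(before, width) and not _alnum_unit(after, width):
            hits.append(i)
    return hits


def rule_matches(data: bytes) -> dict:
    """Evaluate the rule condition: uint16(0) == 0x5a4d and all of them."""
    is_mz = data[:2] == b"MZ"   # 0x5a4d little-endian at offset 0 is b"MZ"
    strings = {name: find_fullword(data, text, mode) for name, text, mode in RULE_STRINGS}
    return {"mz": is_mz, "strings": strings, "match": is_mz and all(strings.values())}


def build_sample(include_all: bool = True, mz: bool = True) -> bytes:
    """Constructed test blob (not a real PE): a two-byte header, filler, and the
    rule strings laid out NUL-terminated as a compiler would emit them."""
    parts = [b"MZ" if mz else b"ZM", b"\x90" * 62]
    for name, text, mode in RULE_STRINGS:
        if not include_all and name == "$s17":
            continue  # drop one string to show that "all of them" fails
        if mode == "ascii":
            parts.append(text.encode("ascii") + b"\x00")
        else:
            parts.append(text.encode("utf-16-le") + b"\x00\x00")
        parts.append(b"\x00" * 4)
    return b"".join(parts)


if __name__ == "__main__":
    for label, blob in [("complete", build_sample()),
                        ("missing $s17", build_sample(include_all=False)),
                        ("no MZ header", build_sample(mz=False))]:
        r = rule_matches(blob)
        print(f"{label:13s} mz={r['mz']} "
              f"matched={[n for n, h in r['strings'].items() if h]} -> {r['match']}")
```

The three constructed blobs show the rule's two ways of not firing: a file that has every string but no MZ header, and a PE that has the header but lacks any one of the five strings. The wide boundary check is the part worth noticing when tuning: "TSULoader.exe" followed by a wide "x" is not a match, so a sample that embeds the loader name inside a longer identifier slips past fullword.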
The false-positive scenarios below are phrased in terms of process telemetry, but the rule itself matches file content (MZ header plus all five strings) and knows nothing about process ancestry. When a hit is tuned out, anchor the exclusion on the flagged file (path, Authenticode signer, or hash, compared against the rule's reference sample bb5607cd2ee51f039f60e32cf7edc4e21a2d95cd) rather than on a process name alone: process names and parents are trivially spoofed, and a process-only exclusion would also suppress a real InstallRex drop launched the same way.
Scenario: Scheduled System Maintenance Task
Description: A scheduled cleanup or patching task runs a third-party installer that carries the InstallRex stub and is flagged by the rule.
Filter/Exclusion: process.parent_process == "Task Scheduler" or process.name == "schtasks.exe", narrowed to the task's known installer path; verify the installer's signer and hash before excluding it.
Scenario: Admin Installing a Firewall-Management or Network-Monitoring Tool
Description: An administrator installs a third-party firewall-management or network-monitoring tool whose installer triggers the rule. (Windows Defender Firewall is a built-in Windows component rather than a separately installed anti-firewall tool, so it is not an instance of this scenario.)
Filter/Exclusion: process.name == "setup.exe" or process.parent_process == "explorer.exe" with user context matching a known admin account, combined with a match on the vendor's Authenticode signature; "setup.exe" on its own is far too broad to exclude.
Scenario: Software Deployment via Group Policy
Description: A Group Policy software deployment installs an enterprise package whose installer is flagged as suspicious.
Filter/Exclusion: process.parent_process == "gpupdate.exe" or process.name == "msiexec.exe" with a known software deployment path (the share the GPO deploys from) and a verified package signer.
Scenario: PowerShell Script for User Account Management
Description: An administrative PowerShell script that also manages users or groups launches an installer that is flagged.
Filter/Exclusion: process.name == "powershell.exe" with command line containing *-User or *-Group and user context matching a known admin, restricted further to the script's known path, because *-User and *-Group cmdlet names appear in a great deal of unrelated administrative activity.
Scenario: Legitimate Security Tool Installation
Description: A commercial security product installer (e.g., Malwarebytes, Bitdefender) carries strings that trip the rule during installation.
Filter/Exclusion: process.name == "Malwarebytes.exe" or process.name == "bitdefender.exe", confirmed by the vendor's Authenticode signature on the flagged file itself; never exclude on the process name alone, and compare the file's hash against the rule's reference sample before closing the alert.