
Summary
This detection rule monitors execution of the TAP installer (`tapinstall.exe`), a component shipped with VPN software such as OpenVPN, Avast SecureLine VPN, and ProtonVPN. The rule aims to identify malicious attempts to install TAP drivers, which can be used to set up tunnels that facilitate unauthorized data exfiltration. The detection logic triggers on any execution of `tapinstall.exe` unless the process image originates from a known legitimate installation, i.e. it matches the specified file paths for Avast or OpenVPN software. The rule is of medium severity because, while TAP installers are often used legitimately, they can also indicate attempts to bypass security controls. Alerts therefore warrant careful review and correlation with other indicators of compromise (IOCs) to determine whether the installation event is legitimate.
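The selection-and-filter logic described above, run over a handful of constructed process-creation events, as an added example that is not the rule's own code. The page does not list the exact Avast and OpenVPN filter paths, so the directories in `LEGITIMATE_INSTALL_DIRS` are assumed placeholders for whatever the real rule excludes; the event shape, function names and sample events are likewise constructed here for illustration.

```python
# Added example (not the original rule's code): the tapinstall.exe detection
# logic described on the page, applied to constructed process-creation events.
from dataclasses import dataclass
from typing import Iterable, List

# ASSUMPTION: the page does not reproduce the rule's filter paths. These stand in
# for the legitimate Avast SecureLine VPN and OpenVPN install directories.
LEGITIMATE_INSTALL_DIRS = (
    r"C:\Program Files\Avast Software\SecureLine VPN",
    r"C:\Program Files (x86)\Avast Software\SecureLine VPN",
    r"C:\Program Files\OpenVPN",
    r"C:\Program Files (x86)\OpenVPN",
)

TARGET_IMAGE_NAME = "tapinstall.exe"


@dataclass(frozen=True)
class ProcessCreation:
    """Minimal process-creation event (Sysmon Event ID 1 / Security 4688 style)."""
    image: str          # full path of the executable that started
    command_line: str   # command line, kept as triage context for the analyst


def _normalize(path: str) -> str:
    """Fold case and path separators so comparisons are stable across log sources."""
    return path.replace("/", "\\").lower()


def _under_directory(image: str, directory: str) -> bool:
    """True if image lies inside directory at a real path boundary, not a bare prefix.

    Requiring the trailing separator means a sibling directory such as
    'C:\\Program Files\\OpenVPNx' does not satisfy the OpenVPN filter.
    """
    prefix = _normalize(directory).rstrip("\\") + "\\"
    return _normalize(image).startswith(prefix)


def is_tapinstall(image: str) -> bool:
    """Selection clause: the image's file name is tapinstall.exe (case-insensitive)."""
    return _normalize(image).rsplit("\\", 1)[-1] == TARGET_IMAGE_NAME


def matches_rule(event: ProcessCreation) -> bool:
    """Selection: image is tapinstall.exe. Filter: image under a known VPN install dir."""
    if not is_tapinstall(event.image):
        return False
    return not any(_under_directory(event.image, d) for d in LEGITIMATE_INSTALL_DIRS)


def evaluate(events: Iterable[ProcessCreation]) -> List[ProcessCreation]:
    """Return the events that would raise the medium-severity alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # legitimate OpenVPN install location: filtered out
    ProcessCreation(r"C:\Program Files\OpenVPN\bin\tapinstall.exe", "tapinstall.exe install"),
    # legitimate Avast location, logged in lower case: filtered out
    ProcessCreation(r"c:\program files\avast software\secureline vpn\tapinstall.exe",
                    "tapinstall.exe install"),
    # user-writable location: alert
    ProcessCreation(r"C:\Users\Public\Downloads\tapinstall.exe", "tapinstall.exe install"),
    # look-alike sibling directory, not the OpenVPN install dir: alert
    ProcessCreation(r"C:\Program Files\OpenVPNx\tapinstall.exe", "tapinstall.exe install"),
    # unrelated process: not selected at all
    ProcessCreation(r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT: tapinstall.exe outside known VPN install directory:", hit.image)
```

When tuning the filter for your own environment, add only the directories your deployed VPN products actually install to, and keep the directory-boundary check: a filter that merely tests for a substring of the path is satisfied by any path that happens to contain it.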
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2019-10-24