
Summary
The rule 'PUA - CleanWipe Execution' detects execution of CleanWipe, the Symantec (Broadcom) removal tool used to uninstall Symantec Antivirus and Endpoint Protection products. In an intrusion the tool is a defense-evasion aid: an attacker who already holds local administrative rights can run it to strip antivirus protection from a host before proceeding with the rest of the operation. The detection logic consists of several process-creation selections keyed on executables that ship with CleanWipe, such as 'SepRemovalToolNative_x64.exe', 'CATClean.exe', 'NetInstaller.exe' and 'WFPUnins.exe', paired with command-line arguments that indicate an uninstall operation rather than, say, a help or status invocation. The rule fires when any one selection matches (a '1 of' condition), so a single uninstall-style invocation of any of these binaries is enough to raise an alert. Alerts should be investigated even when the activity looks routine: the rule's false-positive note lists legitimate administrative use, but a planned AV removal still warrants validation against a change record, because the same action in an unauthorized context is a strong indicator of impending malicious activity. The rule is categorized under defense evasion and mapped to MITRE ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools).
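The following is an added example, not the SigmaHQ rule file or any vendor's detection engine: a small Python evaluator that reproduces the selection structure described above (image name matched with endswith semantics, optional command-line substrings matched with contains semantics, and a '1 of selection_*' condition) and runs it over constructed process-creation events. The command-line tokens ('--uninstall', '-r', '/uninstall', '/enterprise') and the choice to give the SepRemovalToolNative selection no command-line constraint are assumptions standing in for the deployed rule's exact values; the selection names and sample events are likewise constructed for illustration.

```python
"""Evaluate 'PUA - CleanWipe Execution'-style selections over process-creation events.

Added example; not the SigmaHQ rule or a vendor implementation. Command-line
tokens below are ASSUMED placeholders for the real rule's arguments.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Selection:
    name: str
    image_suffix: str                 # Sigma 'Image|endswith' (case-insensitive on Windows)
    cmdline_contains: tuple = ()      # Sigma 'CommandLine|contains' list, any-of; empty = unconstrained


# ASSUMPTION: tokens are illustrative; check the deployed rule for the exact strings.
SELECTIONS = (
    Selection("selection_sepremoval", r"\SepRemovalToolNative_x64.exe"),            # image only (assumed)
    Selection("selection_catclean", r"\CATClean.exe", ("--uninstall",)),          # assumed token
    Selection("selection_netinstaller", r"\NetInstaller.exe", ("-r",)),           # assumed token
    Selection("selection_wfpunins", r"\WFPUnins.exe", ("/uninstall", "/enterprise")),  # assumed tokens
)


def selection_matches(sel: Selection, event: dict) -> bool:
    """True when the event satisfies every field constraint of one selection."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    # endswith on '\name.exe' requires the path separator, so 'NotCATClean.exe' does not match
    if not image.endswith(sel.image_suffix.lower()):
        return False
    if not sel.cmdline_contains:
        return True
    return any(tok.lower() in cmdline for tok in sel.cmdline_contains)


def evaluate(event: dict) -> list:
    """Names of matched selections; the rule fires when the list is non-empty ('1 of selection_*')."""
    return [s.name for s in SELECTIONS if selection_matches(s, event)]


def rule_fires(event: dict) -> bool:
    return bool(evaluate(event))


# Constructed sample events in Sysmon Event ID 1 / process_creation shape (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Temp\CleanWipe\SepRemovalToolNative_x64.exe",
     "CommandLine": r'"C:\Temp\CleanWipe\SepRemovalToolNative_x64.exe"'},
    {"id": 2, "Image": r"C:\Temp\CleanWipe\CATClean.exe",
     "CommandLine": "CATClean.exe --uninstall"},
    {"id": 3, "Image": r"C:\Temp\CleanWipe\CATClean.exe",
     "CommandLine": "CATClean.exe --help"},                  # right binary, no uninstall argument
    {"id": 4, "Image": r"C:\Temp\CleanWipe\WFPUnins.exe",
     "CommandLine": "WFPUnins.exe /enterprise"},
    {"id": 5, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},              # unrelated process
    {"id": 6, "Image": r"c:\temp\cleanwipe\catclean.EXE",
     "CommandLine": "catclean.EXE --UNINSTALL"},            # case differs, still matches
    {"id": 7, "Image": r"C:\Temp\NotCATClean.exe",
     "CommandLine": "NotCATClean.exe --uninstall"},         # suffix without separator: no match
]


def run_samples() -> dict:
    """Map each sample event id to the selections it matched."""
    return {e["id"]: evaluate(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for event_id, matched in run_samples().items():
        print(f"event {event_id}: {'ALERT' if matched else 'no match'} {matched}")
```

Two practical points fall out of running this. First, a Sigma endswith on '\name.exe' only matches at a path-separator boundary, so renaming the binary (a common evasion) defeats image-based selections entirely; the command-line terms are the only part of the rule that survives a rename, and only when they are present. Second, a very short contains token such as the assumed '-r' is matched by substring and will also hit arguments like '--reinstall', which is worth remembering when tuning the rule or triaging its hits.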
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2021-12-18