
Summary
This detection rule identifies uncommon processes loading 'vsstrace.dll', the tracing library that ships with the Volume Shadow Copy Service (VSS) and is pulled in by programs that interact with VSS. A load of this DLL by a process that does not normally work with shadow copies can indicate that the process is enumerating, creating or deleting shadow copies, for example to destroy restore points before data is encrypted or to read credential material out of a snapshot. To reduce false positives, the rule filters out loads by common Windows executables such as 'explorer.exe' and 'SystemSettings.exe'. The detection logic is therefore a selection on the DLL path suffix ('\vsstrace.dll') combined with a condition that the loading process is not one of the allowlisted applications. One caveat when tuning: if the allowlist is matched on the executable name alone, a binary dropped elsewhere under an allowlisted name (a look-alike 'explorer.exe' in a user-writable directory) would also be suppressed, so filtered images should be checked against their expected system paths. The rule is classified under defense evasion and is a useful signal for shadow-copy abuse in Windows environments.
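The following is an added example, not the rule's own logic or any project code: a small evaluator that runs the selection-and-filter logic described above over constructed Sysmon Event ID 7-style records. The allowlist is an assumption containing only the two names the summary quotes, and the 'strict' variant (which additionally requires allowlisted binaries to reside under C:\Windows\) is an extension added here to illustrate the name-only caveat, not part of the rule.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Selection: the loaded DLL path must end with this suffix.
TARGET_DLL_SUFFIX = "\\vsstrace.dll"

# Assumed allowlist: only the two names the summary quotes. The real rule's
# filter list is longer; extend it from the rule itself, not from here.
ALLOWLISTED_IMAGES = ("\\explorer.exe", "\\systemsettings.exe")

# Assumed trusted location for allowlisted binaries (strict variant only).
WINDOWS_DIR_PREFIX = "c:\\windows\\"


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str         # Sysmon EID 7 "Image": the process that loaded the DLL
    image_loaded: str  # Sysmon EID 7 "ImageLoaded": full path of the loaded DLL


def _norm(path: str) -> str:
    # Sigma string matching is case-insensitive; normalize once.
    return path.lower()


def selection(event: ImageLoadEvent) -> bool:
    """Selection clause: the loaded image is vsstrace.dll."""
    return _norm(event.image_loaded).endswith(TARGET_DLL_SUFFIX)


def filtered_by_allowlist(event: ImageLoadEvent) -> bool:
    """Filter clause: the loading process name is on the allowlist."""
    image = _norm(event.image)
    return any(image.endswith(name) for name in ALLOWLISTED_IMAGES)


def matches(event: ImageLoadEvent) -> bool:
    """The rule as summarized: selection AND NOT filter."""
    return selection(event) and not filtered_by_allowlist(event)


def matches_strict(event: ImageLoadEvent) -> bool:
    """Hardened variant (added here, not from the rule): an allowlisted name
    only suppresses the alert when the binary also lives under C:\\Windows\\,
    so a look-alike such as C:\\Users\\Public\\explorer.exe still alerts."""
    if not selection(event):
        return False
    trusted = (filtered_by_allowlist(event)
               and _norm(event.image).startswith(WINDOWS_DIR_PREFIX))
    return not trusted


def alerting_images(events: Iterable[ImageLoadEvent], strict: bool = False) -> List[str]:
    """Return the Image paths of all events that would raise an alert."""
    check = matches_strict if strict else matches
    return [e.image for e in events if check(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Windows\explorer.exe",
                   r"C:\Windows\System32\vsstrace.dll"),
    ImageLoadEvent(r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
                   r"C:\Windows\System32\vsstrace.dll"),
    ImageLoadEvent(r"C:\Users\Public\update.exe",
                   r"C:\Windows\System32\VSSTRACE.DLL"),   # mixed case on purpose
    ImageLoadEvent(r"C:\Users\Public\explorer.exe",        # look-alike name
                   r"C:\Windows\System32\vsstrace.dll"),
    ImageLoadEvent(r"C:\Windows\System32\svchost.exe",
                   r"C:\Windows\System32\vss_ps.dll"),     # different VSS DLL
]

if __name__ == "__main__":
    print("rule as summarized:", alerting_images(SAMPLE_EVENTS))
    print("strict variant:    ", alerting_images(SAMPLE_EVENTS, strict=True))
```

With the constructed events, the rule as summarized alerts only on 'C:\Users\Public\update.exe'; the look-alike 'C:\Users\Public\explorer.exe' is silently filtered by the name-based allowlist and only surfaces under the strict variant, which is the gap the caveat above refers to.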
Categories
- Windows
- Endpoint
Data Sources
- Image (image load events, e.g. Sysmon Event ID 7)
Created: 2023-02-17