diff --git a/build.py b/build.py
index e5565d4..a81905a 100644
--- a/build.py
+++ b/build.py
@@ -5,7 +5,9 @@
 import tarfile
 from configparser import ConfigParser
 from os import environ, path
-from re import search, sub
+from pathlib import PurePath
+from posixpath import join as posixjoin
+from re import search
 from subprocess import check_call
 from sys import executable
 
@@ -50,18 +52,31 @@ def exclusion(tarinfo):
     # exclude certain folders/files
     pathname = tarinfo.name
     if search(
-        r"/\.|\\\.|__pycache__|pyproject\.toml|requirements|build\.py|tar\.gz", pathname
+        r"/\.|\\\.|__pycache__|pyproject\.toml|requirements|build\.py|\.tar\.gz|\.tgz",
+        pathname,
     ):
         return None
 
-    # rename parent folder as "TA-malware-filter"
-    tarinfo.name = sub(r"^.", "TA-malware-filter", pathname)
+    app = PurePath(pathname).parts[0]
 
     # reset file stats
-    # based on https://splunkbase.splunk.com/app/833
-    tarinfo.uid = 1001
-    tarinfo.gid = 123
+    tarinfo.uid = 0
+    tarinfo.gid = 0
     tarinfo.uname = tarinfo.gname = ""
+    if tarinfo.isfile():
+        # remove execution permission
+        tarinfo.mode = 0o644
+
+        # except for scripts
+        # tarinfo uses posix (not nt)
+        if (
+            tarinfo.name.startswith(posixjoin(app, "bin"))
+            and path.splitext(tarinfo.name)[-1] == ".py"
+        ):
+            tarinfo.mode = 0o744
+    if tarinfo.isdir():
+        # remove write permission from group & world
+        tarinfo.mode = 0o755
 
     return tarinfo
 
@@ -84,4 +99,4 @@ check_call(
 pkg_file = f"TA-malware-filter-{version()}.tar.gz"
 print(f"Creating {pkg_file}...")
 with tarfile.open(pkg_file, "w:gz") as tar:
-    tar.add(".", filter=exclusion)
+    tar.add(".", filter=exclusion, arcname="TA-malware-filter")