// Detection query (Cortex XQL, xdr_file preset): Windows file events whose file
// field matches either of two patterns under C:\ProgramData\ :
//   1. a vendor-named directory (Microsoft, Adobe, Comms, Intel, Kaspersky Lab,
//      Bitdefender, ESET, NVIDIA, UbiSoft, Steam) followed by an entry starting
//      with "v", where the same value also matches \prnms003.inf_* or \prnms009.inf_*
//   2. any value containing C:\ProgramData\ that matches *.save, \doit.bat,
//      \execute.bat or \servtask.bat, or contains both "\wayzgoose" and ".dll"
// All comparisons are case-insensitive (config stage below).
//
// NOTE(review): these names resemble indicators published for the GooseEgg
// post-exploitation tool -- confirm against the originating rule's references
// before using that attribution in triage notes.
// NOTE(review): every test reads action_file_name. If that field holds only the
// base file name in this tenant's schema, the full-path patterns can never match
// and the rule fails silently. Confirm whether action_file_path is the field that
// carries the full path, and validate the query against a known test file event.
// NOTE(review): "contains" is unanchored, so C:\ProgramData\ and ".dll" may match
// anywhere in the value rather than at its start or end. This looks broader than
// a prefix/suffix match would be -- confirm that is intended.
// NOTE(review): "*.save" under ProgramData is a broad pattern; expect benign hits
// and tune exclusions per environment.
config case_sensitive = false
| preset = xdr_file
| filter event_type = ENUM.FILE and agent_os_type = ENUM.AGENT_OS_WINDOWS
| filter
    (
        action_file_name in ("C:\ProgramData\Microsoft\v*", "C:\ProgramData\Adobe\v*", "C:\ProgramData\Comms\v*", "C:\ProgramData\Intel\v*", "C:\ProgramData\Kaspersky Lab\v*", "C:\ProgramData\Bitdefender\v*", "C:\ProgramData\ESET\v*", "C:\ProgramData\NVIDIA\v*", "C:\ProgramData\UbiSoft\v*", "C:\ProgramData\Steam\v*")
        and action_file_name in ("*\prnms003.inf_*", "*\prnms009.inf_*")
    )
    or
    (
        action_file_name contains "C:\ProgramData\"
        and (
            action_file_name in ("*.save", "*\doit.bat", "*\execute.bat", "*\servtask.bat")
            or (action_file_name contains "\wayzgoose" and action_file_name contains ".dll")
        )
    )