config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*\Software\Aerofox\Foxmail\V3.1*", "*\Software\Aerofox\FoxmailPreview*", "*\Software\DownloadManager\Passwords*", "*\Software\FTPWare\COREFTP\Sites*", "*\Software\IncrediMail\Identities*", "*\Software\Martin Prikryl\WinSCP 2\Sessions*", "*\Software\Mobatek\MobaXterm\*", "*\Software\OpenSSH\Agent\Keys*", "*\Software\OpenVPN-GUI\configs*", "*\Software\ORL\WinVNC3\Password*", "*\Software\Qualcomm\Eudora\CommandLine*", "*\Software\RealVNC\WinVNC4*", "*\Software\RimArts\B2\Settings*", "*\Software\SimonTatham\PuTTY\Sessions*", "*\Software\SimonTatham\PuTTY\SshHostKeys\*", "*\Software\Sota\FFFTP*", "*\Software\TightVNC\Server*", "*\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin*")) and 
 (not 
 (action_process_image_path contains "reg.exe" and 
 (action_process_image_command_line in ("*export*", "*save*"))))))