config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path in ("*~1.bat*", "*~1.dll*", "*~1.exe*", "*~1.hta*", "*~1.js*", "*~1.msi*", "*~1.ps1*", "*~1.tmp*", "*~1.vbe*", "*~1.vbs*", "*~2.bat*", "*~2.dll*", "*~2.exe*", "*~2.hta*", "*~2.js*", "*~2.msi*", "*~2.ps1*", "*~2.tmp*", "*~2.vbe*", "*~2.vbs*")) and 
 (not 
 actor_process_image_path = "C:\Windows\explorer.exe") and 
 (not 
 (actor_process_image_path contains "\WebEx\WebexHost.exe" or 
 actor_process_image_path contains "\thor\thor64.exe" or 
 action_process_image_path = "C:\PROGRA~1\WinZip\WZPREL~1.EXE" or 
 action_process_image_path contains "\VCREDI~1.EXE"))))