def rule(event):
    if all(
        [
            any(
                [
                    all(
                        [
                            event.deep_get("Image", default="").endswith("\\schtasks.exe"),
                            any(
                                [
                                    " -create " in event.deep_get("CommandLine", default=""),
                                    " /create " in event.deep_get("CommandLine", default=""),
                                    " –create " in event.deep_get("CommandLine", default=""),
                                    " —create " in event.deep_get("CommandLine", default=""),
                                    " ―create " in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    ":\\Perflogs" in event.deep_get("CommandLine", default=""),
                                    ":\\Users\\All Users\\"
                                    in event.deep_get("CommandLine", default=""),
                                    ":\\Users\\Default\\"
                                    in event.deep_get("CommandLine", default=""),
                                    ":\\Users\\Public" in event.deep_get("CommandLine", default=""),
                                    ":\\Windows\\Temp" in event.deep_get("CommandLine", default=""),
                                    "\\AppData\\Local\\"
                                    in event.deep_get("CommandLine", default=""),
                                    "\\AppData\\Roaming\\"
                                    in event.deep_get("CommandLine", default=""),
                                    "%AppData%" in event.deep_get("CommandLine", default=""),
                                    "%Public%" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("ParentCommandLine", default="").endswith(
                                "\\svchost.exe -k netsvcs -p -s Schedule"
                            ),
                            any(
                                [
                                    ":\\Perflogs" in event.deep_get("CommandLine", default=""),
                                    ":\\Windows\\Temp" in event.deep_get("CommandLine", default=""),
                                    "\\Users\\Public" in event.deep_get("CommandLine", default=""),
                                    "%Public%" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
            not any(
                [
                    any(
                        [
                            "unattended.ini" in event.deep_get("ParentCommandLine", default=""),
                            "update_task.xml" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    "/Create /TN TVInstallRestore /TR" in event.deep_get("CommandLine", default=""),
                    all(
                        [
                            "/Create /Xml " in event.deep_get("CommandLine", default=""),
                            "\\Temp\\.CR." in event.deep_get("CommandLine", default=""),
                            "\\Avira_Security_Installation.xml"
                            in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            "/Create /F /TN" in event.deep_get("CommandLine", default=""),
                            "/Xml " in event.deep_get("CommandLine", default=""),
                            "\\Temp\\" in event.deep_get("CommandLine", default=""),
                            "Avira_" in event.deep_get("CommandLine", default=""),
                            any(
                                [
                                    ".tmp\\UpdateFallbackTask.xml"
                                    in event.deep_get("CommandLine", default=""),
                                    ".tmp\\WatchdogServiceControlManagerTimeout.xml"
                                    in event.deep_get("CommandLine", default=""),
                                    ".tmp\\SystrayAutostart.xml"
                                    in event.deep_get("CommandLine", default=""),
                                    ".tmp\\MaintenanceTask.xml"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            "\\Temp\\" in event.deep_get("CommandLine", default=""),
                            '/Create /TN "klcp_update" /XML '
                            in event.deep_get("CommandLine", default=""),
                            "\\klcp_update_task.xml" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
