christian-taillon/follina.spl

## follina.spl
((((ParentBaseFileName IN ("*WINWORD.EXE" ,
                           "*EXCEL.EXE" ,
                           "*POWERPNT.EXE" ,
                           "*MSPUB.EXE" ,
                           "*VISIO.EXE" ,
                           "*OUTLOOK.EXE" ,
                           "*MSACCESS.EXE" ,
                           "*MSPROJECT.EXE" ,
                           "*ONENOTE.EXE"))
   AND ((CommandHistory IN ("*msdt.exe*" ,
                            "*../*" ,
                            "*..\\*"))
        OR (CommandLine IN ("*msdt.exe*" ,
                            "*../*" ,
                            "*..\\*"))
        OR (ImageFileName IN ("*msdt.exe"))))
  OR ((ParentBaseFileName IN ("*sdiagnhost.exe"))
      AND NOT (((ImageFileName IN ("*System32\\conhost.exe" ,
                                   "*System32\\netsh.exe" ,
                                   "*System32\\wpr.exe"))
                OR (ImageFileName IN ("*Framework64*")
                    AND ImageFileName IN ("*csc.exe*")
                    AND ImageFileName IN ("*Microsoft.NET*"))))))
 AND ((ParentBaseFileName IN ("*powershell.exe" ,
                              "*cscript.exe" ,
                              "*DllHost.exe" ,
                              "*gpscript.exe" ,
                              "*eqnedt32.exe" ,
                              "*hh.exe" ,
                              "*cmd.exe" ,
                              "*MSBuild.exe" ,
                              "*msdt.exe" ,
                              "*wscript.exe" ,
                              "*fltldr.exe" ,
                              "*mshta.exe" ,
                              "*RegAsm.exe" ,
                              "*regsvcs.exe" ,
                              "*rundll32.exe" ,
                              "*regsvr32.exe"))
      AND (ImageFileName IN ("*msdt.exe"))
      AND ((CommandHistory IN ("*skip*" ,
                               "*IT_RebrowseForFile*" ,
                               "*IT_BrowseForFile*" ,
                               "*ms-msdt:*" ,
                               "*af*" ,
                               "*PCWDiagnostic*"))
           OR (CommandLine IN ("*skip*" ,
                               "*IT_RebrowseForFile*" ,
                               "*IT_BrowseForFile*" ,
                               "*ms-msdt:*" ,
                               "*af*" ,
                               "*PCWDiagnostic*")))))
	((((ParentBaseFileName IN ("*WINWORD.EXE" ,
	"*EXCEL.EXE" ,
	"*POWERPNT.EXE" ,
	"*MSPUB.EXE" ,
	"*VISIO.EXE" ,
	"*OUTLOOK.EXE" ,
	"*MSACCESS.EXE" ,
	"*MSPROJECT.EXE" ,
	"*ONENOTE.EXE"))
	AND ((CommandHistory IN ("msdt.exe" ,
	"../" ,
	"..\\"))
	OR (CommandLine IN ("msdt.exe" ,
	"../" ,
	"..\\"))
	OR (ImageFileName IN ("*msdt.exe"))))
	OR ((ParentBaseFileName IN ("*sdiagnhost.exe"))
	AND NOT (((ImageFileName IN ("*System32\\conhost.exe" ,
	"*System32\\netsh.exe" ,
	"*System32\\wpr.exe"))
	OR (ImageFileName IN ("Framework64")
	AND ImageFileName IN ("csc.exe")
	AND ImageFileName IN ("Microsoft.NET"))))))
	AND ((ParentBaseFileName IN ("*powershell.exe" ,
	"*cscript.exe" ,
	"*DllHost.exe" ,
	"*gpscript.exe" ,
	"*eqnedt32.exe" ,
	"*hh.exe" ,
	"*cmd.exe" ,
	"*MSBuild.exe" ,
	"*msdt.exe" ,
	"*wscript.exe" ,
	"*fltldr.exe" ,
	"*mshta.exe" ,
	"*RegAsm.exe" ,
	"*regsvcs.exe" ,
	"*rundll32.exe" ,
	"*regsvr32.exe"))
	AND (ImageFileName IN ("*msdt.exe"))
	AND ((CommandHistory IN ("skip" ,
	"IT_RebrowseForFile" ,
	"IT_BrowseForFile" ,
	"ms-msdt:" ,
	"af" ,
	"PCWDiagnostic"))
	OR (CommandLine IN ("skip" ,
	"IT_RebrowseForFile" ,
	"IT_BrowseForFile" ,
	"ms-msdt:" ,
	"af" ,
	"PCWDiagnostic")))))