Security Software Discovery via Grep
- source: elastic
- techniques:
  - T1518
Description
Identifies use of the grep command to discover known third-party macOS and Linux security tools, such as antivirus or host firewall products.
Detection logic
process where event.type == "start" and
  // grep run by a non-root user and not launched by a known security product's own tooling
  process.name : "grep" and user.id != "0" and
  not process.parent.executable : ("/Library/Application Support/*", "/opt/McAfee/agent/scripts/ma") and
  // any argument naming a known macOS/Linux security tool (":" is a case-insensitive wildcard match)
  process.args :
    ("Little Snitch*",
     "Avast*",
     "Avira*",
     "ESET*",
     "BlockBlock*",
     "360Sec*",
     "LuLu*",
     "KnockKnock*",
     "kav",
     "KIS",
     "RTProtectionDaemon*",
     "Malware*",
     "VShieldScanner*",
     "WebProtection*",
     "webinspectord*",
     "McAfee*",
     "isecespd*",
     "macmnsvc*",
     "masvc*",
     "kesl*",
     "avscan*",
     "guard*",
     "rtvscand*",
     "symcfgd*",
     "scmdaemon*",
     "symantec*",
     "sophos*",
     "osquery*",
     "elastic-endpoint*") and
  // known benign invocations (product health checks, config lookups) that would otherwise match
  not (
    (process.args : "Avast" and process.args : "Passwords") or
    (process.args == "osquery.conf") or
    (process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or
    (process.command_line : (
      "grep ESET Command-line scanner, version %s -A2",
      "grep -i McAfee Web Gateway Core version:",
      "grep --color=auto ESET Command-line scanner, version %s -A2"
    )) or
    (process.parent.command_line : (
      """sh -c printf "command_start_%s"*; perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf "command_done_%s*""",
      """bash -c perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1"""
    ))
  )
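To see how the query above behaves on concrete events, here is an added Python emulation of its logic, written for this page and not taken from Elastic's rule repository. It assumes the ECS-style field layout the query names (process.name, process.args, process.parent.*, user.id) and constructs its own sample events.

```python
import re
# Added emulation of this rule's EQL over dict-shaped process events (not Elastic's code).
# EQL `:` is a case-insensitive wildcard match in which only `*` is special (the `[^ -~]` in
# the ESET parent command line is literal); `==` is an exact, case-sensitive comparison.
def _any(values, patterns):
    """Emulate `field : (p1, p2, ...)`: true if any value matches any wildcard pattern."""
    rx = [re.compile("^" + ".*".join(map(re.escape, p.split("*"))) + "$", re.I | re.S) for p in patterns]
    return any(r.match(v) for v in values for r in rx)
TOOLS = ["Little Snitch*", "Avast*", "Avira*", "ESET*", "BlockBlock*", "360Sec*", "LuLu*",
         "KnockKnock*", "kav", "KIS", "RTProtectionDaemon*", "Malware*", "VShieldScanner*",
         "WebProtection*", "webinspectord*", "McAfee*", "isecespd*", "macmnsvc*", "masvc*",
         "kesl*", "avscan*", "guard*", "rtvscand*", "symcfgd*", "scmdaemon*", "symantec*",
         "sophos*", "osquery*", "elastic-endpoint*"]
PARENT_EXE_EXCL = ["/Library/Application Support/*", "/opt/McAfee/agent/scripts/ma"]
CMDLINE_EXCL = ["grep ESET Command-line scanner, version %s -A2", "grep -i McAfee Web Gateway Core version:",
                "grep --color=auto ESET Command-line scanner, version %s -A2"]
PARENT_CMDLINE_EXCL = [
    r"""sh -c printf "command_start_%s"*; perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf "command_done_%s*""",
    r"""bash -c perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1"""]

def matches_rule(ev):
    """True when a process-start event satisfies the detection logic (missing fields read as empty)."""
    proc = ev.get("process", {}); parent = proc.get("parent", {})
    args, pargs = proc.get("args", []), parent.get("args", [])
    if ev.get("event", {}).get("type") != "start" or proc.get("name") != "grep" or ev.get("user", {}).get("id") == "0":
        return False
    if _any([parent.get("executable", "")], PARENT_EXE_EXCL) or not _any(args, TOOLS):
        return False
    return not (  # benign-usage exclusions, i.e. the rule's `not ( ... )` block
        (_any(args, ["Avast"]) and _any(args, ["Passwords"]))
        or "osquery.conf" in args
        or (_any(pargs, ["/opt/McAfee/agent/scripts/ma"]) and _any(pargs, ["checkhealth"]))
        or _any([proc.get("command_line", "")], CMDLINE_EXCL)
        or _any([parent.get("command_line", "")], PARENT_CMDLINE_EXCL))

def event(args, uid="501", parent_exe="/bin/zsh", parent_args=("zsh",)):
    """Build a constructed process-start event in the field layout the rule queries."""
    return {"event": {"type": "start"}, "user": {"id": uid},
            "process": {"name": "grep", "args": list(args), "command_line": " ".join(args),
                        "parent": {"executable": parent_exe, "args": list(parent_args),
                                   "command_line": " ".join(parent_args)}}}

# Constructed samples: one discovery attempt, then benign look-alikes the rule is tuned to drop.
SAMPLES = {
    "discovery": event(["grep", "-i", "little snitch"]),                # alerts
    "root": event(["grep", "McAfee"], uid="0"),                         # user.id == "0"
    "avast_passwords": event(["grep", "Avast", "Passwords"]),           # argument exclusion
    "osquery_conf": event(["grep", "osquery.conf"]),                    # exact `==` exclusion
    "mcafee_health": event(["grep", "masvc"], "501", "/opt/McAfee/agent/scripts/ma", ["ma", "checkhealth"]),
    "eset_version": event(["grep", "ESET Command-line scanner, version %s", "-A2"]),  # command_line exclusion
}
```

Running `matches_rule` over `SAMPLES` shows only the first event alerting; the rest are suppressed by the user, parent or exclusion clauses, which is a quick way to check a tuning change before shipping it.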