From 300dbe8f3e871a08c5cb5afbf4b2e8a65f4e7a7b Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 9 May 2017 23:12:02 +0200
Subject: [PATCH] Fixed condition AND has higher precedence than OR.
---
 rules/windows/builtin/win_susp_msmpeng_crash.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index 34d7dd126..705d66002 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -20,7 +20,7 @@ detection:
 - 'MsMpEng.exe'
 keyword2:
 - 'mpengine.dll'
- condition: selection1 or selection2 and keyword1 and keyword2
+ condition: (selection1 or selection2) and keyword1 and keyword2
 falsepositives:
 - Unknown
 level: high
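Review bot: The corrected `condition` line carries no comment stating its intent, although the earlier unparenthesised form parsed as `selection1 or (selection2 and keyword1 and keyword2)` and so matched every selection1 event regardless of the keywords. A comment above it such as `# keywords are required for either selection; 'and' binds tighter than 'or'` would keep a later edit from dropping the parentheses again. The definitions of selection1 and selection2 are outside the hunk, so it is worth confirming against a sample event of each kind that both keyword strings appear in the same record; otherwise the now stricter rule could silently stop matching. Other rules that mix `and` and `or` without parentheses may carry the same precedence slip and deserve a quick search.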