From 30869e1b2b3369c46e431a77c8a69ab1c81789be Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 10 Nov 2022 17:15:22 +0100
Subject: [PATCH] fix: fp with defender def updates

---
 .../builtin/system/win_system_susp_service_installation.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/builtin/system/win_system_susp_service_installation.yml b/rules/windows/builtin/system/win_system_susp_service_installation.yml
index d2f4a5a3a..b7a9c0d96 100644
--- a/rules/windows/builtin/system/win_system_susp_service_installation.yml
+++ b/rules/windows/builtin/system/win_system_susp_service_installation.yml
@@ -44,6 +44,8 @@ detection:
         - ' aQBlAHgA' # PowerShell encoded commands
     filter_thor_remote:
         ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
+    filter_defender_def_updates:
+        ImagePath|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\'
     condition: selection and ( suspicious1 or all of suspicious2* ) and not 1 of filter_*
 falsepositives:
     - Unknown
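Review bot: The new `filter_defender_def_updates` excludes every ImagePath under a `C:\ProgramData\...` prefix, which is a broader carve-out than the neighbouring `filter_thor_remote` (that one pins the full binary path); any service whose ImagePath merely starts with that directory is now dropped from the rule, so the exclusion should be narrowed to the updater binary actually seen in the false positive, e.g. add `ImagePath|endswith: '\<updater-binary>.exe'` under the same filter (likely `MpSigStub.exe`, but confirm from the observed events). The hunk also leaves `falsepositives:` at `- Unknown` even though the commit is filtering a now-known one; replacing that with `- Windows Defender definition update installations` keeps the rule's documentation in step with its filters. A short inline comment on the filter naming the source of the FP would help the next maintainer judge whether the exclusion is still needed. The `detection:` block this filter belongs to begins above the hunk.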