From a1f4ef4d34a8def7b3d4f08e991bd3d383da90af Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 18 Oct 2022 12:49:10 +0200
Subject: [PATCH] fix: FP on many systems

---
 .../application/win_msi_install_from_susp_locations.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
index f9735db0a..b871e1c10 100644
--- a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
+++ b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali
 references:
 - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
 date: 2022/08/31
-modified: 2022/10/12
+modified: 2022/10/18
 logsource:
 product: windows
 service: application
@@ -22,7 +22,7 @@ detection:
 - '\Users\Public\'
 - '\PerfLogs\'
 - '\Desktop\'
-            - '\Downloads\'
+            # - '\Downloads\' # too many FPs, typical legitimate staging directory
 # - '\AppData\Local\Temp\' # too many FPs
 - 'C:\Windows\TEMP\'
 - '\\\\'
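Review bot: Commenting out `'\Downloads\'` in the second hunk drops coverage for one of the most common user-delivered MSI paths, and the only record of that trade-off is the inline comment, which is easy to lose when the list is later cleaned up. The rule's `description` and `falsepositives` fields lie outside the hunk; consider recording the exclusion there, for example `- Legitimate installers launched from a user's Downloads folder`, so the tuning decision is visible to anyone reading the rule rather than only its diff history. If the signal is still wanted, a separate rule at a lower `level` scoped to `\Downloads\` would keep the observation without re-raising the FP rate here. The selection list starts and ends outside the hunk, so the remaining paths and any `filter` conditions cannot be checked from this view.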