From ec425c836d3e609fddc25e49f1767b98507ca2eb Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 25 Oct 2022 01:55:08 +0200
Subject: [PATCH] fix: fix FP with bonjour in CI rule

---
 .../code_integrity/win_codeintegrity_failed_dll_load.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_failed_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_failed_dll_load.yml
index 8035439fe..7afd13ddd 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_failed_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_failed_dll_load.yml
@@ -35,6 +35,11 @@ detection:
         ProcessNameBuffer|endswith: '\AppData\Local\Keybase\Gui\Keybase.exe'
         RequestedPolicy: 8
         ValidatedPolicy: 1
+    filter_bonjour:
+        FileNameBuffer|endswith: '\Program Files\Bonjour\mdnsNSP.dll'
+        ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
+        RequestedPolicy: 8
+        ValidatedPolicy: 1
     condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
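Review bot: The new `filter_bonjour` exclusion keys on `FileNameBuffer|endswith` with a fragment that starts at `\Program Files\`, so it suppresses the alert for a same-named DLL under any parent directory rather than only the expected install location; anchoring it at the drive separator, `FileNameBuffer|endswith: ':\Program Files\Bonjour\mdnsNSP.dll'`, keeps the exclusion to that location and matches how many rules in this repository scope `Program Files` paths. The `ProcessNameBuffer` fragment has the same shape and could be anchored the same way, `':\Windows\System32\svchost.exe'`. The `falsepositives` entry in the trailing context still reads `Unknown` even though this commit and the existing Keybase filter document concrete benign sources; listing them there would help triage. The `selection` block and the start of `detection` are outside the hunk, so the policy values the filter mirrors cannot be checked from here.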