From d2be29b2268c8e8a2c61a70834d6ae899e245da3 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 22 Jul 2022 16:07:41 -0400
Subject: [PATCH] [Rule Tuning] Potential Privacy Control Bypass via TCCDB Modification (#2121)

* add exception for Bitdefender
---
 ...e_evasion_privacy_controls_tcc_database_modification.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 38750e8c3..be7c89412 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/18"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,8 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
 process.name : "sqlite*" and
- process.args : "/*/Application Support/com.apple.TCC/TCC.db"
+ process.args : "/*/Application Support/com.apple.TCC/TCC.db" and
+ not process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*"
 '''