From efd1756d494558b72a0d797629f7bf2a04778edd Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 29 Jan 2026 17:02:14 +0000
Subject: [PATCH] Update impact_hosts_file_modified.toml (#5655)

---
 rules/cross-platform/impact_hosts_file_modified.toml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 7dee2bad9..982cc50f0 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/12/11"
+updated_date = "2026/01/29"
 
 [rule]
 author = ["Elastic"]
@@ -87,18 +87,23 @@ any where process.executable != null and file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and not process.name in ("dockerd", "rootlesskit", "podman", "crio") and not process.executable : ("C:\\Program Files\\Fortinet\\FortiClient\\FCDBLog.exe", + "C:\\Program Files\\Fortinet\\FortiClient\\FortiWF.exe", + "C:\\Program Files\\Fortinet\\FortiClient\\fmon.exe", "C:\\Program Files\\Seqrite\\Seqrite\\SCANNER.EXE", + "C:\\Windows\\System32\\SearchProtocolHost.exe", "C:\\Windows\\Temp\\*.ins\\inst.exe", "C:\\Windows\\System32\\svchost.exe", "C:\\Program Files\\NordVPN\\nordvpn-service.exe", "C:\\Program Files\\Tailscale\\tailscaled.exe", "C:\\Program Files\\Docker\\Docker\\com.docker.service", + "C:\\Program Files\\Docker\\Docker\\InstallerCli.exe", "C:\\Program Files\\Quick Heal\\Quick Heal AntiVirus Pro\\scanner.exe", "C:\\Program Files (x86)\\Quick Heal AntiVirus Pro\\SCANNER.EXE", "C:\\Program Files\\Quick Heal\\Quick Heal Internet Security\\scanner.exe", "C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe", "/opt/IBM/InformationServer/Server/DSEngine/bin/uvsh", - "/usr/local/demisto/server") + "/usr/local/demisto/server", + "/usr/local/bin/defender") ) or
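Review bot: The five new exclusions are keyed on `process.executable` alone, and `"C:\\Windows\\System32\\SearchProtocolHost.exe"` and `"/usr/local/bin/defender"` in particular are paths that any process occupying that location satisfies, so each one carves a hole in the rule for exactly the hosts-file writes it exists to catch. For the Windows entries the exclusion could be narrowed with a signature check, e.g. `not (process.executable : "C:\\Windows\\System32\\SearchProtocolHost.exe" and process.code_signature.trusted == true)`, if the endpoint integration populates that field for these events; verify against the data before relying on it. The `/usr/local/bin/defender` entry has no product attribution in the hunk, and a generic name under `/usr/local/bin` is a broad exclusion that should at least be recorded in the rule's `description` or `note` so a future reviewer can tell which agent it covers. The enclosing `query` string begins and ends outside this hunk, so whether any signature or parent-process constraints already apply to these paths cannot be confirmed from here.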