From 74c054f3e76338dfe49cf6fc59fd22747e30e963 Mon Sep 17 00:00:00 2001
From: Djordje Lukic
Date: Thu, 26 Dec 2024 15:14:13 +0100
Subject: [PATCH] Update for kaspersky variant
---
.../win_codeintegrity_attempted_dll_load.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index 2abfe2b2a66..134b36a25fa 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -109,9 +109,12 @@ detection:
FileNameBuffer|contains: '\National Instruments\Shared\mDNS Responder\'
filter_optional_kaspersky:
# Example: \Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\antimalware_provider.dll
- FileNameBuffer|contains|all:
- - 'antimalware_provider.dll'
+ - ProcessNameBuffer|contains|all:
+ - '\Kaspersky Lab\'
+ - '\avp.exe'
+ - FileNameBuffer|contains|all:
- '\Kaspersky Lab\'
+ - '\antimalware_provider.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.
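Review bot: The new `ProcessNameBuffer` branch of `filter_optional_kaspersky` suppresses every attempted-DLL-load event whose loading process path contains `\Kaspersky Lab\` and `\avp.exe`, whatever DLL was loaded, because the two list items are OR-ed and that first map constrains only the process. That is broader than the `FileNameBuffer` branch beneath it, which still pins `\antimalware_provider.dll`, so an attempt by avp.exe to load some other unsigned or untrusted DLL would now be filtered out rather than alerted on. If the Kaspersky variant is that the event's FileNameBuffer lacks the vendor path, adding `FileNameBuffer|endswith: '\antimalware_provider.dll'` as a sibling key inside the ProcessNameBuffer map keeps the exemption per DLL while still matching that variant. The `# Example:` comment now describes only the second branch; a comment on the first item such as `# Variant: same provider DLL loaded by avp.exe, matched on the process path` would document why two forms exist (confirm against the sample event). The enclosing `detection:` map starts outside this hunk.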