diff --git a/detection/evasion/ssh-notty.sql b/detection/evasion/ssh-notty.sql
index fc9d167..eaaabc4 100644
--- a/detection/evasion/ssh-notty.sql
+++ b/detection/evasion/ssh-notty.sql
@@ -8,4 +8,6 @@ SELECT * FROM (
 ) WHERE INSTR(cmdline, '@notty') > 0 OR
-INSTR(open_files, '/dev/ptmx') = 0;
\ No newline at end of file
+(
+  open_files != "/dev/null" AND INSTR(open_files, '/dev/ptmx') = 0
+)
\ No newline at end of file
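Review bot: The added predicate quotes the path as `"/dev/null"` while every other string in this WHERE clause uses single quotes; in standard SQL double quotes delimit identifiers, and SQLite accepts them as a string literal only through a legacy fallback that can be compiled out, so the line should read `open_files != '/dev/null' AND INSTR(open_files, '/dev/ptmx') = 0`. The exclusion also matches only when open_files is exactly that one path; since the same column is searched with INSTR it is presumably a concatenated list, so a session holding /dev/null together with other non-pty files is still reported, which looks intended but deserves a short comment above the parenthesised group stating what the lone-/dev/null case represents, e.g. `-- sessions whose only open file is /dev/null are not treated as pty-less`. When open_files is NULL the comparison and INSTR both evaluate to UNKNOWN and the row is silently dropped, as in the old predicate; if such sessions should still be flagged, compare against `COALESCE(open_files, '')`. The enclosing SELECT begins before this hunk.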