From 8e1569164a581ea24a621b87ff7a87b8946a2c27 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg <t+github@chainguard.dev>
Date: Thu, 20 Oct 2022 13:14:37 -0400
Subject: [PATCH] Add exceptions for /Library/Python and /Library/Caches/.0%

---
 detection/evasion/unexpected-library-entries-macos.sql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/detection/evasion/unexpected-library-entries-macos.sql b/detection/evasion/unexpected-library-entries-macos.sql
index 503c3fd..d3a76bc 100644
--- a/detection/evasion/unexpected-library-entries-macos.sql
+++ b/detection/evasion/unexpected-library-entries-macos.sql
@@ -93,6 +93,7 @@ WHERE
     '/Library/Preferences/.GlobalPreferences.plist',
     '/Library/Printers/',
     '/Library/PrivilegedHelperTools/',
+    '/Library/Python/',
     '/Library/QuickLook/',
     '/Library/Receipts/',
     '/Library/Ruby/',
@@ -122,4 +123,4 @@ WHERE
     '/Library/WebServer/Documents/index.html.en',
     '/Library/WebServer/share/'
   )
-  AND NOT file.path LIKE '/Library/Caches/.00%'
+  AND NOT file.path LIKE '/Library/Caches/.0%'