diff --git a/detection/evasion/unexpected-var-executables-linux.sql b/detection/evasion/unexpected-var-executables-linux.sql
index fb6cd66..5270749 100644
--- a/detection/evasion/unexpected-var-executables-linux.sql
+++ b/detection/evasion/unexpected-var-executables-linux.sql
@@ -50,4 +50,5 @@ WHERE
 '/var/run/booted-system',
 '/var/run/current-system'
 )
+AND magic.data NOT IN ('JSON data')
 AND file.size > 10
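Review bot: The added `AND magic.data NOT IN ('JSON data')` also drops every row where magic.data is NULL, because NOT IN against NULL evaluates to UNKNOWN and the WHERE predicate fails; if the magic table is joined so that unreadable or unmatched files yield NULL (the join is outside this hunk, so I cannot confirm), those files silently leave the result set, which is an unsafe default for a detection rule. Consider `AND (magic.data IS NULL OR magic.data NOT IN ('JSON data'))` so an absent magic result is not treated as an exclusion. A one-line comment above the new predicate stating why JSON is excluded, e.g. `-- JSON files under /var are expected data, not executables; exclude by content type rather than by name`, would help later tuning, since a content-based exclusion is an allowlist decision and readers should see it was intentional. The enclosing WHERE clause starts before line 50 and the rest of the query is outside this hunk.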