open-dsi
/
clamav
mirror of https://github.com/Cisco-Talos/clamav
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

use a more precise J48 tree (built from more input data), and lower threshold

Browse Source 
for detection. This detects ~14% more samples.

git-svn: trunk@4512
0.95
Török Edvin 17 years ago
parent 42d26ac94c
commit b84f20d9ab
2 changed files with 44 additions and 8 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 6
      ChangeLog
  2. 46
      libclamav/special.c

6
ChangeLog
Unescape View File

@ -1,3 +1,9 @@
Wed Dec 3 00:21:43 EET 2008 (edwin)
------------------------------------
* libclamav/special.c: use a more precise J48 tree (built from more
input data), and lower threshold for detection. This detects ~14%
more samples.
Tue Dec 2 22:00:10 EET 2008 (edwin)
------------------------------------
* libclamav/dconf.c, libclamav/dconf.h, libclamav/pe.c,

46
libclamav/special.c
Unescape View File

@ -360,16 +360,46 @@ static inline int swizz_j48(const uint16_t n[])
{
cli_dbgmsg("swizz_j48: %u, %u, %u\n",n[0],n[1],n[2]);
/* rules based on J48 tree */
if (n[0] <= 951 || n[1] == 0)
if (n[0] <= 924)
return CL_CLEAN;
if (n[2] == 0) {
if (n[0] <= 984)
if (n[0] <= 940) {
return (n[2] > 1 && n[2] <= 8) ? CL_VIRUS : CL_CLEAN;
}
if (n[2] <= 14) {
if (n[2] <= 0) {
if (n[0] <= 999)
return CL_CLEAN;
if (n[0] <= 1012) {
if (n[1] <= 23) {
if (n[0] <= 1003)
return CL_CLEAN;
return (n[1] <= 19 && n[0] > 1007 && n[1] > 15) || (n[1] > 19) ? CL_VIRUS : CL_CLEAN;
}
return CL_VIRUS;
}
return n[1] == 0 ? CL_CLEAN : CL_VIRUS;
}
if (n[2] <= 8)
return CL_VIRUS;
if (n[0] <= 954)
return CL_CLEAN;
if (n[1] <= 15)
return n[0] <= 1008 ? CL_CLEAN : CL_VIRUS;
return CL_CLEAN;
if (n[2] <= 10)
return CL_VIRUS;
if (n[2] <= 12) {
if (n[0] <= 1011) {
if (n[1] <=32)
return CL_VIRUS;
return (n[2] <= 11 || n[1] > 51) ? CL_VIRUS : CL_CLEAN;
}
return CL_CLEAN;
}
if (n[1] <= 52) {
return (n[1] <= 43 && n[1] > 6 &&
(n[2] <= 13 || n[1] <= 30 || n[1] > 40))
? CL_CLEAN : CL_VIRUS;
}
}
return n[2] <= 7 ? CL_VIRUS : CL_CLEAN;
return CL_CLEAN;
}
void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob)
@ -444,7 +474,7 @@ int cli_detect_swizz(struct swizz_stats *stats)
(unsigned long)stats->suspicious, (unsigned long)stats->total,
stats->has_version, stats->has_manifest);
/* not all have version/manifest */
if (stats->total > 128 && stats->suspicious > 3*stats->total/10) {
if (stats->total > 128 && stats->suspicious > 2*stats->total/10) {
return CL_VIRUS;
}
return CL_CLEAN;

Write Preview
Loading…
Cancel
Save