From e943d06060369d9ed4813ce249e97b9f75b68279 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?T=C3=B6r=C3=B6k=20Edvin?=
Date: Wed, 24 Feb 2010 13:39:07 +0200
Subject: [PATCH] Tweak swizzor threshold to fix some false positives.
---
 libclamav/special.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libclamav/special.c b/libclamav/special.c
index ff518c8f7..ac72f55d7 100644
--- a/libclamav/special.c
+++ b/libclamav/special.c
@@ -358,12 +358,12 @@ static inline int swizz_j48(const uint16_t n[])
 {
 cli_dbgmsg("swizz_j48: %u, %u, %u\n",n[0],n[1],n[2]);
 /* rules based on J48 tree */
- if (n[0] <= 945 || !n[1])
+ if (n[0] <= 961 || !n[1])
 return 0;
 if (n[0] <= 1006)
 return (n[2] > 0 && n[2] <= 6);
 else
- return n[1] <= 10;
+ return n[1] <= 10 && n[2];
 }
 
 void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob)
@@ -429,7 +429,7 @@ void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_s
 ngram_cnts[i] = (v<<10)/all;
 }
 ret = swizz_j48(ngram_cnts) ? CL_VIRUS : CL_CLEAN;
- if (!words) ret = CL_CLEAN;
+ if (words < 3) ret = CL_CLEAN;
 cli_dbgmsg("cli_detect_swizz_str: %s, %u words\n", ret == CL_VIRUS ? "suspicious" : "ok", words);
 if (ret == CL_VIRUS) {
 stats->suspicious += j;
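Review bot: The new last branch of swizz_j48 tests `n[2]` bare while the branch two lines above writes the same condition as `n[2] > 0`; `return n[1] <= 10 && n[2] > 0;` would keep the tree consistent. The thresholds 961, 1006, 6 and 10 remain unexplained. Judging by `ngram_cnts[i] = (v<<10)/all` in the second hunk, they look like fractions scaled by 1024, but that is an inference. If it is correct, a comment such as `/* n[] are n-gram ratios scaled by 1024 (see cli_detect_swizz_str); cut-offs come from the J48 tree */` would let the next reader check a change like 945 to 961. Both edits narrow what is flagged, so the commit should name the false-positive samples it fixes and keep one known-detected sample as a regression check, which makes the false-negative cost visible.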
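Review bot: The floor in `if (words < 3) ret = CL_CLEAN;` is an unnamed constant with no stated reason, and it only overrides the verdict after `swizz_j48()` has already run and logged. A named constant with a comment would make the cut-off reviewable, for example `#define SWIZZ_MIN_WORDS 3 /* below this the n-gram ratios are too noisy to trust */`; both the name and the rationale are suggestions to confirm with the author. Strings under the floor are now always reported clean, so the commit message should record that as an accepted loss of coverage. The body of cli_detect_swizz_str starts and ends outside this hunk, so how `words` is counted is not visible here.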