
use a more precise J48 tree (built from more input data), and lower threshold for detection. This detects ~14% more samples.

git-svn: trunk@4512

Török Edvin authored on 2008/12/03 07:17:09
@@ -1,3 +1,9 @@
1
+Wed Dec  3 00:21:43 EET 2008 (edwin)
2
+------------------------------------
3
+ * libclamav/special.c: use a more precise J48 tree (built from more
4
+ input data), and lower threshold for detection. This detects ~14%
5
+ more samples.
6
+
1 7
 Tue Dec  2 22:00:10 EET 2008 (edwin)
2 8
 ------------------------------------
3 9
  * libclamav/dconf.c, libclamav/dconf.h, libclamav/pe.c,
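--- a/libclamav/special.c
+++ b/libclamav/special.c
@@ -360,16 +360,46 @@ static inline int swizz_j48(const uint16_t n[])
 {
 	cli_dbgmsg("swizz_j48: %u, %u, %u\n",n[0],n[1],n[2]);
 	/* rules based on J48 tree */
-	if (n[0] <= 951 || n[1] == 0)
+	if (n[0] <= 924)
 		return CL_CLEAN;
-	if (n[2] == 0) {
-		if (n[0] <= 984)
+	if (n[0] <= 940) {
+		return (n[2] > 1 && n[2] <= 8) ? CL_VIRUS : CL_CLEAN;
+	}
+	if (n[2] <= 14) {
+		if (n[2] <= 0) {
+			if (n[0] <= 999)
+				return CL_CLEAN;
+			if (n[0] <= 1012) {
+				if (n[1] <= 23) {
+					if (n[0] <= 1003)
+						return CL_CLEAN;
+					return (n[1] <= 19 && n[0] > 1007 && n[1] > 15) || (n[1] > 19) ? CL_VIRUS : CL_CLEAN;
+				}
+				return CL_VIRUS;
+			}
+			return n[1] == 0 ? CL_CLEAN : CL_VIRUS;
+		}
+		if (n[2] <= 8)
+			return CL_VIRUS;
+		if (n[0] <= 954)
 			return CL_CLEAN;
-		if (n[1] <= 15)
-			return n[0] <= 1008 ? CL_CLEAN : CL_VIRUS;
-		return CL_CLEAN;
+		if (n[2] <= 10)
+			return CL_VIRUS;
+		if (n[2] <= 12) {
+			if (n[0] <= 1011) {
+				if (n[1] <=32)
+					return CL_VIRUS;
+				return (n[2] <= 11 || n[1] > 51) ? CL_VIRUS : CL_CLEAN;
+			}
+			return CL_CLEAN;
+		}
+		if (n[1] <= 52) {
+			return (n[1] <= 43 && n[1] > 6 &&
+					(n[2] <= 13 || n[1] <= 30 || n[1] > 40))
+				? CL_CLEAN : CL_VIRUS;
+		}
 	}
-	return n[2] <= 7 ? CL_VIRUS : CL_CLEAN;
+	return CL_CLEAN;
 }
 
 void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob)
@@ -444,7 +474,7 @@ int cli_detect_swizz(struct swizz_stats *stats)
 			(unsigned long)stats->suspicious, (unsigned long)stats->total,
 			stats->has_version, stats->has_manifest);
 	/* not all have version/manifest */
-	if (stats->total > 128 && stats->suspicious > 3*stats->total/10) {
+	if (stats->total > 128 && stats->suspicious > 2*stats->total/10) {
 		return CL_VIRUS;
 	}
 	return CL_CLEAN;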
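Review bot: The ternary at new line 376 of swizz_j48, `return (n[1] <= 19 && n[0] > 1007 && n[1] > 15) || (n[1] > 19) ? CL_VIRUS : CL_CLEAN;`, relies on `||` binding tighter than `?:`; C does parse it that way, but the unparenthesized condition reads as if only `(n[1] > 19)` selected the verdict, so wrap the whole condition: `return ((n[1] <= 19 && n[0] > 1007 && n[1] > 15) || n[1] > 19) ? CL_VIRUS : CL_CLEAN;`. Likewise `if (n[2] <= 0)` at new line 369 on a `uint16_t` element is simply `n[2] == 0` and should be written as such. The thresholds in this tree are generated output (the commit message says the tree was rebuilt from more input data) but nothing in the file records which model or data produced them, so a comment above `/* rules based on J48 tree */` along the lines of `/* generated by J48 from <training-set placeholder>, <date placeholder>; regenerate rather than hand-edit */` would stop a later maintainer from tuning individual branches by hand. The commit message reports the ~14% detection gain but not the false-positive rate after lowering the cut-offs here and in cli_detect_swizz (`2*stats->total/10`); presumably that was measured on a clean corpus, and noting the result in the commit or a comment would make the trade-off auditable.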