git-svn: trunk@4512
Török Edvin authored on 2008/12/03 07:17:09... | ... |
@@ -1,3 +1,9 @@ |
1 |
+Wed Dec 3 00:21:43 EET 2008 (edwin) |
|
2 |
+------------------------------------ |
|
3 |
+ * libclamav/special.c: use a more precise J48 tree (built from more |
|
4 |
+ input data), and lower threshold for detection. This detects ~14% |
|
5 |
+ more samples. |
|
6 |
+ |
|
1 | 7 |
Tue Dec 2 22:00:10 EET 2008 (edwin) |
2 | 8 |
------------------------------------ |
3 | 9 |
* libclamav/dconf.c, libclamav/dconf.h, libclamav/pe.c, |
@@ -360,16 +360,46 @@ static inline int swizz_j48(const uint16_t n[]) |
360 | 360 |
{ |
361 | 361 |
cli_dbgmsg("swizz_j48: %u, %u, %u\n",n[0],n[1],n[2]); |
362 | 362 |
/* rules based on J48 tree */ |
363 |
- if (n[0] <= 951 || n[1] == 0) |
|
363 |
+ if (n[0] <= 924) |
|
364 | 364 |
return CL_CLEAN; |
365 |
- if (n[2] == 0) { |
|
366 |
- if (n[0] <= 984) |
|
365 |
+ if (n[0] <= 940) { |
|
366 |
+ return (n[2] > 1 && n[2] <= 8) ? CL_VIRUS : CL_CLEAN; |
|
367 |
+ } |
|
368 |
+ if (n[2] <= 14) { |
|
369 |
+ if (n[2] <= 0) { |
|
370 |
+ if (n[0] <= 999) |
|
371 |
+ return CL_CLEAN; |
|
372 |
+ if (n[0] <= 1012) { |
|
373 |
+ if (n[1] <= 23) { |
|
374 |
+ if (n[0] <= 1003) |
|
375 |
+ return CL_CLEAN; |
|
376 |
+ return (n[1] <= 19 && n[0] > 1007 && n[1] > 15) || (n[1] > 19) ? CL_VIRUS : CL_CLEAN; |
|
377 |
+ } |
|
378 |
+ return CL_VIRUS; |
|
379 |
+ } |
|
380 |
+ return n[1] == 0 ? CL_CLEAN : CL_VIRUS; |
|
381 |
+ } |
|
382 |
+ if (n[2] <= 8) |
|
383 |
+ return CL_VIRUS; |
|
384 |
+ if (n[0] <= 954) |
|
367 | 385 |
return CL_CLEAN; |
368 |
- if (n[1] <= 15) |
|
369 |
- return n[0] <= 1008 ? CL_CLEAN : CL_VIRUS; |
|
370 |
- return CL_CLEAN; |
|
386 |
+ if (n[2] <= 10) |
|
387 |
+ return CL_VIRUS; |
|
388 |
+ if (n[2] <= 12) { |
|
389 |
+ if (n[0] <= 1011) { |
|
390 |
+ if (n[1] <=32) |
|
391 |
+ return CL_VIRUS; |
|
392 |
+ return (n[2] <= 11 || n[1] > 51) ? CL_VIRUS : CL_CLEAN; |
|
393 |
+ } |
|
394 |
+ return CL_CLEAN; |
|
395 |
+ } |
|
396 |
+ if (n[1] <= 52) { |
|
397 |
+ return (n[1] <= 43 && n[1] > 6 && |
|
398 |
+ (n[2] <= 13 || n[1] <= 30 || n[1] > 40)) |
|
399 |
+ ? CL_CLEAN : CL_VIRUS; |
|
400 |
+ } |
|
371 | 401 |
} |
372 |
- return n[2] <= 7 ? CL_VIRUS : CL_CLEAN; |
|
402 |
+ return CL_CLEAN; |
|
373 | 403 |
} |
374 | 404 |
|
375 | 405 |
void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob) |
@@ -444,7 +474,7 @@ int cli_detect_swizz(struct swizz_stats *stats) |
444 | 444 |
(unsigned long)stats->suspicious, (unsigned long)stats->total, |
445 | 445 |
stats->has_version, stats->has_manifest); |
446 | 446 |
/* not all have version/manifest */ |
447 |
- if (stats->total > 128 && stats->suspicious > 3*stats->total/10) { |
|
447 |
+ if (stats->total > 128 && stats->suspicious > 2*stats->total/10) { |
|
448 | 448 |
return CL_VIRUS; |
449 | 449 |
} |
450 | 450 |
return CL_CLEAN; |
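Review bot: The rebuilt decision tree in swizz_j48 (new lines 363-402) is a wall of bare constants (924, 940, 954, 999, 1003, 1007, 1011, 1012, 15/19/23, 32/51/52, 6/30/40/43 …) with no record of what n[0]..n[2] count or which sample set and J48 run produced them, so a later false positive cannot be traced to either the tree or the input statistics; the surviving `/* rules based on J48 tree */` should be expanded along the lines of `/* J48 tree regenerated 2008-12-03 from <N> malicious / <M> clean samples; n[0..2] are the <what they measure> from cli_detect_swizz_str — regenerate, do not hand-edit */` with the real figures filled in. The new tree enlarges the CL_VIRUS region and the second hunk lowers the cli_detect_swizz ratio from 30% to 20% of strings; the ChangeLog records ~14% more detections but no clean-corpus false-positive rate, which is the figure a detection-threshold change needs before it ships. Two nits on the new side: `if (n[2] <= 0)` on a uint16_t is simply `if (n[2] == 0)` and trips -Wtype-limits, and the return on new line 376 depends on `||` binding tighter than `?:`, so wrap the whole condition, `return ((n[1] <= 19 && n[0] > 1007 && n[1] > 15) || n[1] > 19) ? CL_VIRUS : CL_CLEAN;`, to make the intent visible. The enclosing cli_detect_swizz in the second hunk starts outside the hunk, so whether stats->total is wide enough for `2*stats->total` to never wrap could not be checked here.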