Browse code
Tweak swizzor threshold to fix some false positives.
Török Edvin authored on 2010/02/24 20:39:07Showing 1 changed files
| ... | ... |
@@ -358,12 +358,12 @@ static inline int swizz_j48(const uint16_t n[]) |
| 358 | 358 |
{
|
| 359 | 359 |
cli_dbgmsg("swizz_j48: %u, %u, %u\n",n[0],n[1],n[2]);
|
| 360 | 360 |
/* rules based on J48 tree */ |
| 361 |
- if (n[0] <= 945 || !n[1]) |
|
| 361 |
+ if (n[0] <= 961 || !n[1]) |
|
| 362 | 362 |
return 0; |
| 363 | 363 |
if (n[0] <= 1006) |
| 364 | 364 |
return (n[2] > 0 && n[2] <= 6); |
| 365 | 365 |
else |
| 366 |
- return n[1] <= 10; |
|
| 366 |
+ return n[1] <= 10 && n[2]; |
|
| 367 | 367 |
} |
| 368 | 368 |
|
| 369 | 369 |
void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob) |
| ... | ... |
@@ -429,7 +429,7 @@ void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_s |
| 429 | 429 |
ngram_cnts[i] = (v<<10)/all; |
| 430 | 430 |
} |
| 431 | 431 |
ret = swizz_j48(ngram_cnts) ? CL_VIRUS : CL_CLEAN; |
| 432 |
- if (!words) ret = CL_CLEAN; |
|
| 432 |
+ if (words < 3) ret = CL_CLEAN; |
|
| 433 | 433 |
cli_dbgmsg("cli_detect_swizz_str: %s, %u words\n", ret == CL_VIRUS ? "suspicious" : "ok", words);
|
| 434 | 434 |
if (ret == CL_VIRUS) {
|
| 435 | 435 |
stats->suspicious += j; |