php-malware-finder Rule $concat_with_spaces causes a lot of false positives

Rule $concat_with_spaces causes a lot of false positives

Open scottcwilson opened this issue 6 years ago • 3 comments

I wonder if there's a better way of doing this.

Jul 04 '19 15:07 scottcwilson

Feel free to issue a PR if you come up with a better solution :)

Jul 04 '19 20:07 jvoisin

Can you show me some true positives that this catches? I would need something to verify my work.

Jul 04 '19 20:07 scottcwilson

Something like "s". "y" ."st"."e"."m(". I guess, or $a.$b.$c.$d. $cd, or "sy" . $s . "em(" . $BinA_ry .")"

Jul 04 '19 20:07 jvoisin