Explain features: Deep & Heuristic mode #232
Replies: 4 comments 1 reply
-
Some signatures use "isDeepScan()" and "isHeuristicScan()" functions. It works if we use the checkboxes or flags.
-
Example: Detect-It-Easy/db/PE/ASM_Guard.2.sg, line 11 in 6cba6b3
-
Here's the way I've come to be using these... There are some files whose signature you just can't be sure about. And if the user chooses to HeuristicScan, you can see they want you to maybe be a bit more lenient in detection, in case the format has a good amount of outliers that don't strictly follow the expected format descriptions.

```javascript
if (File.isHeuristicScan() && File.compare("'MZ'"))
    _setResult("~executable", "MSDOS/Windows executable (.EXE)", "", "");
```

(where the starting tilde means you're not sure about this detection; DIE parses that)

In addition, isAggressiveScan() could allow you to have a clear conscience for even more, like you could unpack a custom LZX in the file and extract some details, all without the user having to launch the software. It would take much more CPU time, but is it worth it? The user says so!
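As an added illustration of the mode-dependent logic described in the comment above (not code from DiE, its signature database, or this thread): a small JavaScript harness that stands in for the objects a DiE signature script sees and runs a constructed signature under the normal, deep and heuristic modes. The `makeFile`, `sample` and `scan` helpers, the "DEMO-PACK" marker and the "DemoPack" name are invented for this example; only the `File.compare` / `isDeepScan` / `isHeuristicScan` / `_setResult` names follow the thread.

```javascript
// Constructed stand-in for what a DiE signature script sees: NOT DiE's engine.
// Only File.compare / readDword / findString and the scan-mode flags are modelled.
function makeFile(bytes, mode) {
  const dw = (o) => o + 4 <= bytes.length ? (bytes[o] | bytes[o+1] << 8 | bytes[o+2] << 16 | bytes[o+3] << 24) >>> 0 : -1;
  return {
    isDeepScan: () => mode === "deep",
    isHeuristicScan: () => mode === "heuristic",
    readDword: dw,
    findString: (s) => Buffer.from(bytes).indexOf(s, 0, "latin1"),
    // DiE-style signature string: 'text' literals, hex byte pairs, ".."/"??" wildcards
    compare(sig, off = 0) {
      const tokens = sig.match(/'[^']*'|[0-9A-Fa-f?.]{2}/g) || [];
      let pos = off;
      for (const t of tokens) {
        if (t.startsWith("'")) {
          for (const ch of t.slice(1, -1)) if (bytes[pos++] !== ch.charCodeAt(0)) return false;
        } else if (t === ".." || t === "??") pos++;
        else if (bytes[pos++] !== parseInt(t, 16)) return false;
      }
      return pos <= bytes.length;
    },
  };
}
// Detection logic in the style of a .sg script (constructed, not from the DiE database).
function detect(File) {
  const results = [];
  const _setResult = (sType, sName, sVersion, sOptions) => results.push(sType + ":" + sName);
  if (File.compare("'MZ'")) {
    const peOff = File.readDword(0x3c);
    if (peOff >= 0 && File.compare("'PE'0000", peOff)) {            // strict: real PE header
      _setResult("format", "PE", "", "");
      if (File.isDeepScan() && File.findString("DEMO-PACK") !== -1) // deep: whole-file search
        _setResult("packer", "DemoPack", "", "");
    } else if (File.isHeuristicScan()) {                            // lenient: tilde = uncertain
      _setResult("~executable", "MSDOS/Windows executable (.EXE)", "", "");
    }
  }
  return results;
}
// Constructed samples: minimal PE header, optional packer marker, or a bare MZ stub whose e_lfanew points past EOF.
function sample(kind) {
  const b = new Array(0x60).fill(0);
  b[0] = 0x4d; b[1] = 0x5a;                                         // 'MZ'
  if (kind === "mz-only") { b[0x3c] = 0xff; b[0x3d] = 0xff; return b; }
  b[0x3c] = 0x40; b[0x40] = 0x50; b[0x41] = 0x45;                   // e_lfanew -> 'PE\0\0'
  if (kind === "packed") [..."DEMO-PACK"].forEach((c, i) => { b[0x50 + i] = c.charCodeAt(0); });
  return b;
}
function scan(kind, mode) { return detect(makeFile(sample(kind), mode)); }
```

Running `scan("mz-only", "heuristic")` yields the tilde-prefixed result, while the same bytes in normal mode yield nothing; `scan("packed", "deep")` adds the packer result that normal mode skips.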
-
Source of DiE PE heuristic analyzer -> click
-
Are there any documentations about these features? I can't find any info on how they work. I'm just curious on the high level if signatures work differently or DIE scans somehow differently or what else?
Thank you! :)