Hello,
I'm receiving a warning message like this: "warning: $badstuff is slowing
down scanning". The rule is similar to:
rule Testing {
strings:
$badstuff = { 00 00 00 00 aa bb cc dd }
condition:
$badstuff at 0x8000
}
I do not think this would be a performance hit due to the positional
limitation. I see in atoms.c the positional modifiers are not accounted for
when considering the quality of an atom. But, does the detection engine
consider the at offset prior to scanning the whole file for $badstuff?
Thanks,
Harley
--
You received this message because you are subscribed to the Google Groups
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
