Difference between revisions of "Advanced file parameters"
m (→Description: type cashed/cached) |
(added information about comparators) |
||
Line 10: | Line 10: | ||
The field used for ''advanced file parameters'' can often also be used for [[Advanced build parameters|advanced build parameters]], check the actual [[SBI Commands|command]] for details. | The field used for ''advanced file parameters'' can often also be used for [[Advanced build parameters|advanced build parameters]], check the actual [[SBI Commands|command]] for details. | ||
+ | |||
+ | ==Comparators== | ||
+ | Standard operations usually consist of the form ''parametername=value'', comparing whether a property ''equals'' (=) a value. Each parameters details page also lists variants that sometimes do allow other comparisons, e.g. to check whether sometimes does ''not equal'' (!=), as well as ''greater or equal'' (>=) and ''lesser or equal'' (<=) comparisons. | ||
+ | |||
+ | While versions of [[advcheck.dll]] up to 1.5.2 did have these additional comparators available only where intentionally hardcoded, 1.6 brings a more flexible advanced parameters handling system that allows the ''not equal'' comparison for all parameters, and ''greater or equal'' and ''lesser or equal'' for all numeric parameters, even those prefixed by e.g. resource names as seen [[size(res)]]. | ||
==Examples== | ==Examples== |
Latest revision as of 18:18, 25 May 2008
Description
Advanced file parameters are parameters used in certain file-related commands to scan file contents. You usually specify a comma separated list of parameters which then gets combined in an optimized AND operation, from left to right, stopping when a condition does not match. This leads to a few useful things:
- Put easy tests in front, to avoid heavy cost tests executed when not necessary.
- Parameters to check the environment (regarding flow control) belong to the very beginning since they're cheapest.
- Basic attributes and cached operations (like file hashes) are usually quite cheap.
- Add heavy cost and active flow control parameters to the end.
- Add parameters to set the environment to the very end to have them set only when the file was identified by all previous parameters.
- Parameters for Binary anywhere matching are probably the most costly operations.
The field used for advanced file parameters can often also be used for advanced build parameters, check the actual command for details.
Comparators
Standard operations usually consist of the form parametername=value, comparing whether a property equals (=) a value. Each parameters details page also lists variants that sometimes do allow other comparisons, e.g. to check whether sometimes does not equal (!=), as well as greater or equal (>=) and lesser or equal (<=) comparisons.
While versions of advcheck.dll up to 1.5.2 did have these additional comparators available only where intentionally hardcoded, 1.6 brings a more flexible advanced parameters handling system that allows the not equal comparison for all parameters, and greater or equal and lesser or equal for all numeric parameters, even those prefixed by e.g. resource names as seen size(res).
Examples
filesize=10,md5=1234567890ABCDEFFEDCBA0987654321
As soon as spaces appear, you need to put quotes around that parameter:
filesize=10,"field[ver]=CompanyName|Malware Inc."
Keep in mind that in the bigger context of the parameter list of the actual command, you need to escape quotes by doubling them:
File:"Example","<$WINDIR>\Malware.exe","filesize=10,""field[ver]=CompanyName|Malware Inc."""