Difference between revisions of "Advanced file parameters"
Revision as of 17:16, 24 February 2008
Description
Advanced file parameters are parameters used in certain file-related commands to scan file contents. You usually specify a comma-separated list of parameters, which is then evaluated as an optimized AND operation from left to right, stopping at the first condition that does not match. This has a few practical consequences:
- Put cheap tests first, so that expensive tests are only executed when necessary.
  - Parameters that check the environment (flow control) belong at the very beginning, since they are the cheapest.
  - Basic attributes and cached operations (like file hashes) are usually quite cheap.
- Put expensive tests and active flow control parameters at the end.
  - Put parameters that set the environment at the very end, so that they take effect only when the file has been identified by all previous parameters.
- Parameters for Binary anywhere matching are probably the most costly operations.
The field used for advanced file parameters can often also be used for advanced build parameters; check the documentation of the individual command for details.
Examples
filesize=10,md5=1234567890ABCDEFFEDCBA0987654321
As soon as a value contains spaces, you need to put quotes around that parameter:
filesize=10,"field[ver]=CompanyName|Malware Inc."
Keep in mind that when this list is embedded in the parameter list of the actual command, you need to escape the quotes by doubling them:
File:"Example","<$WINDIR>\Malware.exe","filesize=10,""field[ver]=CompanyName|Malware Inc."""
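As an added example (not the product's own code), the following Python parser handles the syntax above: it splits a parameter list on unquoted commas, unescapes doubled quotes, and evaluates the list as the left-to-right short-circuit AND the description calls for. The check implementations, the `parse_file_command` helper and the sample file are assumptions made for the illustration.

```python
import hashlib

def split_quoted(text):
    """Split a comma-separated list where items may be double-quoted and a
    quote inside a quoted item is written as two quotes ("")."""
    items, buf, in_quotes, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if in_quotes and c == '"' and text[i + 1:i + 2] == '"':
            buf.append('"')              # doubled quote -> literal quote
            i += 1
        elif c == '"':
            in_quotes = not in_quotes    # opening or closing quote
        elif c == ',' and not in_quotes:
            items.append(''.join(buf))   # unquoted comma separates items
            buf = []
        else:
            buf.append(c)                # commas inside quotes are literal
        i += 1
    items.append(''.join(buf))
    return items

def parse_file_command(line):
    """'File:"name","path","params"' -> (name, path, advanced file parameters)."""
    head, _, rest = line.partition(':')
    if head != 'File':
        raise ValueError('not a File command: ' + line)
    name, path, spec = split_quoted(rest)
    return name, path, spec

# Hypothetical check implementations for three parameter names used on the page;
# a file is a dict holding its raw bytes and a version-info mapping.
CHECKS = {
    'filesize': lambda f, v: len(f['data']) == int(v),
    'md5': lambda f, v: hashlib.md5(f['data']).hexdigest().upper() == v.upper(),
    'field[ver]': lambda f, v: f['version'].get(v.partition('|')[0]) == v.partition('|')[2],
}

def matches(spec, sample):
    """Left-to-right AND that stops at the first failing parameter;
    returns (matched, number of checks actually executed)."""
    executed = 0
    for param in split_quoted(spec):
        name, _, value = param.partition('=')
        executed += 1
        if not CHECKS[name](sample, value):
            return False, executed
    return True, executed

# Constructed sample file: 10 bytes with a CompanyName version field.
SAMPLE = {'data': b'0123456789', 'version': {'CompanyName': 'Malware Inc.'}}
```

The second return value of `matches` makes the cost ordering visible: when the cheap `filesize` test fails, the hash is never computed.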