Advanced file parameters

From SpybotWiki

Description

Advanced file parameters are parameters used in certain file-related commands to scan file contents. You usually specify a comma-separated list of parameters, which is then combined in an optimized AND operation, evaluated from left to right and stopping as soon as a condition does not match. This has a few practical consequences:

  1. Put cheap tests first, so that expensive tests are not executed when they are not needed.
    • Parameters that check the environment (for flow control) belong at the very beginning, since they are the cheapest.
    • Basic attributes and cached operations (like file hashes) are usually quite cheap.
  2. Put expensive parameters and active flow control parameters at the end.
    • Put parameters that set the environment at the very end, so that they are set only when the file has been identified by all previous parameters.
    • Parameters for Binary anywhere matching are probably the most costly operations.

The field used for advanced file parameters can often also be used for advanced build parameters; check the actual command for details.

Comparators

Standard operations usually take the form parametername=value, testing whether a property equals (=) a value. Each parameter's details page also lists variants that sometimes allow other comparisons, e.g. to check whether something does not equal (!=) a value, as well as greater or equal (>=) and lesser or equal (<=) comparisons.

While versions of advcheck.dll up to 1.5.2 had these additional comparators available only where intentionally hardcoded, 1.6 brings a more flexible advanced parameter handling system that allows the not equal comparison for all parameters, and greater or equal and lesser or equal for all numeric parameters, even those prefixed by e.g. resource names, as seen in size(res).

Examples

filesize=10,md5=1234567890ABCDEFFEDCBA0987654321

As soon as spaces appear, you need to put quotes around that parameter:

filesize=10,"field[ver]=CompanyName|Malware Inc."

Keep in mind that in the bigger context of the parameter list of the actual command, you need to escape quotes by doubling them:

File:"Example","<$WINDIR>\Malware.exe","filesize=10,""field[ver]=CompanyName|Malware Inc."""
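
The quoting, comparator and left-to-right rules described above can be checked with a small model. This is an added example, not Spybot's or advcheck.dll's own code: the function names, the lazy property getters and the treatment of values as opaque strings are assumptions made for illustration.

```python
import operator
import re

OPS = {"=": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le}
COND = re.compile(r"(?P<name>[^=!<>]+)(?P<op>!=|>=|<=|=)(?P<value>.*)", re.S)

def split_quoted(text):
    """Split on commas outside double quotes; a doubled quote inside quotes is literal."""
    fields, cur, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"' and in_quotes and text[i + 1:i + 2] == '"':
            cur.append('"')
            i += 1                      # skip the second quote of the pair
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote")
    return fields + ["".join(cur)]

def parse_conditions(field):
    """Turn one advanced-parameter field into (name, comparator, value) tuples."""
    conds = []
    for raw in split_quoted(field):
        m = COND.fullmatch(raw)
        if m is None:
            raise ValueError(f"no comparator in {raw!r}")
        conds.append((m["name"], m["op"], m["value"]))
    return conds

def evaluate(conds, getters):
    """AND left to right, stop at the first mismatch; returns (matched, names tested)."""
    tested = []
    for name, op, value in conds:
        tested.append(name)
        actual = getters[name]()        # property is only computed when reached
        if op in (">=", "<="):
            actual, value = int(actual), int(value)
        if not OPS[op](actual, value):
            return False, tested
    return True, tested

# Constructed sample: arguments of the page's File: example. Parsing rules are assumed.
ARGS = r'"Example","<$WINDIR>\Malware.exe","filesize=10,""field[ver]=CompanyName|Malware Inc."""'
```

Splitting ARGS once yields the three command arguments with the doubled quotes collapsed; splitting the third argument again yields the individual conditions, and evaluate shows that a failing cheap test in front keeps later getters from being called.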