\x09-\x0d are no-rintable chars, but aren't malicious.

This close #44, thanks to @DrTyrell for spotting this issue ♥
author: jvoisin 2016-12-30 13:50:11 +0100
committer: jvoisin 2016-12-30 13:50:11 +0100
commit: be0b64f9bc936c459a6b32e76c6365bc54591b81 (patch)
tree: fad565c6b9532411a28215cb2141b34fbb360fff
parent: 61cd78ef5e973173529b6b7a8084e74e66042904 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index c3e115a..9b7cf2d 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -41,7 +41,7 @@ rule NonPrintableChars
                so we have to use atoms (https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7)
                to get an acceptable speed.
                */
-                $non_printables = /(function|return|base64_decode).{,256}[^\x20-\x7E]{3}/
+                $non_printables = /(function|return|base64_decode).{,256}[^\x09-\x0d\x20-\x7E]{3}/
        condition:
        (any of them) and not IsWhitelisted
author	jvoisin	2016-12-30 13:50:11 +0100
committer	jvoisin	2016-12-30 13:50:11 +0100
commit	be0b64f9bc936c459a6b32e76c6365bc54591b81 (patch)
tree	fad565c6b9532411a28215cb2141b34fbb360fff
parent	61cd78ef5e973173529b6b7a8084e74e66042904 (diff)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index c3e115a..9b7cf2d 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -41,7 +41,7 @@ rule NonPrintableChars
41	so we have to use atoms (https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7)	41	so we have to use atoms (https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7)
42	to get an acceptable speed.	42	to get an acceptable speed.
43	*/	43	*/
44	$non_printables = /(function\|return\|base64_decode).{,256}[^\x20-\x7E]{3}/	44	$non_printables = /(function\|return\|base64_decode).{,256}[^\x09-\x0d\x20-\x7E]{3}/
45		45
46	condition:	46	condition:
47	(any of them) and not IsWhitelisted	47	(any of them) and not IsWhitelisted