From 1cd54c4f41ccea0c48b3c79d1edc9024fd2f011e Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Mon, 22 Feb 2016 11:55:31 +0100
Subject: Remove a rule that triggered too many FP

It seems that a lot of php developers are using $__ as a legitimate variable name.
---
 php-malware-finder/malwares.yara | 1 -
 1 file changed, 1 deletion(-)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 1a4b940..1fa5c22 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -119,7 +119,6 @@ rule DodgyPhp
 $udp_dos = /sockopen\s*\(['"]udp:\/\//
 $user_function = /(call_user_func|create_function)/
 $various = "