From a8a09469f5c7b62431ba5c205ec108d6a341e530 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Fri, 8 Jul 2016 19:58:30 +0200 Subject: Explain why PMF rocks in the README --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'README.md') diff --git a/README.md b/README.md index 77e9357..3371ca7 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,11 @@ Detection is performed by crawling the filesystem and testing files against a [set](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/php.yar) of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple! +Instead of using an *hash-based* approach, +PMF tries as much as possible to use semantic patterns, to detect things like +"a `$_GET` variable is decoded two times, unziped, +and then passed to some dangerous function like `system`". + ## How to use it? @@ -86,6 +91,16 @@ Check the [whitelist.yar](https://github.com/nbs-system/php-malware-finder/blob/ If you're lazy, you can generate whitelists for entire folders with the [generate_whitelist.py](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/generate_whitelist.py) script. +## Why should I use it instead of something else? +Because: +- It doesn't use [a single rule per sample]( + https://github.com/Neo23x0/signature-base/blob/e264d66a8ea3be93db8482ab3d639a2ed3e9c949/yara/thor-webshells.yar + ), since it only cares about finding malicious patterns, not specific webshells +- Its whitelist system doesn't rely on filenames +- It doesn't rely on (slow) entropy calculation +- It uses a ghetto-style static analysis, instead of relying on file hashes +- Thanks to the aforementioned pseudo-static analysis, it works on obfuscated files too + ## Licensing PHP-malware-finder is [licensed](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/LICENSE) under the GNU General Public License v3. -- cgit v1.3
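Review bot: The new paragraph in the first hunk (after "Yes, it's that simple!") has two wording errors: "an *hash-based* approach" should read "a *hash-based* approach", and "unziped" should be "unzipped" ("decoded two times" would also read better as "decoded twice"). Since the paragraph sells pattern matching over hashing, it is also worth one sentence on the trade-off that comes with it: a semantic pattern such as "a `$_GET` variable is decoded, unzipped and passed to `system`" will also fire on legitimate code that does the same thing, which is exactly why the whitelist mechanism described further down in this README exists; pointing the reader there from this paragraph would make the detection model and its false-positive handling easier to understand together.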
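Review bot: In the second hunk the first bullet splits its link across three lines ("[a single rule per sample](", then the URL on its own indented line, then ")"); Markdown link destinations cannot contain line breaks, so most renderers will show the raw brackets and URL instead of a link. Put the whole `[text](url)` on one line, e.g. `- It doesn't use [a single rule per sample](https://github.com/Neo23x0/signature-base/blob/e264d66a8ea3be93db8482ab3d639a2ed3e9c949/yara/thor-webshells.yar), since it only cares about finding malicious patterns, not specific webshells`. Two smaller points in the same list: "ghetto-style static analysis" would read better as "lightweight static analysis" (the next bullet already calls it "pseudo-static analysis", so the two terms should match), and "it works on obfuscated files too" is an absolute claim that the rule set cannot fully back; "it can catch obfuscated files whose decoding chain matches the patterns" states what the YARA rules actually do without overpromising.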