Tighten PE heuristic thresholds

Reduce the allowed NumberOfSections upper bound from 96 to 48 to tighten PE header validation and reduce false positives. Increase the targeted resource payload threshold from 0x300 (768 bytes) to 0x1000 (4096 bytes) so the heuristic focuses on larger payloads; the accompanying comment was updated to match. Changes made in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg.
DosX 2026-06-18 09:23:28 +03:00
commit 123c8e1eb3


@ -7835,7 +7835,7 @@ function scanForMaliciousCode_NET_and_Native() {
// 3. Verify NumberOfSections (IMAGE_FILE_HEADER)
// Offset 0x06 from PE signature
var numSections = getDecrypted(peHeaderOffset + 0x06) | (getDecrypted(peHeaderOffset + 0x07) << 8);
if (numSections === 0 || numSections > 96) return false;
if (numSections === 0 || numSections > 48) return false;
// 4. Verify Characteristics (IMAGE_FILE_HEADER)
// Offset 0x16 from PE signature. 0x0002 is IMAGE_FILE_EXECUTABLE_IMAGE
@ -7853,8 +7853,8 @@ function scanForMaliciousCode_NET_and_Native() {
var resourceOffset = PE.getResourceOffsetByNumber(i),
resourceSize = PE.getResourceSizeByNumber(i);
// Target actual payloads (> 768 bytes) and skip bitmaps
if (resourceOffset > 0 && resourceSize > 0x300 && !PE.compare("28 00 00 00 ?? ?? 00 00 ?? ?? 00 00 01 00 ?? 00", resourceOffset)) {
// Target actual payloads (> 4 KB) and skip bitmaps
if (resourceOffset > 0 && resourceSize > 0x1000 && !PE.compare("28 00 00 00 ?? ?? 00 00 ?? ?? 00 00 01 00 ?? 00", resourceOffset)) {
var maxScanSize = Math.min(resourceSize, 0x2000),
hexSignature = PE.getSignature(resourceOffset, maxScanSize),