Increase default section scan size to 0x3000

Adjust the maxScanSize calculation in scanForMaliciousCode_NET_and_Native so non-.rdata PE sections are scanned up to 0x3000 bytes (was 0x2500). .rdata sections remain capped at 0x6000. This expands the scan window to improve detection coverage for larger sections.
2026-06-24 01:54:08 +00:00 · 2026-06-18 18:29:01 +03:00 · 2026-06-18 18:29:01 +03:00 · 85f36dee0a
commit 85f36dee0a
parent 4c582a4ef1
1 changed files with 1 additions and 1 deletions
--- a/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
+++ b/db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg
@ -7945,7 +7945,7 @@ function scanForMaliciousCode_NET_and_Native() {
            }

            if (sectionOffset > 0 && sectionSize > 0x2500) {
-                var maxScanSize = Math.min(sectionSize, PE.section[i].Name.match(/^\.(?:r)?data$/i) ? 0x6000 : 0x2500),
+                var maxScanSize = Math.min(sectionSize, PE.section[i].Name.match(/^\.(?:r)?data$/i) ? 0x6000 : 0x3000),
                    dataBuffer = getDecodedBuffer(sectionOffset, maxScanSize);

                if (scanBuffer(dataBuffer, maxScanSize, sectionOffset)) isEncPePresent = true;