
  1. <?xml version="1.0"?>
  2. <PRULES>
  3.     <PRULE>
  4.         <RULE>
  5.             <NAME>The file contains suspicous characteristics in its structure </NAME>
  6.             <Desc>Rule_Fake_Entry_Point  </Desc>
  7.             <ID>0</ID>
  8.         </RULE>
  9.         <RISK>80</RISK>
  10.         <PRULEFACTORS>
  11.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  12.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  13.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  14.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  15.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  16.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  17.         </PRULEFACTORS>
  18.     </PRULE>
  19.     <PRULE>
  20.         <RULE>
  21.             <NAME>The file contains suspicous characteristics in its structure </NAME>    
  22.             <Desc> Rule_Writable_Sections</Desc>
  23.             <ID>1</ID>
  24.         </RULE>
  25.         <RISK>40</RISK>
  26.         <PRULEFACTORS>
  27.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  28.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  29.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE>
  30.             </PRULEFACTOR>
  31.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  32.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  33.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  34.         </PRULEFACTORS>
  35.     </PRULE>
  36.     <PRULE>
  37.         <RULE>
  38.             <NAME>The file contains suspicous characteristics in its structure </NAME>
  39.             <Desc> Too many Rule_Executable_Sections</Desc>
  40.             <ID>2</ID>
  41.         </RULE>
  42.         <RISK>60</RISK>
  43.         <PRULEFACTORS>
  44.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  45.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  46.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE>
  47.             </PRULEFACTOR>
  48.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  49.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  50.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  51.         </PRULEFACTORS>
  52.     </PRULE>
  53.     <PRULE>
  54.         <RULE>
  55.             <NAME>The file contains suspicous characteristics in its structure </NAME>
  56.             <Desc>diffrences between virtual ans phisical sizes of sections</Desc>
  57.             <ID>3</ID>
  58.         </RULE>
  59.         <RISK>60</RISK>
  60.         <PRULEFACTORS>
  61.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  62.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  63.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE>
  64.             </PRULEFACTOR>
  65.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  66.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  67.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  68.         </PRULEFACTORS>
  69.     </PRULE>
  70.     <PRULE>
  71.         <RULE>
  72.             <NAME>The file might be encrypted </NAME>
  73.             <ID>4</ID>
  74.         </RULE>
  75.         <RULE>
  76.             <NAME></NAME>
  77.             <ID>5</ID>
  78.             <VALUE>0</VALUE>
  79.         </RULE>
  80.         <RISK>60</RISK>
  81.         <PRULEFACTORS>
  82.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  83.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  84.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  85.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  86.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  87.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  88.         </PRULEFACTORS>
  89.     </PRULE>
  90.     <PRULE>
  91.         <RULE>
  92.             <NAME>The file is compressed/encrypted by known engine </NAME>
  93.             <ID>5</ID>
  94.         </RULE>
  95.         <RISK>40</RISK>
  96.         <PRULEFACTORS>
  97.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  98.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  99.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  100.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  101.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  102.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  103.         </PRULEFACTORS>
  104.     </PRULE>
  105.     <PRULE>
  106.         <RULE>
  107.             <NAME>The file contains suspicious code flow</NAME>
  108.             <ID>6</ID>
  109.         </RULE>
  110.         <RISK>40</RISK>
  111.         <PRULEFACTORS>
  112.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  113.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  114.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  115.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  116.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  117.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  118.         </PRULEFACTORS>
  119.     </PRULE>
  120.     <PRULE>
  121.         <RULE>
  122.             <NAME>The file might casue itself or other program to run after windows restart</NAME>
  123.             <ID>7</ID>
  124.         </RULE>
  125.         <RISK>70</RISK>
  126.         <PRULEFACTORS>
  127.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  128.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  129.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>40</VALUE></PRULEFACTOR>
  130.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  131.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  132.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>20</VALUE></PRULEFACTOR>
  133.         </PRULEFACTORS></PRULE>
  134.     <PRULE>
  135.         <RULE>
  136.             <NAME>The file might manipulate Anti Virus programs</NAME>
  137.             <ID>8</ID>
  138.         </RULE>
  139.         <RISK>50</RISK>
  140.         <PRULEFACTORS>
  141.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  142.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  143.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  144.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  145.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  146.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  147.         </PRULEFACTORS>
  148.     </PRULE>
  149.     <PRULE>
  150.         <RULE>
  151.             <NAME>The file might try to use Internet Explorer </NAME>
  152.             <DESC> Sequence of bytes of internet explorer clsid were detected</DESC>
  153.             <ID>9</ID>
  154.         </RULE>
  155.         <RULE>
  156.             <NAME></NAME>
  157.             <DESC> COM_FUNCTIONS are used in the code</DESC>
  158.             <ID>13</ID>
  159.         </RULE>
  160.         <RISK>0</RISK>
  161.         <PRULEFACTORS>
  162.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  163.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  164.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  165.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  166.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  167.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  168.         </PRULEFACTORS>
  169.     </PRULE>
  170.     <PRULE>
  171.         <RULE>
  172.             <NAME>Anti Debug functions or libraries were detected in code</NAME>
  173.             <ID>10</ID>
  174.         </RULE>
  175.         <RISK>15</RISK>
  176.         <PRULEFACTORS>
  177.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  178.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  179.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  180.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  181.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  182.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  183.         </PRULEFACTORS>
  184.     </PRULE>
  185.     <PRULE>
  186.         <RULE>
  187.             <NAME>The file is encrypted </NAME>
  188.             <Desc> There are no refernces to the IAT functions in the code (probably due to encryption) </Desc>
  189.             <ID>11</ID>
  190.         </RULE>
  191.         <RISK>50</RISK>
  192.         <PRULEFACTORS>
  193.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  194.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  195.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE>
  196.             </PRULEFACTOR>
  197.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  198.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  199.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  200.         </PRULEFACTORS>
  201.     </PRULE>
  202.     <PRULE>
  203.         <RULE>
  204.             <NAME>The file is using VB Runtime</NAME>
  205.             <ID>12</ID>
  206.         </RULE>
  207.         <RISK>0</RISK>
  208.         <PRULEFACTORS>
  209.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  210.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>0</VALUE></PRULEFACTOR>
  211.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>0</VALUE></PRULEFACTOR>
  212.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>0</VALUE></PRULEFACTOR>
  213.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>0</VALUE></PRULEFACTOR>
  214.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>0</VALUE></PRULEFACTOR>
  215.         </PRULEFACTORS>
  216.     </PRULE>
  217.     <PRULE>
  218.         <RULE>
  219.             <NAME>The file does not contain any information on the file creator </NAME><VALUE>0</VALUE>
  220.             <ID>17</ID>
  221.         </RULE>
  222.         <RULE>
  223.             <NAME> And the file extension indicate a win32 executable file </NAME>
  224.             <ID>35</ID>
  225.         </RULE>
  226.         <RISK>20</RISK>
  227.         <PRULEFACTORS>
  228.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  229.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  230.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>50</VALUE>    </PRULEFACTOR>
  231.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  232.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  233.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  234.         </PRULEFACTORS>
  235.     </PRULE>
  236.     <PRULE>
  237.         <RULE><NAME>The file extension indicating a screen saver</NAME>
  238.             <ID>14</ID>
  239.         </RULE>
  240.         <RULE><NAME> And The file is not using the graphic library</NAME><VALUE>0</VALUE>
  241.             <ID>32</ID>
  242.         </RULE>
  243.         <RISK>80</RISK>
  244.         <PRULEFACTORS>
  245.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  246.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  247.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  248.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  249.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  250.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  251.         </PRULEFACTORS>
  252.     </PRULE>
  253.     <PRULE>
  254.         <RULE><NAME>The file is using only basic functions (No User interface)</NAME>
  255.             <ID>33</ID>
  256.             <VALUE>0</VALUE>
  257.         </RULE>
  258.         <RULE><NAME> And The file is not library file</NAME>
  259.             <ID>48</ID>
  260.             <VALUE>0</VALUE>
  261.         </RULE>
  262.         
  263.         <RISK>50</RISK>
  264.         <PRULEFACTORS>
  265.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  266.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  267.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  268.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  269.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  270.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  271.         </PRULEFACTORS>
  272.     </PRULE>
  273.     <PRULE>
  274.         <RULE><NAME>The file includes hiding 'crashes' functions </NAME>
  275.             <ID>34</ID>
  276.         </RULE>
  277.         <RULE><NAME> And The file does not contain normal Windows functions</NAME>
  278.             <ID>28</ID>
  279.             <VALUE>0</VALUE>
  280.         </RULE>
  281.         <RULE><NAME> And The file does not contain Display functions</NAME>
  282.             <ID>29</ID>
  283.             <VALUE>0</VALUE>
  284.         </RULE>
  285.         <RULE><NAME> And The file is not library file</NAME>
  286.             <ID>48</ID>
  287.             <VALUE>0</VALUE>
  288.         </RULE>
  289.         <RISK>40</RISK>
  290.         <PRULEFACTORS>
  291.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  292.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  293.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  294.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  295.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  296.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>30</VALUE></PRULEFACTOR>
  297.         </PRULEFACTORS>
  298.     </PRULE>
  299.  
  300.     <PRULE>
  301.         <RULE><NAME>The file contains functions for changing or creating files</NAME>
  302.             <ID>-19</ID>
  303.         </RULE>
  304.         <RULE><NAME> And The file does not contain normal Windows functions</NAME>
  305.             <ID>28</ID>
  306.             <VALUE>0</VALUE>
  307.         </RULE>
  308.         <RULE><NAME> And The file does not contain Display functions</NAME>
  309.             <ID>29</ID>
  310.             <VALUE>0</VALUE>
  311.         </RULE>
  312.         <RULE><NAME> And The file is not library file</NAME>
  313.             <ID>48</ID>
  314.             <VALUE>0</VALUE>
  315.         </RULE>
  316.         
  317.         <RISK>40</RISK>
  318.         <PRULEFACTORS>
  319.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  320.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  321.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  322.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  323.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  324.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>30</VALUE></PRULEFACTOR>
  325.         </PRULEFACTORS>
  326.     </PRULE>
  327.     <PRULE>
  328.         <RULE><NAME>The file contains functions for changing or creating files</NAME>
  329.             <ID>-19</ID>
  330.         </RULE>
  331.         <RULE><NAME> And The file might manipulate outlook express files</NAME>
  332.             <ID>40</ID>
  333.         </RULE>
  334.         <RISK>40</RISK>
  335.         <PRULEFACTORS>
  336.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  337.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  338.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  339.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  340.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  341.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>30</VALUE></PRULEFACTOR>
  342.         </PRULEFACTORS>
  343.     </PRULE>
  344.     <PRULE>
  345.         <RULE><NAME>The file contains functions for changing or creating files</NAME>
  346.             <ID>-19</ID>
  347.         </RULE>
  348.         <RISK>20</RISK>
  349.         <PRULEFACTORS>
  350.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  351.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  352.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  353.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  354.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>50</VALUE></PRULEFACTOR>
  355.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>30</VALUE></PRULEFACTOR>
  356.         </PRULEFACTORS>
  357.     </PRULE>
  358.     <PRULE>
  359.         <RULE><NAME>The file includes functions for accessing email</NAME>
  360.             <ID>38</ID>
  361.         </RULE>
  362.         <RISK>50</RISK>
  363.         <PRULEFACTORS>
  364.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  365.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  366.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  367.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  368.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  369.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>40</VALUE></PRULEFACTOR>
  370.         </PRULEFACTORS>
  371.     </PRULE>
  372.     <PRULE>
  373.         <RULE><NAME>The file includes functions for accessing email</NAME>
  374.             <ID>37</ID>
  375.         </RULE>
  376.         <RISK>40</RISK>
  377.         <PRULEFACTORS>
  378.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  379.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  380.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  381.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  382.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  383.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>40</VALUE></PRULEFACTOR>
  384.         </PRULEFACTORS>
  385.     </PRULE>
  386.     <PRULE>
  387.         <RULE><NAME>The file includes identifiers of objects for accessing email</NAME>
  388.             <ID>36</ID>
  389.         </RULE>
  390.         <RISK>40</RISK>
  391.         <PRULEFACTORS>
  392.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  393.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  394.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  395.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  396.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  397.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>40</VALUE></PRULEFACTOR>
  398.         </PRULEFACTORS>
  399.     </PRULE>
  400.     <PRULE>
  401.         <RULE><NAME>The file includes evidence indicating possible access to address book</NAME>
  402.             <ID>39</ID>
  403.         </RULE>
  404.         <RISK>40</RISK>
  405.         <PRULEFACTORS>
  406.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  407.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  408.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  409.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  410.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  411.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>40</VALUE></PRULEFACTOR>
  412.         </PRULEFACTORS>
  413.     </PRULE>
  414.     <PRULE>
  415.         <RULE><NAME> The file includes data related to internet accounts information(email,web)</NAME>
  416.             <ID>41</ID>
  417.         </RULE>
  418.         <RISK>40</RISK>
  419.         <PRULEFACTORS>
  420.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  421.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  422.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  423.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  424.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  425.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>40</VALUE></PRULEFACTOR>
  426.         </PRULEFACTORS>
  427.     </PRULE>
  428.     <PRULE>
  429.         <RULE><NAME>The file contains network functions</NAME>
  430.             <ID>25</ID>
  431.         </RULE>
  432.         <RISK>30</RISK>
  433.         <PRULEFACTORS>
  434.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  435.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  436.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  437.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  438.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  439.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>40</VALUE></PRULEFACTOR>
  440.         </PRULEFACTORS>
  441.     </PRULE>
  442.     <PRULE>
  443.         <RULE><NAME>The file contains functions for accessing and changing the registry </NAME>
  444.             <ID>-21</ID>
  445.         </RULE>
  446.         <RISK>30</RISK>
  447.         <PRULEFACTORS>
  448.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  449.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  450.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  451.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  452.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  453.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>40</VALUE></PRULEFACTOR>
  454.         </PRULEFACTORS>
  455.     </PRULE>
  456.     <PRULE>
  457.         <RULE><NAME>The file contains functions for mapping others files to memory </NAME>
  458.             <ID>42</ID>
  459.         </RULE>
  460.         <RISK>30</RISK>
  461.         <PRULEFACTORS>
  462.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  463.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  464.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  465.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  466.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>60</VALUE></PRULEFACTOR>
  467.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>40</VALUE></PRULEFACTOR>
  468.         </PRULEFACTORS>
  469.     </PRULE>
  470.     <PRULE>
  471.         <RULE><NAME>The file has suspicous rate between malicious and innocent functions</NAME>
  472.             <ID>43</ID>
  473.         </RULE>
  474.         <RISK>40</RISK>
  475.         <PRULEFACTORS>
  476.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  477.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>90</VALUE></PRULEFACTOR>
  478.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  479.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>90</VALUE></PRULEFACTOR>
  480.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>90</VALUE></PRULEFACTOR>
  481.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  482.         </PRULEFACTORS>
  483.     </PRULE>
  484.     <PRULE>
  485.         <RULE><NAME>The file contains internet addresses data</NAME>
  486.             <ID>44</ID>
  487.         </RULE>
  488.         <RISK>30</RISK>
  489.         <PRULEFACTORS>
  490.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  491.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>90</VALUE></PRULEFACTOR>
  492.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  493.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>90</VALUE></PRULEFACTOR>
  494.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>90</VALUE></PRULEFACTOR>
  495.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>70</VALUE></PRULEFACTOR>
  496.         </PRULEFACTORS>
  497.     </PRULE>
  498.     <PRULE>
  499.         <RULE><NAME></NAME>
  500.             <ID>16</ID>
  501.         </RULE>
  502.         <RISK>-50</RISK>
  503.         <PRULEFACTORS>
  504.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>40</VALUE></PRULEFACTOR>
  505.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>80</VALUE></PRULEFACTOR>
  506.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  507.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  508.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  509.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  510.         </PRULEFACTORS>
  511.     </PRULE>
  512.     <PRULE>
  513.         <RULE><NAME></NAME>
  514.             <ID>16</ID>
  515.         </RULE>
  516.         <RULE><NAME></NAME>
  517.             <ID>45</ID>
  518.         </RULE>
  519.         <RISK>-4000</RISK>
  520.         <PRULEFACTORS>
  521.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  522.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  523.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  524.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  525.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  526.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  527.         </PRULEFACTORS>
  528.     </PRULE>
  529.     <PRULE>
  530.         <RULE><NAME>The file is very similar to a known malicious application</NAME>
  531.             <ID>46</ID>
  532.             
  533.         </RULE>
  534.         <RISK>0</RISK>
  535.         <TOTALRISK>95</TOTALRISK>
  536.         <PRULEFACTORS>
  537.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  538.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  539.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  540.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  541.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  542.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  543.         </PRULEFACTORS>
  544.     </PRULE>
  545.     <PRULE>
  546.         <RULE><NAME>The file is very similar to a known application</NAME>
  547.             <ID>47</ID>
  548.         </RULE>
  549.         <RISK>0</RISK>
  550.         <TOTALRISK>10</TOTALRISK>
  551.         <PRULEFACTORS>
  552.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  553.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  554.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  555.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  556.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  557.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  558.         </PRULEFACTORS>
  559.     </PRULE>
  560.     <PRULE>
  561.         <RULE><NAME>The file is an antivirus test file</NAME>
  562.             <ID>49</ID>
  563.         </RULE>
  564.         <RISK>0</RISK>
  565.         <TOTALRISK>0</TOTALRISK>
  566.         <PRULEFACTORS>
  567.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  568.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  569.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  570.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  571.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  572.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  573.         </PRULEFACTORS>
  574.     </PRULE>
  575.     <PRULE>
  576.         
  577.         <RULE><NAME>The file is a library file</NAME>
  578.             <ID>48</ID>
  579.         </RULE>
  580.         <RISK>-900</RISK>
  581.         <PRULEFACTORS>
  582.             <PRULEFACTOR><CONTEXT>MAIL</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  583.             <PRULEFACTOR><CONTEXT>WEB</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  584.             <PRULEFACTOR><CONTEXT>LOCAL_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  585.             <PRULEFACTOR><CONTEXT>LOCAL_NETWORK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  586.             <PRULEFACTOR><CONTEXT>FLOPPY_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  587.             <PRULEFACTOR><CONTEXT>CD_DISK</CONTEXT><VALUE>100</VALUE></PRULEFACTOR>
  588.         </PRULEFACTORS>
  589.     </PRULE>
  590. </PRULES>
  591.