@@ -25,7 +25,8 @@ import (
2525const NAME string = "malcontent"
2626
2727const (
28- HARMLESS int = iota
28+ INVALID int = iota + - 1
29+ HARMLESS
2930 LOW
3031 MEDIUM
3132 HIGH
@@ -34,11 +35,12 @@ const (
3435
3536// Map to handle RiskScore -> RiskLevel conversions.
3637var RiskLevels = map [int ]string {
37- 0 : "NONE" , // harmless: common to all executables, no system impact
38- 1 : "LOW" , // undefined: low impact, common to good and bad executables
39- 2 : "MEDIUM" , // notable: may have impact, but common
40- 3 : "HIGH" , // suspicious: uncommon, but could be legit
41- 4 : "CRITICAL" , // critical: certainly malware
38+ INVALID : "NONE" , // inalid: unmodified initial value which should not happen
39+ HARMLESS : "NONE" , // harmless: common to all executables, no system impact
40+ LOW : "LOW" , // undefined: low impact, common to good and bad executables
41+ MEDIUM : "MEDIUM" , // notable: may have impact, but common
42+ HIGH : "HIGH" , // suspicious: uncommon, but could be legit
43+ CRITICAL : "CRITICAL" , // critical: certainly malware
4244}
4345
4446// yaraForge has some very, very long rule names.
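Review bot: The new `INVALID : "NONE"` entry in the RiskLevels map gives the never-set score the same label as HARMLESS, so a match whose risk was never assigned becomes indistinguishable from a deliberately harmless one wherever a score is rendered through this map (before this change a -1 lookup returned the empty string, which at least stood out). Since the comment itself says this value "should not happen", a distinct label such as `INVALID : "INVALID"` would keep an unscored match visible instead of quietly placing it in the lowest tier; the comment also has a typo and would read better as `// invalid: unmodified initial value, which should not happen`. How RiskLevels is consumed lies outside this hunk, so the output impact is inferred rather than verified. Separately, in the const block above, `INVALID int = iota - 1` reads more plainly than `iota + - 1` and yields the same value.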
@@ -88,17 +90,17 @@ var (
8890
8991// Map to handle RiskLevel -> RiskScore conversions.
9092var Levels = map [string ]int {
91- "ignore" : - 1 ,
92- "none" : - 1 ,
93- "harmless" : 0 ,
94- "low" : 1 ,
95- "notable" : 2 ,
96- "medium" : 2 ,
97- "suspicious" : 3 ,
98- "weird" : 3 ,
99- "high" : 3 ,
100- "crit" : 4 ,
101- "critical" : 4 ,
93+ "ignore" : INVALID ,
94+ "none" : INVALID ,
95+ "harmless" : HARMLESS ,
96+ "low" : LOW ,
97+ "notable" : MEDIUM ,
98+ "medium" : MEDIUM ,
99+ "suspicious" : HIGH ,
100+ "weird" : HIGH ,
101+ "high" : HIGH ,
102+ "crit" : CRITICAL ,
103+ "critical" : CRITICAL ,
102104}
103105
104106func thirdPartyKey (path string , rule string ) string {
@@ -203,29 +205,29 @@ func ignoreMatch(tags []string, ignoreTags map[string]bool) bool {
203205}
204206
205207func behaviorRisk (ns string , rule string , tags []string ) int {
206- risk := 1
208+ risk := LOW
207209
208210 if thirdParty (ns ) {
209- risk = 3
211+ risk = HIGH
210212 src := strings .Split (ns , "/" )[1 ]
211213
212214 switch src {
213215 case "JPCERT" , "YARAForge" , "bartblaze" , "huntress" , "elastic" :
214- risk = 4
216+ risk = CRITICAL
215217 if strings .Contains (strings .ToLower (ns ), "generic" ) ||
216218 strings .Contains (strings .ToLower (rule ), "generic" ) {
217- risk = 3
219+ risk = HIGH
218220 }
219221 }
220222
221223 if strings .Contains (strings .ToLower (ns ), "keyword" ) ||
222224 strings .Contains (strings .ToLower (rule ), "keyword" ) {
223- risk = 2
225+ risk = MEDIUM
224226 }
225227 }
226228
227229 if strings .Contains (ns , "combo/" ) {
228- risk = 2
230+ risk = MEDIUM
229231 }
230232
231233 for _ , tag := range tags {
@@ -380,7 +382,7 @@ func fileMatchesRule(meta []yarax.Metadata, ext string) bool {
380382// skipMatch determines whether to avoid processing a rule match.
381383func skipMatch (ignoreMalcontent , override , scan bool , risk , threshold , highestRisk int ) bool {
382384 switch {
383- case risk == - 1 :
385+ case risk == INVALID :
384386 return true
385387 // The malcontent rule is classified as harmless
386388 // A !ignoreMalcontent condition will prevent the rule from being filtered
@@ -737,10 +739,10 @@ func updateBehavior(fr *malcontent.FileReport, b *malcontent.Behavior, key strin
737739
738740// upgradeRisk determines whether to upgrade risk based on finding density.
739741func upgradeRisk (ctx context.Context , riskScore int , riskCounts map [int ]int , size int64 ) bool {
740- if riskScore != 3 {
742+ if riskScore != HIGH {
741743 return false
742744 }
743- highCount := riskCounts [3 ]
745+ highCount := riskCounts [HIGH ]
744746 sizeMB := size / 1024 / 1024
745747 upgrade := false
746748