Roadmap

Next major milestone: 0.96

Overview

The main target of the next major release is to improve malware detection by providing a new bytecode interpreter, support for additional unpackers, PE heuristics, and improvements to logical signatures and the e-mail parser. Other important improvements for this release include signature debugging and performance statistics, additional unit tests, support for more file formats, and various scan engine improvements.

Features list

Bytecode Interpreter (See bug #1243)

Disasm hook.
Jsparser hook.
PE hooks, support for unpackers and algorithmic detection.
Lsigs hook.
Simple frontend to create bytecode, initially an internal tool.
JIT on the client, fallback to the interpreter.
Caching of results.
Support for regular expressions.
Web interface for the bytecode interpreter.

Additional Unpackers (See bug #1571)

UPX 3.0.

Prefiltering for pattern matchers (See bug #1188)

Fix, test and merge the prefiltering branch.

Improve unit-tests (See bug #1248)

Add more unit tests for files with low coverage.
Add unit tests for new code.

Signature Performance Statistics (See bugs #1244 and #1246)

Signature decoding and debugging functionality for sigtool.

Logical Signatures improvements (See bugs #164, #895, #896 and #1173)

Add support for macros in signatures.
Extend target description.
Logical signature (LS) compiler for signature writers (sigmakers).

Malware statistics improvements (See bugs #1228 and #1503)

Per user statistics.

Support for additional formats (See bugs #789, #1222, #1570, #1592 and #1593)

7zip archives.
OSX universal executable files.
64-bit ELF files.
InstallShield.
CPIO archives.

Other scan engine improvements (See bugs #804, #1300, #1475, #1547, #1576, #1577, #1578 and #1579)

Investigate possibility of using an offset matcher.
Detection of fake vendor executables and fake documents.
Improved container handling.
Improved handling of compressed databases.
Improved signature whitelisting.
Word boundary support in pattern matchers.
Moving away from mmap.