From 18b06fc48bad51230e009825e6a0312a58f25099 Mon Sep 17 00:00:00 2001
From: Gabor Gyorvari
Date: Mon, 11 Jul 2022 20:03:53 +0200
Subject: [PATCH] Whitelist update and two little pattern fix, reported in #78
---
 definitions/patterns_iraw.txt | 2 +-
 definitions/patterns_re.txt | 2 +-
 whitelist.txt | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/definitions/patterns_iraw.txt b/definitions/patterns_iraw.txt
index bfa9aca..a52b943 100644
--- a/definitions/patterns_iraw.txt
+++ b/definitions/patterns_iraw.txt
@@ -16,7 +16,7 @@ opendns
 phishtank
 sophos
 surfright
-symantec
+# symantec - removed because already a TLD too so generate many false positives
 # SEO poison, pharmacy redirect
 dealonline.su
\ No newline at end of file
diff --git a/definitions/patterns_re.txt b/definitions/patterns_re.txt
index 57b9f4f..aa3b70d 100644
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -60,7 +60,7 @@ chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*
 #Detects the '_' character encoded in a string like "\x5F". '_' is present in many functions that malware would want to hide.
 # '_' as "\x5f"
-\\[Xx](5[Ff])
+# \\[Xx](5[Ff]) - removed because generate many false positives
 #Detects the '_' character placed inside a call to the 'chr()' function
 # '_' as 'chr(95)' or 'chr(0x5f)'
diff --git a/whitelist.txt b/whitelist.txt
index 81fb359..2bc22d7 100644
--- a/whitelist.txt
+++ b/whitelist.txt
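Review bot: In definitions/patterns_iraw.txt and definitions/patterns_re.txt the two rules are disabled by commenting them out, and neither comment names the report behind the decision, so the files do not record whether a narrower form of the rule may be restored later. The commit subject mentions #78; I would carry that into both comments, for example `# symantec - disabled: also a TLD now, causes many false positives (see #78)` and `# \\[Xx](5[Ff]) - disabled: causes many false positives (see #78)`. With the second rule off, this file no longer reports the hex-escaped form of '_' on its own, while the chr(95) rule described in the trailing context presumably still applies; a rule that only fires when the escape sits among other hex escapes may be worth a follow-up. Both hunks show only part of their files.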
@@ -284,3 +284,5 @@ a54895edc1402cf1b7b5ecd3f5d85e6b wp-includes/formatting.php -> Wordpress Core 6.
 1e2d246c57d2123aa8938c8263cb1d3d wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php -> Yoast SEO plugin 19.2
 cacb5670ebb2de31976a4b2eb06cac86 wp-content/plugins/worker/src/MWP/ServiceContainer/Abstract.php -> managewp plugin 4.9.14 from managewp.com
 ffa76b9ff298702a733747521cfdee69 wp-content/plugins/worker/src/MWP/Action/GetState.php -> managewp plugin 4.9.14 from managewp.com
+ccce5f45d1ac66bd2bebe75d666b5720 wp-content/plugins/redirection/models/regex.php
+ae810d74d638c611d8bd958777c9ac6a wp-content/plugins/ssl-insecure-content-fixer/includes/nonces.php
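Review bot: The two added entries have no `-> <product> <version>` suffix, unlike the three context entries above them, so the file does not record which plugin release each hash was taken from. Since a whitelisted hash presumably exempts the file from scanning, I would record the source, e.g. `ccce5f45d1ac66bd2bebe75d666b5720 wp-content/plugins/redirection/models/regex.php -> Redirection plugin <VERSION>` (the version is a placeholder, it is not given on this page), and the same for the nonces.php entry. It is also worth confirming that both hashes were computed from the official plugin archives rather than from the installation that produced the false positive.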