From d2bc78f9061eb931187853599de2a9977feab907 Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Wed, 13 Dec 2023 18:37:33 +0100
Subject: [PATCH] Update reference-analysis-tools-strings.yml fix 2 problems: 1. fix false positive by not hitting, if there was a word character before `ida`: ``` regex: /ida[gqtuw]?(\.exe)?$/i - "@.didat" @ file+0x2F7 405d4c2ef7419bf265edef0fe86c8ba1ed634b10dccaaa0a6c6b953645598619 ``` 2. regex didn't match ida64.exe because it required one of the characters in the brackets.
---
 anti-analysis/reference-analysis-tools-strings.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/anti-analysis/reference-analysis-tools-strings.yml b/anti-analysis/reference-analysis-tools-strings.yml
index 22624d9bc..aa30c7828 100644
--- a/anti-analysis/reference-analysis-tools-strings.yml
+++ b/anti-analysis/reference-analysis-tools-strings.yml
@@ -24,8 +24,8 @@ rule:
 - string: /procmon(\.exe)?/i
 - string: /regmon(\.exe)?/i
 - string: /procexp(\.exe)?/i
- - string: /ida[gqtuw]?(\.exe)?$/i
- - string: /ida[gqtuw]64(\.exe)?$/i
+ - string: /(?