cdb debug name format
Low priority
I've only just spotted this oddity, and it's easy to work around...
Scanning a file with --debug gives you a CDBNAME, for example:
LibClamAV debug: CDBNAMECL_TYPE_LHA_LZH:456899:Swift Copy.exe:456899:488448:0:1:3190126450
Test.cdb sig:
Sanesecurity.Foxhole.Lzh_fs3597:CL_TYPE_LHA_LZH::(?i)^swift copy.exe$:::::
If I use the above sig you get this:
LibClamAV Error: Problem parsing database at line 1
LibClamAV Error: Can't load lzhtest.cdb: Malformed database
ERROR: Malformed database
working test.cdb sig:
Sanesecurity.Foxhole.Lzh_fs3597:CL_TYPE_LHA_LZH::(?i)^swift copy.exe$::::::*
The only difference is the extra :* at the end.
Looking at the documents:
Docs:
ContainerSize: size of the container file itself (eg. size of the zip archive) specified in bytes as absolute value or range x-y.
FileNameREGEX: regular expression describing name of the target file
FileSizeInContainer: usually compressed size; for MAIL, TAR and CPIO == FileSizeReal; specified in bytes as absolute value or range.
FileSizeReal: usually uncompressed size; for MAIL, TAR and CPIO == FileSizeInContainer; absolute value or range.
IsEncrypted: 1 if the target file is encrypted, 0 if it's not and * to ignore
FilePos: file position in container (counting from 1); absolute value or range.
Res1: when ContainerType is CL_TYPE_ZIP or CL_TYPE_RAR this field is treated as a CRC sum of the target file specified in hexadecimal format; for other container types it's ignored.
Res2: not used as of ClamAV 0.96.
So I've always had Res2 at the end of the signature, i.e. :* and the sig works fine.
The CDBNAME given by debug doesn't have the Res2 field shown, even though it's still needed when creating a CDB signature, even if it's not used since ClamAV 0.96.
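The field-count problem above can be checked outside clamscan. The script below is an added example, not part of this report and not ClamAV's own code: it splits a .cdb line on ':' the way the loader does, rejects the signature that lacks the Res2 field, parses the CDBNAME debug line (which carries only eight fields, so no Res2) and evaluates a parsed signature against that record. Assumptions not taken from the page: an empty field or '*' is treated as "ignore", ranges are written lo-hi, ContainerType must match exactly, and Python's re stands in for libclamav's regex engine. The sample lines are the two signatures and the debug line quoted above.

```python
import re

# Field layout of one .cdb line: VirusName followed by the nine documented
# fields. The loader reports "Malformed database" when any is missing, which
# is exactly what happens to the signature without the trailing ":*" (Res2).
CDB_FIELDS = ("VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
              "FileSizeInContainer", "FileSizeReal", "IsEncrypted", "FilePos",
              "Res1", "Res2")

# Field order of the CDBNAME line printed by clamscan --debug. The debug
# output in the report carries no Res2 value, so only eight fields are here.
CDBNAME_FIELDS = ("ContainerType", "ContainerSize", "FileName",
                  "FileSizeInContainer", "FileSizeReal", "IsEncrypted",
                  "FilePos", "Res1")

# Sample inputs copied from the report above (constructed test data).
SIG_BROKEN = "Sanesecurity.Foxhole.Lzh_fs3597:CL_TYPE_LHA_LZH::(?i)^swift copy.exe$:::::"
SIG_WORKING = "Sanesecurity.Foxhole.Lzh_fs3597:CL_TYPE_LHA_LZH::(?i)^swift copy.exe$::::::*"
DEBUG_LINE = ("LibClamAV debug: CDBNAMECL_TYPE_LHA_LZH:456899:Swift Copy.exe"
              ":456899:488448:0:1:3190126450")


def parse_cdb_line(line):
    """Split a .cdb signature on ':' and require every field to be present."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < len(CDB_FIELDS):
        missing = ", ".join(CDB_FIELDS[len(fields):])
        raise ValueError(f"Malformed database: {len(fields)} fields, "
                         f"need {len(CDB_FIELDS)} (missing: {missing})")
    return dict(zip(CDB_FIELDS, fields))


def is_well_formed(line):
    """True when parse_cdb_line() accepts the signature."""
    try:
        parse_cdb_line(line)
        return True
    except ValueError:
        return False


def parse_cdbname(debug_line):
    """Turn a CDBNAME debug line into a dict keyed like CDBNAME_FIELDS.

    The file name sits between two fixed-size groups of numeric fields, so it
    is rebuilt from the middle tokens and may itself contain ':'. The "CDBNAME"
    prefix is accepted with or without a following colon (assumption).
    """
    payload = debug_line.split("CDBNAME", 1)[1].lstrip(":")
    tokens = payload.split(":")
    if len(tokens) < len(CDBNAME_FIELDS):
        raise ValueError("unexpected CDBNAME field count")
    values = tokens[:2] + [":".join(tokens[2:-5])] + tokens[-5:]
    rec = dict(zip(CDBNAME_FIELDS, values))
    for key in ("ContainerSize", "FileSizeInContainer", "FileSizeReal",
                "IsEncrypted", "FilePos", "Res1"):
        rec[key] = int(rec[key])   # debug output prints these in decimal
    return rec


def in_range(spec, value):
    """Empty or '*' ignores the field; otherwise 'n' or 'lo-hi' (assumed)."""
    if spec in ("", "*"):
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(spec) == value


def cdb_matches(sig, rec):
    """Evaluate a parsed .cdb signature against one CDBNAME record."""
    if sig["ContainerType"] not in ("", "*") and sig["ContainerType"] != rec["ContainerType"]:
        return False
    if not in_range(sig["ContainerSize"], rec["ContainerSize"]):
        return False
    if not re.search(sig["FileNameREGEX"], rec["FileName"]):   # re stands in for libclamav
        return False
    if not in_range(sig["FileSizeInContainer"], rec["FileSizeInContainer"]):
        return False
    if not in_range(sig["FileSizeReal"], rec["FileSizeReal"]):
        return False
    if sig["IsEncrypted"] not in ("", "*") and int(sig["IsEncrypted"]) != rec["IsEncrypted"]:
        return False
    if not in_range(sig["FilePos"], rec["FilePos"]):
        return False
    # Res1 is a hex CRC and, per the docs, only meaningful for ZIP/RAR containers.
    if rec["ContainerType"] in ("CL_TYPE_ZIP", "CL_TYPE_RAR") and sig["Res1"] not in ("", "*"):
        if int(sig["Res1"], 16) != rec["Res1"]:
            return False
    # Res2 must be present for the line to parse, but carries no meaning.
    return True


if __name__ == "__main__":
    rec = parse_cdbname(DEBUG_LINE)
    for sig_line in (SIG_BROKEN, SIG_WORKING):
        try:
            sig = parse_cdb_line(sig_line)
        except ValueError as err:
            print(f"rejected: {err}")
            continue
        print(f"{sig['VirusName']}: matches={cdb_matches(sig, rec)}")
```

Running it rejects the first signature with "missing: Res2" and reports the second as matching the Swift Copy.exe record, which is the behaviour the report describes. Treat the range, wildcard and regex semantics as a local approximation; the authoritative behaviour is whatever libclamav does.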