Hi, Using a cdb sig in this format:
Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*

The above sig will work on a Rar pre v5 format file, to catch a *single* exe in a rar file.

In ClamAV 0.101.0 beta (which has Rar v5 support), the above wasn't detecting anything, but should have.

According to the documents...

CDB signature: FilePos : file position in container (counting from *1*); absolute value or range

In a Rar v3 archive, with a SINGLE exe inside, using Clamav-0.99.4:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:182253:request for quotation:182253:378880:0:2:1173764330:00000000

(note: the :2: part for FilePos)

In a Rar v3 archive, with a SINGLE exe inside, using ClamAV 0.101.0 beta:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:182253:request for quotation:182253:378880:0:1:1173764330:00000000

(note: the :1: part for FilePos)

In a Rar v5 archive, with a SINGLE exe inside, using ClamAV 0.101.0 beta:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:402906:Request For Quotation 142537.exe:402906:3851480:0:1:4067430729:00000000

(note: the :1: part for FilePos)

So, Clamav-0.99.4 on a Rar v3 file reports the *first* file as 2 for the FilePos. ClamAV 0.101.0 beta on a Rar v3 or v5 archive... reports the *first* file as 1 for the FilePos.

Which is a bit of an issue for backwards compatibility... I could change

Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*

to match any file position... e.g.:

Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:*:*:*

but might have a higher FP rate.

I guess the old rar unpacker starts at filepos 2, the new one starts at filepos 1, which matched the documentation. I guess the new unpacker could be changed to just add a +1 to the filepos and then adjust the documents?

The above was tested using: clamav-0.101.0-beta-win-x86-portable

--
Cheers,

Steve
Twitter: @sanesecurity

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
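To make the FilePos behaviour described above concrete, here is an added example (not ClamAV code and not part of the original post) that parses the two .cdb signature variants and evaluates them against a constructed container entry modelled on the Rar v5 debug line, once with the old engine's position (2) and once with the new engine's (1). The 10-field .cdb layout is the documented one; the naive colon split, the sample entry values and the helper names are assumptions of this example.

```python
import re

# Field order of a ClamAV .cdb (container metadata) signature, per the ClamAV docs.
CDB_FIELDS = ("name", "container_type", "container_size", "filename_regex",
              "size_in_container", "size_real", "is_encrypted", "file_pos",
              "res1", "res2")

# The two signature variants discussed in the post (FilePos pinned to 2, and FilePos = any).
SIG_FILEPOS_2 = r"Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*"
SIG_FILEPOS_ANY = r"Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:*:*:*"

def parse_cdb(line):
    """Split a .cdb line into its 10 fields (assumption: no ':' inside the filename regex)."""
    parts = line.strip().split(":")
    if len(parts) != len(CDB_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(CDB_FIELDS), len(parts)))
    return dict(zip(CDB_FIELDS, parts))

def num_field_matches(field, value):
    """'*' matches anything, 'lo-hi' is an inclusive range, otherwise an exact integer."""
    if field == "*":
        return True
    if "-" in field:
        lo, hi = (int(x) for x in field.split("-", 1))
        return lo <= value <= hi
    return int(field) == value

def cdb_matches(sig, entry):
    """Evaluate a parsed signature against one file entry seen inside a container."""
    if sig["container_type"] not in ("*", entry["container_type"]):
        return False
    if re.search(sig["filename_regex"], entry["filename"]) is None:
        return False
    if sig["is_encrypted"] != "*" and int(sig["is_encrypted"]) != entry["is_encrypted"]:
        return False
    return all(num_field_matches(sig[f], entry[f])
               for f in ("container_size", "size_in_container", "size_real", "file_pos"))

def sample_entry(file_pos):
    """Constructed entry modelled on the Rar v5 debug line in the post; only file_pos varies."""
    return {"container_type": "CL_TYPE_RAR", "container_size": 402906,
            "filename": "Request For Quotation 142537.exe",
            "size_in_container": 402906, "size_real": 3851480,
            "is_encrypted": 0, "file_pos": file_pos}

def check(sig_line, file_pos):
    """True if the signature fires on the sample archive when the engine reports file_pos."""
    return cdb_matches(parse_cdb(sig_line), sample_entry(file_pos))

if __name__ == "__main__":
    for engine, pos in (("0.99.4 (first file = 2)", 2), ("0.101.0 beta (first file = 1)", 1)):
        print(engine, "-> FilePos=2 sig:", check(SIG_FILEPOS_2, pos),
              "| FilePos=* sig:", check(SIG_FILEPOS_ANY, pos))
```

The wildcard variant also fires for a matching name at any later position (the higher-FP-rate trade-off in the post), and a range such as 1-2 would cover both engines without opening the position up entirely.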