ClamAV 1.4.0-rc cdb LZH #1266

Open
Sanesecurity opened this issue May 8, 2024 · 2 comments
Comments

Sanesecurity commented May 8, 2024

Describe the bug

Created a simple cdb signature to test exe blocking in LZH:

test:CL_TYPE_LHA_LZH:*:(?i)\.exe$:*:*:*:*:*:*

Seems to work fine with the LZHs I've tested, however, the attached LZH doesn't fire on the above rule.

The LZHs that work are -lh5- and the one that doesn't is -lh0-.

purchase order TH.exe

I've zipped the LZH with password: infected

bad.zip

Hopefully I'm missing something obvious ;)

micahsnyder (Contributor) commented:

Thanks for the bug report.

I just triaged the issue and see the same as you.

For this file, that's because there is no compression on the embedded file. ClamAV has a signature to identify MSEXE files based on the PE file header contained at any offset into the file: https://github.com/Cisco-Talos/clamav/blob/clamav-1.4.0-rc/libclamav/filetypes_int.h#L110

I see the LZH signature matching on this file, but then the embedded PE header signature also matches. And it seems to be prioritizing embedded PE file type detection over that of LZH file type detection, even though LZH was detected first.

I will have to investigate further to find the correct solution.
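To make the explanation above concrete, here is an added example (not ClamAV code and not the issue's attachment) that walks level-0 LZH member headers and reports, per member, whether the filename would satisfy the cdb name test and whether the member is stored (-lh0-) with a raw MZ/PE header sitting uncompressed inside the container, which is exactly what a PE file-type signature that scans at any offset can see. The sample archive, the PE stub and the helper names (`lzh_member`, `iter_members`, `triage`) are constructed for this example.

```python
import re
import struct

# Hypothetical helpers; the archive and PE stub below are constructed, not the issue's attachment.
def lzh_member(method: bytes, name: bytes, data: bytes) -> bytes:
    """Build one level-0 LZH member header followed by its (stored) payload."""
    body = method + struct.pack("<IIIBB", len(data), len(data), 0, 0x20, 0)  # sizes, DOS time, attr, level
    body += bytes([len(name)]) + name + struct.pack("<H", 0)                 # name length, name, CRC16 (zero here)
    return bytes([len(body), sum(body) & 0xFF]) + body + data                # hsize, hsum, body, payload

def iter_members(archive: bytes):
    """Walk level-0 LZH headers; yield (method, name, packed_size, orig_size, payload_bytes)."""
    pos = 0
    while pos < len(archive) and archive[pos] != 0:          # a zero header size ends the archive
        hsize, hsum = archive[pos], archive[pos + 1]
        hdr = archive[pos + 2 : pos + 2 + hsize]
        if len(hdr) != hsize or sum(hdr) & 0xFF != hsum:
            raise ValueError(f"bad LZH header at offset {pos}")
        if hdr[18] != 0:
            raise ValueError("only level-0 headers are handled in this example")
        method = hdr[0:5]                                    # e.g. b"-lh0-" (stored) or b"-lh5-" (compressed)
        packed, orig = struct.unpack_from("<II", hdr, 5)
        name = hdr[20 : 20 + hdr[19]].decode("latin-1")
        data_start = pos + 2 + hsize
        yield method, name, packed, orig, archive[data_start : data_start + packed]
        pos = data_start + packed

EXE_NAME = re.compile(r"(?i)\.exe$")   # the filename test from the cdb signature in the issue

def triage(archive: bytes) -> list:
    """Per member: does the cdb name rule match, and is a raw PE header lying uncompressed in the container?"""
    return [
        {
            "name": name,
            "method": method.decode("ascii"),
            "exe_name": bool(EXE_NAME.search(name)),
            "raw_pe_visible": method == b"-lh0-" and data.startswith(b"MZ"),
        }
        for method, name, _packed, _orig, data in iter_members(archive)
    ]

# Constructed sample: a stored (-lh0-) member whose payload is a minimal MZ/PE stub, plus a text member.
PE_STUB = b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
ARCHIVE = (lzh_member(b"-lh0-", b"purchase order TH.exe", PE_STUB)
           + lzh_member(b"-lh0-", b"notes.txt", b"just text") + b"\x00")

if __name__ == "__main__":
    for finding in triage(ARCHIVE):
        print(finding)
```

A member flagged `raw_pe_visible` is the case from this issue: the name rule would match, but the MZ/PE bytes are also directly visible to an any-offset PE signature, whereas in an -lh5- member they are hidden behind the compression.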

Sanesecurity (Author) commented:

Makes sense... also noted that the ones that work show the debug lines...

LibClamAV debug: CDBNAME:CL_TYPE_LHA_LZH:689528:RFQ ML - CONTG. 0992-19-PD.exe

whereas the lh0 one doesn't.

Thanks for confirming 👍
