Add basic documentation for HandlerType logical signatures

val-ms · web-flow · commit eec7d998a325 · 2025-03-31T12:32:01.000-04:00
diff --git a/src/manual/Signatures/FileTypeMagic.md b/src/manual/Signatures/FileTypeMagic.md
@@ -31,3 +31,7 @@ Where:
 `min_flevel`: (optional) The minimum ClamAV engine that the file type signature works with. See the [FLEVEL reference](../../appendix/FunctionalityLevels.md) for details. To be used in the event that file type support has been recently added.
 
 `max_flevel`: (optional, requires `min_flevel` field, though the `min_flevel` number itself can be left empty) The maximum ClamAV engine that the file type signature works with. To be used in the event that file type support has been recently removed or replaced.
+
+> _Note_: It is likely that `magictype` `0` is insufficient to identify a file and so type `1` may be necessary.
+>
+> If type `1` is also insufficient, you may have luck using a [logical signature with the `HandlerType` option](./LogicalSignatures.md). Be warned that `HandlerType` signatures are very inefficient as the given file will be scanned twice.
diff --git a/src/manual/Signatures/LogicalSignatures.md b/src/manual/Signatures/LogicalSignatures.md
@@ -46,6 +46,15 @@ Keywords used in `TargetDescriptionBlock`:
 
 - `IconGroup2`: Icon group name 2 from .idb signature Required engine functionality (range; 0.96)
 
+- `HandlerType:CL_TYPE_*`: If used, the logical signature will not cause an alert and will instead re-scan the file as a different file type, treating it as a child (contained) file.
+
+  For example, this signature will look for a selection of components with any file (because of `Target:0`). If found, it will rescan the file as a PDF:
+  ```
+  Filetype.PDF;Engine:54-255,Target:0,HandlerType:CL_TYPE_PDF;(0|1)&2&3;0:255044462d??2e;0:257064662d??2e;737461727478726566;2525454f46
+  ```
+
+  > _Note_: This is an inefficient approach to file type identification, though it is more versatile than traditional [File Type Magic (`.ftm`) signatures](./FileTypeMagic.md).
+
 Modifiers for subexpressions:
 
 - `A=X`: If the SUB-EXPRESSION A refers to a single signature then this signature must get matched exactly X times; if it refers to a (logical) block of signatures then this block must generate exactly X matches (with any of its sigs).
