malware_lodarat_filepath query fails

[johnosn]

malware_lodarat_filepath query fails with the message "near "AND": syntax error"
The query has a ";" character midway in the WHERE clause causing the failure.

A Query like the one below would be able to return results.

SELECT
	f.path,
	f.directory,
	f.filename,
	h.sha256,
	f.uid,
	f.gid,
	f.mode,
	f.size,
	DATETIME(f.atime, "unixepoch","UTC") AS last_access_time,
	DATETIME(f.mtime, "unixepoch", "UTC") AS last_modified,
	DATETIME(f.ctime, "unixepoch", "UTC")  AS last_status_change_time,
	DATETIME(f.btime, "unixepoch", "UTC")  AS creation_time 
FROM file f 
	JOIN hash h ON f.path=h.path  
WHERE 
	f.path LIKE "C:\Users\%\AppData\Roaming\Windata\%.exe"
	AND f.filename LIKE regex_match(f.filename, "([a-zA-Z]{6}|svchost)\.exe", 0);

Or this query

WITH ud AS (
	SELECT directory || '\AppData\Roaming\Windata' AS directory
	FROM users WHERE directory LIKE "%\Users\%")
SELECT
	f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size,
	DATETIME(f.atime, "unixepoch", "UTC") AS last_access_time,
	DATETIME(f.mtime, "unixepoch", "UTC") AS last_modified,
	DATETIME(f.ctime, "unixepoch", "UTC") AS last_status_change_time,
	DATETIME(f.btime, "unixepoch", "UTC") AS creation_time,
	f.type
FROM ud
	JOIN file f ON ud.directory = f.directory
	LEFT JOIN hash h ON f.path = h.path 
WHERE
	(f.filename LIKE "%.exe" AND LENGTH(f.filename) = 10)
	OR f.filename = "svchost.exe";

[johnosn]

Screenshot showing the location of the extra semi-colon.

[cmarczewski]

Resolved via ab19faa.

Thanks for opening this issue.