From 6f4953ad45478192144619f1b253ecb5893f5675 Mon Sep 17 00:00:00 2001
From: wmetcalf
Date: Mon, 9 Mar 2026 15:22:12 +0000
Subject: [PATCH 1/2] fix(analysisinfo): detect auto-selected package from Windows analyzer logs The Windows analyzer logs the package selection as: INFO: analysis package selected: "pkg" but get_package() only searched for the Linux format: INFO: Automatically selected analysis package "pkg" This caused the package field to remain empty in reports for Windows analyses where no package was explicitly specified. Now searches for both log formats using len(marker) instead of a hardcoded offset.
---
 modules/processing/analysisinfo.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/modules/processing/analysisinfo.py b/modules/processing/analysisinfo.py
index fa09d0f838f..f67919fdfde 100644
--- a/modules/processing/analysisinfo.py
+++ b/modules/processing/analysisinfo.py
@@ -68,8 +68,15 @@ def get_package(self):
 raise CuckooProcessingError(f"Error opening {self.log_path}: {e}") from e
 else:
 with suppress(Exception):
- idx = analysis_log.index('INFO: Automatically selected analysis package "')
- package = analysis_log[idx + 47 :].split('"', 1)[0]
+ # Try both Windows and Linux analyzer log formats
+ for marker in (
+ 'INFO: analysis package selected: "',
+ 'INFO: Automatically selected analysis package "',
+ ):
+ if marker in analysis_log:
+ idx = analysis_log.index(marker)
+ package = analysis_log[idx + len(marker) :].split('"', 1)[0]
+ break
 return package

 def run(self):
From ca5fe67dc1713c663b190250d045e79779b53a14 Mon Sep 17 00:00:00 2001
From: wmetcalf
Date: Mon, 9 Mar 2026 15:30:30 +0000
Subject: [PATCH 2/2] refactor: use str.find() to avoid double scan of analysis log
---
 modules/processing/analysisinfo.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/processing/analysisinfo.py b/modules/processing/analysisinfo.py
index f67919fdfde..ae9666957a1
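Review bot: The `with suppress(Exception):` kept as context around the new loop in the `@@ -68,8 +68,15 @@` hunk of patch 1/2 is what let the missing Windows marker go unnoticed: the `ValueError` from `.index()` was swallowed and the package silently stayed empty. With the explicit `if marker in analysis_log:` test none of the added lines is expected to raise, so the blanket suppression now only hides real faults, such as `analysis_log` having an unexpected type. I would drop the wrapper, or narrow it and record the miss, e.g. `log.debug("no analysis package marker in %s", self.log_path)` if the module has a logger. get_package starts above this hunk, so where `package` is first assigned is not visible here.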
--- a/modules/processing/analysisinfo.py
+++ b/modules/processing/analysisinfo.py
@@ -73,8 +73,8 @@ def get_package(self):
 'INFO: analysis package selected: "',
 'INFO: Automatically selected analysis package "',
 ):
- if marker in analysis_log:
- idx = analysis_log.index(marker)
+ idx = analysis_log.find(marker)
+ if idx != -1:
 package = analysis_log[idx + len(marker) :].split('"', 1)[0]
 break
 return package
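Review bot: The value assigned on the `package = analysis_log[idx + len(marker) :].split('"', 1)[0]` line is whatever follows the first occurrence of a marker anywhere in the log, and it is returned unchecked. The log appears to be written by the analyzer inside the guest (inferred from the commit message; the writer is not shown), so sample-influenced text logged before the real selection line could become the reported package, and when no closing quote follows, the split returns the rest of the log. The markers are also tried in tuple order rather than by position, so the Windows form wins wherever it appears. I would check the result before `break`, e.g. `candidate = analysis_log[idx + len(marker) :].split('"', 1)[0]` followed by `if re.fullmatch(r"[\w.-]{1,64}", candidate): package = candidate`, which needs `re` imported in the module, or compare it against the known package names. The start of get_package is outside this hunk.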