#------------------------------------------------------------------------------ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) # ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def} 0 beshort 0x1575 fsav macro virus signatures >8 leshort >0 (%d- >11 byte >0 \b%02d- >10 byte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign.zip #10 ubyte <12 #>9 ubyte <32 #>>8 ubyte 0x0a #>>>12 ubyte 0x07 #>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d- #>>>>10 byte 0 \b01- #>>>>10 byte 1 \b02- #>>>>10 byte 2 \b03- #>>>>10 byte 3 \b04- #>>>>10 byte 4 \b05- #>>>>10 byte 5 \b06- #>>>>10 byte 6 \b07- #>>>>10 byte 7 \b08- #>>>>10 byte 8 \b09- #>>>>10 byte 9 \b10- #>>>>10 byte 10 \b11- #>>>>10 byte 11 \b12- #>>>>9 ubyte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign2.zip #0 ubyte 0x62 #>1 ubyte 0xF5 #>>2 ubyte 0x1 #>>>3 ubyte 0x1 #>>>>4 ubyte 0x0e #>>>>>13 ubyte >0 fsav virus signatures #>>>>>>11 ubyte x size 0x%02x #>>>>>>12 ubyte x \b%02x #>>>>>>13 ubyte x \b%02x bytes # Joerg Jenderek: joerg dot jenderek at web dot de # http://www.clamav.net/doc/latest/html/node45.html # .cvd files start with a 512 bytes colon separated header # ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime # + gzipped tarball files 0 string ClamAV-VDB: >11 string >\0 Clam AntiVirus database %-.23s >>34 string : >>>35 string !: \b, version >>>>35 string x \b%-.1s >>>>>36 string !: >>>>>>36 string x \b%-.1s >>>>>>>37 string !: >>>>>>>>37 string x \b%-.1s >>>>>>>>>38 string !: >>>>>>>>>>38 string x \b%-.1s >>>>512 string \037\213 \b, gzipped >>>>769 string ustar\0 \b, tarred >512 string \037\213 \b, gzipped >769 string ustar\0 \b, tarred # Type: Grisoft AVG AntiVirus # From: David Newgas 0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data