
  1. #------------------------------------------------------------------------------
  2. # $File: fsav,v 1.22 2021/04/26 15:56:00 christos Exp $
  3. # fsav: file(1) magic for datafellows fsav virus definition files
  4. # Anthon van der Neut (anthon@mnt.org)
  5. # ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
  6. 0 beshort 0x1575 fsav macro virus signatures
  7. >8 leshort >0 (%d-
  8. >11 byte >0 \b%02d-
  9. >10 byte >0 \b%02d)
  10. # ftp://ftp.f-prot.com/pub/sign.zip
  11. #10 ubyte <12
  12. #>9 ubyte <32
  13. #>>8 ubyte 0x0a
  14. #>>>12 ubyte 0x07
  15. #>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d-
  16. #>>>>10 byte 0 \b01-
  17. #>>>>10 byte 1 \b02-
  18. #>>>>10 byte 2 \b03-
  19. #>>>>10 byte 3 \b04-
  20. #>>>>10 byte 4 \b05-
  21. #>>>>10 byte 5 \b06-
  22. #>>>>10 byte 6 \b07-
  23. #>>>>10 byte 7 \b08-
  24. #>>>>10 byte 8 \b09-
  25. #>>>>10 byte 9 \b10-
  26. #>>>>10 byte 10 \b11-
  27. #>>>>10 byte 11 \b12-
  28. #>>>>9 ubyte >0 \b%02d)
  29. # ftp://ftp.f-prot.com/pub/sign2.zip
  30. #0 ubyte 0x62
  31. #>1 ubyte 0xF5
  32. #>>2 ubyte 0x1
  33. #>>>3 ubyte 0x1
  34. #>>>>4 ubyte 0x0e
  35. #>>>>>13 ubyte >0 fsav virus signatures
  36. #>>>>>>11 ubyte x size %#02x
  37. #>>>>>>12 ubyte x \b%02x
  38. #>>>>>>13 ubyte x \b%02x bytes
  39. # Joerg Jenderek: joerg dot jenderek at web dot de
  40. # clamav-0.100.2\docs\html\node60.html
  41. # https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf
  42. # ClamAV virus database files start with a 512-byte colon-separated header
  43. # ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
  44. # followed by a tarball, optionally gzipped
  45. # output can often be verified by `sigtool --info=FILE`
  46. 0 string ClamAV-VDB: Clam AntiVirus
  47. # padding with spaces implies a database file
  48. >511 ubyte =0x20 database
  49. !:mime application/x-clamav-database
  50. # empty build time
  51. >>10 string =:: (unsigned)
  52. # sigtool(1) man page
  53. !:ext cud
  54. # display some text to avoid errors like:
  55. # Magdir/fsav, 78: Warning: Current entry does not yet have a description for adding a EXTENSION type
  56. # file: could not find any valid magic files! (No error)
  57. >>10 default x (with buildtime)
  58. #>>10 default x
  59. # clamtmp is used for a temporary database, e.g. during the update process
  60. # for a pure tar database only the cld extension was found
  61. !:ext cld/cvd/clamtmp/cud
  62. >511 default x file
  63. !:mime application/x-clamav
  64. !:ext info
  65. >11 string >\0
  66. # buildDate is empty or like "22 Mar 2017 12-57 -0400"; verified by `sigtool -i FILE`
  67. >>11 regex \^[^:]{0,23} \b, %s
  68. # version like 25170
  69. >>>&1 regex \^[^:]{1,6} \b, version %s
  70. # signaturesNumbers like 4566249
  71. >>>>&1 regex \^[^:]{1,10} \b, %s signatures
  72. # functionalityLevelRequired like 60
  73. >>>>>&1 regex \^[^:]{1,4} \b, level %s
  74. # X when absent, otherwise the MD5 digest
  75. #>>>>>>&1 regex \^[^:]{1,32} \b, MD5 "%s"
  76. >>>>>>&1 regex \^[^:]{1,32}
  77. # X when absent, otherwise a digital signature starting like AIzk/LYbX
  78. #>>>>>>>&1 regex \^[^:]{1,255} \b, signature "%s"
  79. >>>>>>>&1 regex \^[^:]{1,255}
  80. # builder like neo
  81. >>>>>>>>&1 regex \^[^:]{1,32} \b, builder %s
  82. # buildTime like 1506611558
  83. #>>>>>>>>>&1 regex \^[^:]{1,10} \b, %s
  84. >>>>>>>>>&1 regex \^[^:]{1,10}
  85. # padding with spaces
  86. #>>>>>>>>>>&1 ubequad x \b, padding %#16.16llx
  87. >510 ubyte =0x20
  88. # inspect real database content
  89. #>>512 ubeshort x \b, database MAGIC %#x
  90. # ./archive handles pure tar archives
  91. >>1012 quad =0 \b, with
  92. >>>512 use tar-file
  93. # not pure tar
  94. >>1012 quad !0
  95. # one space at the end of the text, then gzipped archives are handled by ./compress
  96. >>>512 string \037\213 \b, with
  97. >>>>512 indirect x
  98. # Type: Grisoft AVG AntiVirus
  99. # From: David Newgas <david@newgas.net>
  100. 0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data
  101. 0 string X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR
  102. >33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files
  103. # From: Joerg Jenderek
  104. # URL: https://www.avira.com/
  105. # Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows)
  106. # tested with version 15.0.43.23 in November 2019
  107. 0 string AntiVir\ Qua Avira AntiVir quarantined
  108. !:mime application/x-avira-qua
  109. #!:mime application/octet-stream
  110. !:ext qua
  111. >156 string SUSPICIOUS_FILE
  112. # file path of suspicious file
  113. >>220 lestring16 x %s
  114. >156 string !SUSPICIOUS_FILE
  115. # file path of virus file
  116. >>228 lestring16 x %s
  117. # quarantine date
  118. >60 ldate x at %s
  119. # virus/danger name
  120. >156 string !SUSPICIOUS_FILE
  121. >>156 string x \b, category "%s"