123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 |
- #------------------------------------------------------------------------------
- # $File: fsav,v 1.22 2021/04/26 15:56:00 christos Exp $
- # fsav: file(1) magic for datafellows fsav virus definition files
- # Anthon van der Neut (anthon@mnt.org)
- # ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
- 0 beshort 0x1575 fsav macro virus signatures
- >8 leshort >0 (%d-
- >11 byte >0 \b%02d-
- >10 byte >0 \b%02d)
- # ftp://ftp.f-prot.com/pub/sign.zip
- #10 ubyte <12
- #>9 ubyte <32
- #>>8 ubyte 0x0a
- #>>>12 ubyte 0x07
- #>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d-
- #>>>>10 byte 0 \b01-
- #>>>>10 byte 1 \b02-
- #>>>>10 byte 2 \b03-
- #>>>>10 byte 3 \b04-
- #>>>>10 byte 4 \b05-
- #>>>>10 byte 5 \b06-
- #>>>>10 byte 6 \b07-
- #>>>>10 byte 7 \b08-
- #>>>>10 byte 8 \b09-
- #>>>>10 byte 9 \b10-
- #>>>>10 byte 10 \b11-
- #>>>>10 byte 11 \b12-
- #>>>>9 ubyte >0 \b%02d)
- # ftp://ftp.f-prot.com/pub/sign2.zip
- #0 ubyte 0x62
- #>1 ubyte 0xF5
- #>>2 ubyte 0x1
- #>>>3 ubyte 0x1
- #>>>>4 ubyte 0x0e
- #>>>>>13 ubyte >0 fsav virus signatures
- #>>>>>>11 ubyte x size %#02x
- #>>>>>>12 ubyte x \b%02x
- #>>>>>>13 ubyte x \b%02x bytes
- # Joerg Jenderek: joerg dot jenderek at web dot de
- # clamav-0.100.2\docs\html\node60.html
- # https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf
- # ClamAV virus database files start with a 512 bytes colon separated header
- # ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
- # + gzipped (optional) tarball files
- # output can often be verified by `sigtool --info=FILE`
- 0 string ClamAV-VDB: Clam AntiVirus
- # padding spaces implies database
- >511 ubyte =0x20 database
- !:mime application/x-clamav-database
- # empty build time
- >>10 string =:: (unsigned)
- # sigtool(1) man page
- !:ext cud
- # display some text to avoid error like:
- # Magdir/fsav, 78: Warning: Current entry does not yet have a description for adding a EXTENSION type
- # file: could not find any valid magic files! (No error)
- >>10 default x (with buildtime)
- #>>10 default x
- # clamtmp is used for temporarily database like update process
- # for pure tar database only cld extension found
- !:ext cld/cvd/clamtmp/cud
- >511 default x file
- !:mime application/x-clamav
- !:ext info
- >11 string >\0
- # buildDate empty or like "22 Mar 2017 12-57 -0400"; verified by `sigtool -i FILE`
- >>11 regex \^[^:]{0,23} \b, %s
- # version like 25170
- >>>&1 regex \^[^:]{1,6} \b, version %s
- # signaturesNumbers like 4566249
- >>>>&1 regex \^[^:]{1,10} \b, %s signatures
- # functionalityLevelRequired like 60
- >>>>>&1 regex \^[^:]{1,4} \b, level %s
- # X for nothing or MD5
- #>>>>>>&1 regex \^[^:]{1,32} \b, MD5 "%s"
- >>>>>>&1 regex \^[^:]{1,32}
- # X for nothing or digital signature starting like AIzk/LYbX
- #>>>>>>>&1 regex \^[^:]{1,255} \b, signature "%s"
- >>>>>>>&1 regex \^[^:]{1,255}
- # builder like neo
- >>>>>>>>&1 regex \^[^:]{1,32} \b, builder %s
- # buildTime like 1506611558
- #>>>>>>>>>&1 regex \^[^:]{1,10} \b, %s
- >>>>>>>>>&1 regex \^[^:]{1,10}
- # padding with spaces
- #>>>>>>>>>>&1 ubequad x \b, padding %#16.16llx
- >510 ubyte =0x20
- # inspect real database content
- #>>512 ubeshort x \b, database MAGIC %#x
- # ./archive handle pure tar archives
- >>1012 quad =0 \b, with
- >>>512 use tar-file
- # not pure tar
- >>1012 quad !0
- # one space at the end of text and then handles gzipped archives by ./compress
- >>>512 string \037\213 \b, with
- >>>>512 indirect x
- # Type: Grisoft AVG AntiVirus
- # From: David Newgas <david@newgas.net>
- 0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data
- 0 string X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR
- >33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files
- # From: Joerg Jenderek
- # URL: https://www.avira.com/
- # Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows)
- # tested with version 15.0.43.23 at November 2019
- 0 string AntiVir\ Qua Avira AntiVir quarantined
- !:mime application/x-avira-qua
- #!:mime application/octet-stream
- !:ext qua
- >156 string SUSPICIOUS_FILE
- # file path of suspicious file
- >>220 lestring16 x %s
- >156 string !SUSPICIOUS_FILE
- # file path of virus file
- >>228 lestring16 x %s
- # quarantined date
- >60 ldate x at %s
- # virus/danger name
- >156 string !SUSPICIOUS_FILE
- >>156 string x \b, category "%s"
|