git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Tree: af88ea4a86
Branches Tags
file
/
magic
/
Magdir
/
fsav

fsav 4.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 
  1. 

  2. #------------------------------------------------------------------------------
    3. 

  3. # $File: fsav,v 1.19 2019/04/19 00:42:27 christos Exp $
    4. 

  4. # fsav:  file(1) magic for datafellows fsav virus definition files
    5. 

  5. # Anthon van der Neut (anthon@mnt.org)
    6. 

  6. 

  7. # ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
    8. 

  8. 0	beshort		0x1575		fsav macro virus signatures
    9. 

  9. >8	leshort		>0		(%d-
    10. 

  10. >11	byte		>0		\b%02d-
    11. 

  11. >10	byte		>0		\b%02d)
    12. 

  12. # ftp://ftp.f-prot.com/pub/sign.zip
    13. 

  13. #10	ubyte		<12
    14. 

  14. #>9	ubyte		<32
    15. 

  15. #>>8	ubyte		0x0a
    16. 

  16. #>>>12	ubyte		0x07
    17. 

  17. #>>>>11	uleshort	>0		fsav DOS/Windows virus signatures (%d-
    18. 

  18. #>>>>10	byte		0		\b01-
    19. 

  19. #>>>>10	byte		1		\b02-
    20. 

  20. #>>>>10	byte		2		\b03-
    21. 

  21. #>>>>10	byte		3		\b04-
    22. 

  22. #>>>>10	byte		4		\b05-
    23. 

  23. #>>>>10	byte		5		\b06-
    24. 

  24. #>>>>10	byte		6		\b07-
    25. 

  25. #>>>>10	byte		7		\b08-
    26. 

  26. #>>>>10	byte		8		\b09-
    27. 

  27. #>>>>10	byte		9		\b10-
    28. 

  28. #>>>>10	byte		10		\b11-
    29. 

  29. #>>>>10	byte		11		\b12-
    30. 

  30. #>>>>9	ubyte		>0		\b%02d)
    31. 

  31. # ftp://ftp.f-prot.com/pub/sign2.zip
    32. 

  32. #0	ubyte		0x62
    33. 

  33. #>1	ubyte		0xF5
    34. 

  34. #>>2	ubyte		0x1
    35. 

  35. #>>>3	ubyte		0x1
    36. 

  36. #>>>>4	ubyte		0x0e
    37. 

  37. #>>>>>13		ubyte	>0		fsav virus signatures
    38. 

  38. #>>>>>>11	ubyte	x		size 0x%02x
    39. 

  39. #>>>>>>12	ubyte	x		\b%02x
    40. 

  40. #>>>>>>13	ubyte	x		\b%02x bytes
    41. 

  41. 

  42. # Joerg Jenderek: joerg dot jenderek at web dot de
    43. 

  43. # clamav-0.100.2\docs\html\node60.html 
    44. 

  44. # https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf
    45. 

  45. # ClamAV virus database files start with a 512 bytes colon separated header
    46. 

  46. # ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
    47. 

  47. # + gzipped (optional) tarball files
    48. 

  48. # output can often be verified by `sigtool --info=FILE`
    49. 

  49. 0	string		ClamAV-VDB:	Clam AntiVirus
    50. 

  50. # padding spaces implies database
    51. 

  51. >511	ubyte		=0x20		database
    52. 

  52. !:mime	application/x-clamav-database
    53. 

  53. # empty build time
    54. 

  54. >>10	string		=::		(unsigned)
    55. 

  55. # sigtool(1) man page
    56. 

  56. !:ext	cud
    57. 

  57. # display some text to avoid error like:
    58. 

  58. # Magdir/fsav, 78: Warning: Current entry does not yet have a description for adding a EXTENSION type
    59. 

  59. # file: could not find any valid magic files! (No error)
    60. 

  60. >>10	default		x		(with buildtime)
    61. 

  61. #>>10	default		x
    62. 

  62. # clamtmp is used for temporily database like update process
    63. 

  63. # for pure tar database only cld extension found
    64. 

  64. !:ext	cld/cvd/clamtmp/cud
    65. 

  65. >511	default		x		file
    66. 

  66. !:mime	application/x-clamav
    67. 

  67. !:ext	info
    68. 

  68. >11	string		>\0
    69. 

  69. # buildDate empty or like "22 Mar 2017 12-57 -0400"; verified by `sigtool -i FILE`
    70. 

  70. >>11	regex		\^[^:]{0,23}	\b, %s
    71. 

  71. # version like 25170
    72. 

  72. >>>&1	regex		\^[^:]{1,6}	\b, version %s
    73. 

  73. # signaturesNumbers like 4566249
    74. 

  74. >>>>&1	regex		\^[^:]{1,10}	\b, %s signatures
    75. 

  75. # functionalityLevelRequired like 60
    76. 

  76. >>>>>&1	regex		\^[^:]{1,4}	\b, level %s
    77. 

  77. # X for nothing or MD5
    78. 

  78. #>>>>>>&1	regex	\^[^:]{1,32}	\b, MD5 "%s"
    79. 

  79. >>>>>>&1	regex	\^[^:]{1,32}
    80. 

  80. # X for nothing or digital signature starting like AIzk/LYbX
    81. 

  81. #>>>>>>>&1	regex	\^[^:]{1,255}	\b, signature "%s"
    82. 

  82. >>>>>>>&1	regex	\^[^:]{1,255}
    83. 

  83. # builder like neo
    84. 

  84. >>>>>>>>&1	regex	\^[^:]{1,32}	\b, builder %s
    85. 

  85. # buildTime like 1506611558
    86. 

  86. #>>>>>>>>>&1	regex	\^[^:]{1,10}	\b, %s
    87. 

  87. >>>>>>>>>&1	regex	\^[^:]{1,10}	
    88. 

  88. # padding with spaces
    89. 

  89. #>>>>>>>>>>&1	ubequad	x		\b, padding 0x%16.16llx
    90. 

  90. >510	ubyte		=0x20
    91. 

  91. # inspect real database content
    92. 

  92. #>>512	ubeshort	x		\b, database MAGIC 0x%x
    93. 

  93. # ./archive handle pure tar archives
    94. 

  94. >>1012	quad		=0		\b, with
    95. 

  95. >>>512	use		tar-file
    96. 

  96. # not pure tar
    97. 

  97. >>1012	quad		!0
    98. 

  98. # one space at the end of text and then handles gziped archives by ./compress
    99. 

  99. >>>512	string		\037\213	\b, with 
    100. 

  100. >>>>512	indirect	x
    101. 

  101. 

  102. # Type: Grisoft AVG AntiVirus
    103. 

  103. # From: David Newgas <david@newgas.net>
    104. 

  104. 0	string	AVG7_ANTIVIRUS_VAULT_FILE	AVG 7 Antivirus vault file data
    105. 

  105. 

  106. 0	string	X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR
    107. 

  107. >33	string	-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*	EICAR virus test files
    108. 

  108. 

  109. # From: Joerg Jenderek
    110. 

  110. # URL: https://www.avira.com/
    111. 

  111. # Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows)
    112. 

  112. # tested with version 15.0.43.23 at November 2019
    113. 

  113. 0	string		AntiVir\ Qua	Avira AntiVir quarantined
    114. 

  114. !:mime	application/x-avira-qua
    115. 

  115. #!:mime	application/octet-stream
    116. 

  116. !:ext	qua
    117. 

  117. >156	string		SUSPICIOUS_FILE
    118. 

  118. # file path of suspicious file
    119. 

  119. >>220	lestring16	x		%s
    120. 

  120. >156	string		!SUSPICIOUS_FILE
    121. 

  121. # file path of virus file
    122. 

  122. >>228	lestring16	x		%s
    123. 

  123. # quarantined date
    124. 

  124. >60	ldate		x		at %s
    125. 

  125. # virus/danger name
    126. 

  126. >156	string		!SUSPICIOUS_FILE
    127. 

  127. >>156	string		x		\b, category "%s"
    128. 

  128.