1 2#------------------------------------------------------------------------------ 3# $File: fsav,v 1.22 2021/04/26 15:56:00 christos Exp $ 4# fsav: file(1) magic for datafellows fsav virus definition files 5# Anthon van der Neut (anthon@mnt.org) 6 7# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def} 80 beshort 0x1575 fsav macro virus signatures 9>8 leshort >0 (%d- 10>11 byte >0 \b%02d- 11>10 byte >0 \b%02d) 12# ftp://ftp.f-prot.com/pub/sign.zip 13#10 ubyte <12 14#>9 ubyte <32 15#>>8 ubyte 0x0a 16#>>>12 ubyte 0x07 17#>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d- 18#>>>>10 byte 0 \b01- 19#>>>>10 byte 1 \b02- 20#>>>>10 byte 2 \b03- 21#>>>>10 byte 3 \b04- 22#>>>>10 byte 4 \b05- 23#>>>>10 byte 5 \b06- 24#>>>>10 byte 6 \b07- 25#>>>>10 byte 7 \b08- 26#>>>>10 byte 8 \b09- 27#>>>>10 byte 9 \b10- 28#>>>>10 byte 10 \b11- 29#>>>>10 byte 11 \b12- 30#>>>>9 ubyte >0 \b%02d) 31# ftp://ftp.f-prot.com/pub/sign2.zip 32#0 ubyte 0x62 33#>1 ubyte 0xF5 34#>>2 ubyte 0x1 35#>>>3 ubyte 0x1 36#>>>>4 ubyte 0x0e 37#>>>>>13 ubyte >0 fsav virus signatures 38#>>>>>>11 ubyte x size %#02x 39#>>>>>>12 ubyte x \b%02x 40#>>>>>>13 ubyte x \b%02x bytes 41 42# Joerg Jenderek: joerg dot jenderek at web dot de 43# clamav-0.100.2\docs\html\node60.html 44# https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf 45# ClamAV virus database files start with a 512 bytes colon separated header 46# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime 47# + gzipped (optional) tarball files 48# output can often be verified by `sigtool --info=FILE` 490 string ClamAV-VDB: Clam AntiVirus 50# padding spaces implies database 51>511 ubyte =0x20 database 52!:mime application/x-clamav-database 53# empty build time 54>>10 string =:: (unsigned) 55# sigtool(1) man page 56!:ext cud 57# display some text to avoid error like: 58# Magdir/fsav, 78: Warning: Current entry does not yet have a description for adding a EXTENSION type 59# file: could not find any valid magic files! (No error) 60>>10 default x (with buildtime) 61#>>10 default x 62# clamtmp is used for temporarily database like update process 63# for pure tar database only cld extension found 64!:ext cld/cvd/clamtmp/cud 65>511 default x file 66!:mime application/x-clamav 67!:ext info 68>11 string >\0 69# buildDate empty or like "22 Mar 2017 12-57 -0400"; verified by `sigtool -i FILE` 70>>11 regex \^[^:]{0,23} \b, %s 71# version like 25170 72>>>&1 regex \^[^:]{1,6} \b, version %s 73# signaturesNumbers like 4566249 74>>>>&1 regex \^[^:]{1,10} \b, %s signatures 75# functionalityLevelRequired like 60 76>>>>>&1 regex \^[^:]{1,4} \b, level %s 77# X for nothing or MD5 78#>>>>>>&1 regex \^[^:]{1,32} \b, MD5 "%s" 79>>>>>>&1 regex \^[^:]{1,32} 80# X for nothing or digital signature starting like AIzk/LYbX 81#>>>>>>>&1 regex \^[^:]{1,255} \b, signature "%s" 82>>>>>>>&1 regex \^[^:]{1,255} 83# builder like neo 84>>>>>>>>&1 regex \^[^:]{1,32} \b, builder %s 85# buildTime like 1506611558 86#>>>>>>>>>&1 regex \^[^:]{1,10} \b, %s 87>>>>>>>>>&1 regex \^[^:]{1,10} 88# padding with spaces 89#>>>>>>>>>>&1 ubequad x \b, padding %#16.16llx 90>510 ubyte =0x20 91# inspect real database content 92#>>512 ubeshort x \b, database MAGIC %#x 93# ./archive handle pure tar archives 94>>1012 quad =0 \b, with 95>>>512 use tar-file 96# not pure tar 97>>1012 quad !0 98# one space at the end of text and then handles gzipped archives by ./compress 99>>>512 string \037\213 \b, with 100>>>>512 indirect x 101 102# Type: Grisoft AVG AntiVirus 103# From: David Newgas <david@newgas.net> 1040 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data 105 1060 string X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR 107>33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files 108 109# From: Joerg Jenderek 110# URL: https://www.avira.com/ 111# Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows) 112# tested with version 15.0.43.23 at November 2019 1130 string AntiVir\ Qua Avira AntiVir quarantined 114!:mime application/x-avira-qua 115#!:mime application/octet-stream 116!:ext qua 117>156 string SUSPICIOUS_FILE 118# file path of suspicious file 119>>220 lestring16 x %s 120>156 string !SUSPICIOUS_FILE 121# file path of virus file 122>>228 lestring16 x %s 123# quarantined date 124>60 ldate x at %s 125# virus/danger name 126>156 string !SUSPICIOUS_FILE 127>>156 string x \b, category "%s" 128 129