1327e51cbSPeter Avalos
2327e51cbSPeter Avalos#------------------------------------------------------------------------------
3*614728caSSascha Wildner# $File: fsav,v 1.22 2021/04/26 15:56:00 christos Exp $
4327e51cbSPeter Avalos# fsav:  file(1) magic for datafellows fsav virus definition files
5327e51cbSPeter Avalos# Anthon van der Neut (anthon@mnt.org)
6327e51cbSPeter Avalos
7327e51cbSPeter Avalos# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
8327e51cbSPeter Avalos0	beshort		0x1575		fsav macro virus signatures
9327e51cbSPeter Avalos>8	leshort		>0		(%d-
10327e51cbSPeter Avalos>11	byte		>0		\b%02d-
11327e51cbSPeter Avalos>10	byte		>0		\b%02d)
12327e51cbSPeter Avalos# ftp://ftp.f-prot.com/pub/sign.zip
13327e51cbSPeter Avalos#10	ubyte		<12
14327e51cbSPeter Avalos#>9	ubyte		<32
15327e51cbSPeter Avalos#>>8	ubyte		0x0a
16327e51cbSPeter Avalos#>>>12	ubyte		0x07
17327e51cbSPeter Avalos#>>>>11	uleshort	>0		fsav DOS/Windows virus signatures (%d-
18327e51cbSPeter Avalos#>>>>10	byte		0		\b01-
19327e51cbSPeter Avalos#>>>>10	byte		1		\b02-
20327e51cbSPeter Avalos#>>>>10	byte		2		\b03-
21327e51cbSPeter Avalos#>>>>10	byte		3		\b04-
22327e51cbSPeter Avalos#>>>>10	byte		4		\b05-
23327e51cbSPeter Avalos#>>>>10	byte		5		\b06-
24327e51cbSPeter Avalos#>>>>10	byte		6		\b07-
25327e51cbSPeter Avalos#>>>>10	byte		7		\b08-
26327e51cbSPeter Avalos#>>>>10	byte		8		\b09-
27327e51cbSPeter Avalos#>>>>10	byte		9		\b10-
28327e51cbSPeter Avalos#>>>>10	byte		10		\b11-
29327e51cbSPeter Avalos#>>>>10	byte		11		\b12-
30327e51cbSPeter Avalos#>>>>9	ubyte		>0		\b%02d)
31327e51cbSPeter Avalos# ftp://ftp.f-prot.com/pub/sign2.zip
32327e51cbSPeter Avalos#0	ubyte		0x62
33327e51cbSPeter Avalos#>1	ubyte		0xF5
34327e51cbSPeter Avalos#>>2	ubyte		0x1
35327e51cbSPeter Avalos#>>>3	ubyte		0x1
36327e51cbSPeter Avalos#>>>>4	ubyte		0x0e
37327e51cbSPeter Avalos#>>>>>13		ubyte	>0		fsav virus signatures
38*614728caSSascha Wildner#>>>>>>11	ubyte	x		size %#02x
39327e51cbSPeter Avalos#>>>>>>12	ubyte	x		\b%02x
40327e51cbSPeter Avalos#>>>>>>13	ubyte	x		\b%02x bytes
41327e51cbSPeter Avalos
42327e51cbSPeter Avalos# Joerg Jenderek: joerg dot jenderek at web dot de
436fca56fbSSascha Wildner# clamav-0.100.2\docs\html\node60.html
446fca56fbSSascha Wildner# https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf
456fca56fbSSascha Wildner# ClamAV virus database files start with a 512-byte colon-separated header
46327e51cbSPeter Avalos# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
476fca56fbSSascha Wildner# + gzipped (optional) tarball files
486fca56fbSSascha Wildner# output can often be verified by `sigtool --info=FILE`
496fca56fbSSascha Wildner0	string		ClamAV-VDB:	Clam AntiVirus
506fca56fbSSascha Wildner# padding with spaces implies a database
516fca56fbSSascha Wildner>511	ubyte		=0x20		database
526fca56fbSSascha Wildner!:mime	application/x-clamav-database
536fca56fbSSascha Wildner# empty build time
546fca56fbSSascha Wildner>>10	string		=::		(unsigned)
556fca56fbSSascha Wildner# sigtool(1) man page
566fca56fbSSascha Wildner!:ext	cud
576fca56fbSSascha Wildner# display some text to avoid errors like:
586fca56fbSSascha Wildner# Magdir/fsav, 78: Warning: Current entry does not yet have a description for adding a EXTENSION type
596fca56fbSSascha Wildner# file: could not find any valid magic files! (No error)
606fca56fbSSascha Wildner>>10	default		x		(with buildtime)
616fca56fbSSascha Wildner#>>10	default		x
62970935fdSSascha Wildner# clamtmp is used for a temporary database, e.g. during the update process
636fca56fbSSascha Wildner# for pure tar databases only the cld extension has been found
646fca56fbSSascha Wildner!:ext	cld/cvd/clamtmp/cud
656fca56fbSSascha Wildner>511	default		x		file
666fca56fbSSascha Wildner!:mime	application/x-clamav
676fca56fbSSascha Wildner!:ext	info
686fca56fbSSascha Wildner>11	string		>\0
696fca56fbSSascha Wildner# buildDate empty or like "22 Mar 2017 12-57 -0400"; verified by `sigtool -i FILE`
706fca56fbSSascha Wildner>>11	regex		\^[^:]{0,23}	\b, %s
716fca56fbSSascha Wildner# version like 25170
726fca56fbSSascha Wildner>>>&1	regex		\^[^:]{1,6}	\b, version %s
736fca56fbSSascha Wildner# signaturesNumbers like 4566249
746fca56fbSSascha Wildner>>>>&1	regex		\^[^:]{1,10}	\b, %s signatures
756fca56fbSSascha Wildner# functionalityLevelRequired like 60
766fca56fbSSascha Wildner>>>>>&1	regex		\^[^:]{1,4}	\b, level %s
776fca56fbSSascha Wildner# X when absent, otherwise the MD5 checksum
786fca56fbSSascha Wildner#>>>>>>&1	regex	\^[^:]{1,32}	\b, MD5 "%s"
796fca56fbSSascha Wildner>>>>>>&1	regex	\^[^:]{1,32}
806fca56fbSSascha Wildner# X when absent, otherwise a digital signature starting like AIzk/LYbX
816fca56fbSSascha Wildner#>>>>>>>&1	regex	\^[^:]{1,255}	\b, signature "%s"
826fca56fbSSascha Wildner>>>>>>>&1	regex	\^[^:]{1,255}
836fca56fbSSascha Wildner# builder like neo
846fca56fbSSascha Wildner>>>>>>>>&1	regex	\^[^:]{1,32}	\b, builder %s
856fca56fbSSascha Wildner# buildTime like 1506611558
866fca56fbSSascha Wildner#>>>>>>>>>&1	regex	\^[^:]{1,10}	\b, %s
876fca56fbSSascha Wildner>>>>>>>>>&1	regex	\^[^:]{1,10}
886fca56fbSSascha Wildner# padding with spaces
89*614728caSSascha Wildner#>>>>>>>>>>&1	ubequad	x		\b, padding %#16.16llx
906fca56fbSSascha Wildner>510	ubyte		=0x20
916fca56fbSSascha Wildner# inspect real database content
92*614728caSSascha Wildner#>>512	ubeshort	x		\b, database MAGIC %#x
936fca56fbSSascha Wildner# ./archive handles pure tar archives
946fca56fbSSascha Wildner>>1012	quad		=0		\b, with
956fca56fbSSascha Wildner>>>512	use		tar-file
966fca56fbSSascha Wildner# not pure tar
976fca56fbSSascha Wildner>>1012	quad		!0
98970935fdSSascha Wildner# one space at the end of the text; gzipped archives are then handled by ./compress
996fca56fbSSascha Wildner>>>512	string		\037\213	\b, with
1006fca56fbSSascha Wildner>>>>512	indirect	x
10179343712SPeter Avalos
10279343712SPeter Avalos# Type: Grisoft AVG AntiVirus
10379343712SPeter Avalos# From: David Newgas <david@newgas.net>
10479343712SPeter Avalos0	string	AVG7_ANTIVIRUS_VAULT_FILE	AVG 7 Antivirus vault file data
105e8af9738SPeter Avalos
106e8af9738SPeter Avalos0	string	X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR
107e8af9738SPeter Avalos>33	string	-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*	EICAR virus test files
1086fca56fbSSascha Wildner
1096fca56fbSSascha Wildner# From: Joerg Jenderek
1106fca56fbSSascha Wildner# URL: https://www.avira.com/
1116fca56fbSSascha Wildner# Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows)
1126fca56fbSSascha Wildner# tested with version 15.0.43.23 at November 2019
1136fca56fbSSascha Wildner0	string		AntiVir\ Qua	Avira AntiVir quarantined
1146fca56fbSSascha Wildner!:mime	application/x-avira-qua
1156fca56fbSSascha Wildner#!:mime	application/octet-stream
1166fca56fbSSascha Wildner!:ext	qua
1176fca56fbSSascha Wildner>156	string		SUSPICIOUS_FILE
1186fca56fbSSascha Wildner# file path of suspicious file
1196fca56fbSSascha Wildner>>220	lestring16	x		%s
1206fca56fbSSascha Wildner>156	string		!SUSPICIOUS_FILE
1216fca56fbSSascha Wildner# file path of virus file
1226fca56fbSSascha Wildner>>228	lestring16	x		%s
1236fca56fbSSascha Wildner# quarantined date
1246fca56fbSSascha Wildner>60	ldate		x		at %s
1256fca56fbSSascha Wildner# virus/danger name
1266fca56fbSSascha Wildner>156	string		!SUSPICIOUS_FILE
1276fca56fbSSascha Wildner>>156	string		x		\b, category "%s"
1286fca56fbSSascha Wildner