file_ex/magic/Magdir/fsav

129 lines
4.1 KiB
Text
Raw Normal View History

2023-08-06 16:12:15 +00:00
#------------------------------------------------------------------------------
# $File: fsav,v 1.22 2021/04/26 15:56:00 christos Exp $
# fsav: file(1) magic for datafellows fsav virus definition files
# Anthon van der Neut (anthon@mnt.org)
# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
0 beshort 0x1575 fsav macro virus signatures
>8 leshort >0 (%d-
>11 byte >0 \b%02d-
>10 byte >0 \b%02d)
# ftp://ftp.f-prot.com/pub/sign.zip
#10 ubyte <12
#>9 ubyte <32
#>>8 ubyte 0x0a
#>>>12 ubyte 0x07
#>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d-
#>>>>10 byte 0 \b01-
#>>>>10 byte 1 \b02-
#>>>>10 byte 2 \b03-
#>>>>10 byte 3 \b04-
#>>>>10 byte 4 \b05-
#>>>>10 byte 5 \b06-
#>>>>10 byte 6 \b07-
#>>>>10 byte 7 \b08-
#>>>>10 byte 8 \b09-
#>>>>10 byte 9 \b10-
#>>>>10 byte 10 \b11-
#>>>>10 byte 11 \b12-
#>>>>9 ubyte >0 \b%02d)
# ftp://ftp.f-prot.com/pub/sign2.zip
#0 ubyte 0x62
#>1 ubyte 0xF5
#>>2 ubyte 0x1
#>>>3 ubyte 0x1
#>>>>4 ubyte 0x0e
#>>>>>13 ubyte >0 fsav virus signatures
#>>>>>>11 ubyte x size %#02x
#>>>>>>12 ubyte x \b%02x
#>>>>>>13 ubyte x \b%02x bytes
# Joerg Jenderek: joerg dot jenderek at web dot de
# clamav-0.100.2\docs\html\node60.html
# https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf
# ClamAV virus database files start with a 512 bytes colon separated header
# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
# + gzipped (optional) tarball files
# output can often be verified by `sigtool --info=FILE`
0 string ClamAV-VDB: Clam AntiVirus
# padding spaces implies database
>511 ubyte =0x20 database
!:mime application/x-clamav-database
# empty build time
>>10 string =:: (unsigned)
# sigtool(1) man page
!:ext cud
# display some text to avoid error like:
# Magdir/fsav, 78: Warning: Current entry does not yet have a description for adding a EXTENSION type
# file: could not find any valid magic files! (No error)
>>10 default x (with buildtime)
#>>10 default x
# clamtmp is used for temporarily database like update process
# for pure tar database only cld extension found
!:ext cld/cvd/clamtmp/cud
>511 default x file
!:mime application/x-clamav
!:ext info
>11 string >\0
# buildDate empty or like "22 Mar 2017 12-57 -0400"; verified by `sigtool -i FILE`
>>11 regex \^[^:]{0,23} \b, %s
# version like 25170
>>>&1 regex \^[^:]{1,6} \b, version %s
# signaturesNumbers like 4566249
>>>>&1 regex \^[^:]{1,10} \b, %s signatures
# functionalityLevelRequired like 60
>>>>>&1 regex \^[^:]{1,4} \b, level %s
# X for nothing or MD5
#>>>>>>&1 regex \^[^:]{1,32} \b, MD5 "%s"
>>>>>>&1 regex \^[^:]{1,32}
# X for nothing or digital signature starting like AIzk/LYbX
#>>>>>>>&1 regex \^[^:]{1,255} \b, signature "%s"
>>>>>>>&1 regex \^[^:]{1,255}
# builder like neo
>>>>>>>>&1 regex \^[^:]{1,32} \b, builder %s
# buildTime like 1506611558
#>>>>>>>>>&1 regex \^[^:]{1,10} \b, %s
>>>>>>>>>&1 regex \^[^:]{1,10}
# padding with spaces
#>>>>>>>>>>&1 ubequad x \b, padding %#16.16llx
>510 ubyte =0x20
# inspect real database content
#>>512 ubeshort x \b, database MAGIC %#x
# ./archive handle pure tar archives
>>1012 quad =0 \b, with
>>>512 use tar-file
# not pure tar
>>1012 quad !0
# one space at the end of text and then handles gzipped archives by ./compress
>>>512 string \037\213 \b, with
>>>>512 indirect x
# Type: Grisoft AVG AntiVirus
# From: David Newgas <david@newgas.net>
0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data
0 string X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR
>33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files
# From: Joerg Jenderek
# URL: https://www.avira.com/
# Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows)
# tested with version 15.0.43.23 at November 2019
0 string AntiVir\ Qua Avira AntiVir quarantined
!:mime application/x-avira-qua
#!:mime application/octet-stream
!:ext qua
>156 string SUSPICIOUS_FILE
# file path of suspicious file
>>220 lestring16 x %s
>156 string !SUSPICIOUS_FILE
# file path of virus file
>>228 lestring16 x %s
# quarantined date
>60 ldate x at %s
# virus/danger name
>156 string !SUSPICIOUS_FILE
>>156 string x \b, category "%s"