fsav (68349) fsav (159764)
1
2#------------------------------------------------------------------------------
3# fsav: file(1) magic for datafellows fsav virus definition files
4# Anthon van der Neut (anthon@mnt.org)
1
2#------------------------------------------------------------------------------
3# fsav: file(1) magic for datafellows fsav virus definition files
4# Anthon van der Neut (anthon@mnt.org)
50 beshort 0x1575 fsav (linux) macro virus
5
6# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
70 beshort 0x1575 fsav macro virus signatures
6>8 leshort >0 (%d-
7>11 byte >0 \b%02d-
8>10 byte >0 \b%02d)
8>8 leshort >0 (%d-
9>11 byte >0 \b%02d-
10>10 byte >0 \b%02d)
11# ftp://ftp.f-prot.com/pub/sign.zip
12#10 ubyte <12
13#>9 ubyte <32
14#>>8 ubyte 0x0a
15#>>>12 ubyte 0x07
16#>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d-
17#>>>>10 byte 0 \b01-
18#>>>>10 byte 1 \b02-
19#>>>>10 byte 2 \b03-
20#>>>>10 byte 3 \b04-
21#>>>>10 byte 4 \b05-
22#>>>>10 byte 5 \b06-
23#>>>>10 byte 6 \b07-
24#>>>>10 byte 7 \b08-
25#>>>>10 byte 8 \b09-
26#>>>>10 byte 9 \b10-
27#>>>>10 byte 10 \b11-
28#>>>>10 byte 11 \b12-
29#>>>>9 ubyte >0 \b%02d)
30# ftp://ftp.f-prot.com/pub/sign2.zip
31#0 ubyte 0x62
32#>1 ubyte 0xF5
33#>>2 ubyte 0x1
34#>>>3 ubyte 0x1
35#>>>>4 ubyte 0x0e
36#>>>>>13 ubyte >0 fsav virus signatures
37#>>>>>>11 ubyte x size 0x%02x
38#>>>>>>12 ubyte x \b%02x
39#>>>>>>13 ubyte x \b%02x bytes
9
40
10# comment this out for now because it regognizes every file where
11# the eighth character is \n
12#8 byte 0x0a
13#>12 byte 0x07
14#>11 leshort >0 fsav (linux) virus (%d-
15#>10 byte 0 \b01-
16#>10 byte 1 \b02-
17#>10 byte 2 \b03-
18#>10 byte 3 \b04-
19#>10 byte 4 \b05-
20#>10 byte 5 \b06-
21#>10 byte 6 \b07-
22#>10 byte 7 \b08-
23#>10 byte 8 \b08-
24#>10 byte 9 \b10-
25#>10 byte 10 \b11-
26#>10 byte 11 \b12-
27#>9 byte >0 \b%02d)
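Review bot: The commented-out sign.zip and sign2.zip rules (new lines 11-39) are added with no note on why they are disabled, while the removed block's explanation ("it recognizes every file where the eighth character is \n") is dropped along with it. The new sign.zip rule adds range guards (`#10 ubyte <12`, `#>9 ubyte <32`) that look aimed at that false-positive problem, so either enable it or keep a short comment saying what still blocks enabling it. The sign2.zip rule needs the same: it chains five single-byte tests before printing anything, and the file should say whether that is considered specific enough.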
41# Joerg Jenderek: joerg dot jenderek at web dot de
42# http://www.clamav.net/doc/latest/html/node45.html
43# .cvd files start with a 512 bytes colon separated header
44# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
45# + gzipped tarball files
460 string ClamAV-VDB:
47>11 string >\0 Clam AntiVirus database %-.23s
48>>34 string :
49>>>35 regex [^:]+ \b, version
50>>>>35 string x \b%-.1s
51>>>>>36 string !:
52>>>>>>36 string x \b%-.1s
53>>>>>>>37 string !:
54>>>>>>>>37 string x \b%-.1s
55>>>>>>>>>38 string !:
56>>>>>>>>>>38 string x \b%-.1s
57>>>>512 string \037\213 \b, gzipped
58>>>>769 string ustar\0 \b, tared
59>512 string \037\213 \b, gzipped
60>769 string ustar\0 \b, tared
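Review bot: The gzip and tar tests appear twice, once under the version branch (`>>>>512`, `>>>>769`) and again directly under the top-level match (`>512`, `>769`), so for a header where the date and version branch matches both pairs look reachable and ", gzipped" or ", tared" would be appended twice. Keeping only the level-one pair should cover both cases. Two smaller points: "tared" should read "tarred", and the version output depends on the build date being exactly 23 characters (`>>34 string :`) and prints at most four characters through the nested `%-.1s` tests, which deserves a comment next to the header-format line.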