168349Sobrien
268349Sobrien#------------------------------------------------------------------------------
3267843Sdelphij# $File: fsav,v 1.13 2013/03/25 17:18:47 christos Exp $
468349Sobrien# fsav:  file(1) magic for datafellows fsav virus definition files
568349Sobrien# Anthon van der Neut (anthon@mnt.org)
6159764Sobrien
7159764Sobrien# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
8159764Sobrien0	beshort		0x1575		fsav macro virus signatures
968349Sobrien>8	leshort		>0		(%d-
1068349Sobrien>11	byte		>0		\b%02d-
1168349Sobrien>10	byte		>0		\b%02d)
12159764Sobrien# ftp://ftp.f-prot.com/pub/sign.zip
13159764Sobrien#10	ubyte		<12
14159764Sobrien#>9	ubyte		<32
15159764Sobrien#>>8	ubyte		0x0a
16159764Sobrien#>>>12	ubyte		0x07
17159764Sobrien#>>>>11	uleshort	>0		fsav DOS/Windows virus signatures (%d-
18159764Sobrien#>>>>10	byte		0		\b01-
19159764Sobrien#>>>>10	byte		1		\b02-
20159764Sobrien#>>>>10	byte		2		\b03-
21159764Sobrien#>>>>10	byte		3		\b04-
22159764Sobrien#>>>>10	byte		4		\b05-
23159764Sobrien#>>>>10	byte		5		\b06-
24159764Sobrien#>>>>10	byte		6		\b07-
25159764Sobrien#>>>>10	byte		7		\b08-
26159764Sobrien#>>>>10	byte		8		\b09-
27159764Sobrien#>>>>10	byte		9		\b10-
28159764Sobrien#>>>>10	byte		10		\b11-
29159764Sobrien#>>>>10	byte		11		\b12-
30159764Sobrien#>>>>9	ubyte		>0		\b%02d)
31159764Sobrien# ftp://ftp.f-prot.com/pub/sign2.zip
32159764Sobrien#0	ubyte		0x62		
33159764Sobrien#>1	ubyte		0xF5		
34159764Sobrien#>>2	ubyte		0x1		
35159764Sobrien#>>>3	ubyte		0x1		
36159764Sobrien#>>>>4	ubyte		0x0e		
37159764Sobrien#>>>>>13		ubyte	>0		fsav virus signatures
38159764Sobrien#>>>>>>11	ubyte	x		size 0x%02x
39159764Sobrien#>>>>>>12	ubyte	x		\b%02x
40159764Sobrien#>>>>>>13	ubyte	x		\b%02x bytes
4168349Sobrien
42159764Sobrien# Joerg Jenderek: joerg dot jenderek at web dot de
43159764Sobrien# http://www.clamav.net/doc/latest/html/node45.html
44159764Sobrien# .cvd files start with a 512 bytes colon separated header
45159764Sobrien# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
46159764Sobrien# + gzipped tarball files
47159764Sobrien0	string		ClamAV-VDB:	
48159764Sobrien>11	string		>\0		Clam AntiVirus database %-.23s
49159764Sobrien>>34	string		:		
50186690Sobrien>>>35		string		!:	\b, version 
51159764Sobrien>>>>35		string		x 	\b%-.1s
52159764Sobrien>>>>>36		string 		!:	
53159764Sobrien>>>>>>36	string		x 	\b%-.1s
54159764Sobrien>>>>>>>37	string		!:	
55159764Sobrien>>>>>>>>37	string		x 	\b%-.1s
56159764Sobrien>>>>>>>>>38	string		!:	
57159764Sobrien>>>>>>>>>>38	string		x 	\b%-.1s
58159764Sobrien>512	string		\037\213	\b, gzipped
59186690Sobrien>769	string		ustar\0		\b, tarred
60186690Sobrien
61186690Sobrien# Type: Grisoft AVG AntiVirus
62186690Sobrien# From: David Newgas <david@newgas.net>
63186690Sobrien0	string	AVG7_ANTIVIRUS_VAULT_FILE	AVG 7 Antivirus vault file data
64267843Sdelphij
65267843Sdelphij0	string	X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR
66267843Sdelphij>33	string	-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*	EICAR virus test files
67