diff options
Diffstat (limited to 'contrib/file/Magdir/fsav')
-rw-r--r-- | contrib/file/Magdir/fsav | 71 |
1 files changed, 52 insertions, 19 deletions
diff --git a/contrib/file/Magdir/fsav b/contrib/file/Magdir/fsav index 4218936..4d61beb 100644 --- a/contrib/file/Magdir/fsav +++ b/contrib/file/Magdir/fsav @@ -2,26 +2,59 @@ #------------------------------------------------------------------------------ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) -0 beshort 0x1575 fsav (linux) macro virus + +# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def} +0 beshort 0x1575 fsav macro virus signatures >8 leshort >0 (%d- >11 byte >0 \b%02d- >10 byte >0 \b%02d) +# ftp://ftp.f-prot.com/pub/sign.zip +#10 ubyte <12 +#>9 ubyte <32 +#>>8 ubyte 0x0a +#>>>12 ubyte 0x07 +#>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d- +#>>>>10 byte 0 \b01- +#>>>>10 byte 1 \b02- +#>>>>10 byte 2 \b03- +#>>>>10 byte 3 \b04- +#>>>>10 byte 4 \b05- +#>>>>10 byte 5 \b06- +#>>>>10 byte 6 \b07- +#>>>>10 byte 7 \b08- +#>>>>10 byte 8 \b09- +#>>>>10 byte 9 \b10- +#>>>>10 byte 10 \b11- +#>>>>10 byte 11 \b12- +#>>>>9 ubyte >0 \b%02d) +# ftp://ftp.f-prot.com/pub/sign2.zip +#0 ubyte 0x62 +#>1 ubyte 0xF5 +#>>2 ubyte 0x1 +#>>>3 ubyte 0x1 +#>>>>4 ubyte 0x0e +#>>>>>13 ubyte >0 fsav virus signatures +#>>>>>>11 ubyte x size 0x%02x +#>>>>>>12 ubyte x \b%02x +#>>>>>>13 ubyte x \b%02x bytes -# comment this out for now because it regognizes every file where -# the eighth character is \n -#8 byte 0x0a -#>12 byte 0x07 -#>11 leshort >0 fsav (linux) virus (%d- -#>10 byte 0 \b01- -#>10 byte 1 \b02- -#>10 byte 2 \b03- -#>10 byte 3 \b04- -#>10 byte 4 \b05- -#>10 byte 5 \b06- -#>10 byte 6 \b07- -#>10 byte 7 \b08- -#>10 byte 8 \b08- -#>10 byte 9 \b10- -#>10 byte 10 \b11- -#>10 byte 11 \b12- -#>9 byte >0 \b%02d) +# Joerg Jenderek: joerg dot jenderek at web dot de +# http://www.clamav.net/doc/latest/html/node45.html +# .cvd files start with a 512 bytes colon separated header +# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime +# + gzipped tarball files +0 string ClamAV-VDB: +>11 string >\0 Clam AntiVirus database %-.23s +>>34 string : +>>>35 regex [^:]+ \b, version +>>>>35 string x \b%-.1s +>>>>>36 string !: +>>>>>>36 string x \b%-.1s +>>>>>>>37 string !: +>>>>>>>>37 string x \b%-.1s +>>>>>>>>>38 string !: +>>>>>>>>>>38 string x \b%-.1s +>>>>512 string \037\213 \b, gzipped +>>>>769 string ustar\0 \b, tared +>512 string \037\213 \b, gzipped +>769 string ustar\0 \b, tared |