diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:52:51 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:52:51 +0000 |
commit | 71507ca5d2410b11889ca963fafcd1bcad5044c3 (patch) | |
tree | 17e6d07243d49e29e4b75887e0d07f24ec2b66e8 /magic/Magdir/fsav | |
parent | Initial commit. (diff) | |
download | file-71507ca5d2410b11889ca963fafcd1bcad5044c3.tar.xz file-71507ca5d2410b11889ca963fafcd1bcad5044c3.zip |
Adding upstream version 1:5.44.upstream/1%5.44upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'magic/Magdir/fsav')
-rw-r--r-- | magic/Magdir/fsav | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/magic/Magdir/fsav b/magic/Magdir/fsav new file mode 100644 index 0000000..5c1d6e2 --- /dev/null +++ b/magic/Magdir/fsav @@ -0,0 +1,128 @@ + +#------------------------------------------------------------------------------ +# $File: fsav,v 1.22 2021/04/26 15:56:00 christos Exp $ +# fsav: file(1) magic for datafellows fsav virus definition files +# Anthon van der Neut (anthon@mnt.org) + +# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def} +0 beshort 0x1575 fsav macro virus signatures +>8 leshort >0 (%d- +>11 byte >0 \b%02d- +>10 byte >0 \b%02d) +# ftp://ftp.f-prot.com/pub/sign.zip +#10 ubyte <12 +#>9 ubyte <32 +#>>8 ubyte 0x0a +#>>>12 ubyte 0x07 +#>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d- +#>>>>10 byte 0 \b01- +#>>>>10 byte 1 \b02- +#>>>>10 byte 2 \b03- +#>>>>10 byte 3 \b04- +#>>>>10 byte 4 \b05- +#>>>>10 byte 5 \b06- +#>>>>10 byte 6 \b07- +#>>>>10 byte 7 \b08- +#>>>>10 byte 8 \b09- +#>>>>10 byte 9 \b10- +#>>>>10 byte 10 \b11- +#>>>>10 byte 11 \b12- +#>>>>9 ubyte >0 \b%02d) +# ftp://ftp.f-prot.com/pub/sign2.zip +#0 ubyte 0x62 +#>1 ubyte 0xF5 +#>>2 ubyte 0x1 +#>>>3 ubyte 0x1 +#>>>>4 ubyte 0x0e +#>>>>>13 ubyte >0 fsav virus signatures +#>>>>>>11 ubyte x size %#02x +#>>>>>>12 ubyte x \b%02x +#>>>>>>13 ubyte x \b%02x bytes + +# Joerg Jenderek: joerg dot jenderek at web dot de +# clamav-0.100.2\docs\html\node60.html +# https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf +# ClamAV virus database files start with a 512 bytes colon separated header +# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime +# + gzipped (optional) tarball files +# output can often be verified by `sigtool --info=FILE` +0 string ClamAV-VDB: Clam AntiVirus +# padding spaces implies database +>511 ubyte =0x20 database +!:mime application/x-clamav-database +# empty build time +>>10 string =:: (unsigned) +# sigtool(1) man page +!:ext cud +# display some text to avoid error like: +# Magdir/fsav, 78: Warning: Current entry does not yet have a description for adding a EXTENSION type +# file: could not find any valid magic files! (No error) +>>10 default x (with buildtime) +#>>10 default x +# clamtmp is used for temporarily database like update process +# for pure tar database only cld extension found +!:ext cld/cvd/clamtmp/cud +>511 default x file +!:mime application/x-clamav +!:ext info +>11 string >\0 +# buildDate empty or like "22 Mar 2017 12-57 -0400"; verified by `sigtool -i FILE` +>>11 regex \^[^:]{0,23} \b, %s +# version like 25170 +>>>&1 regex \^[^:]{1,6} \b, version %s +# signaturesNumbers like 4566249 +>>>>&1 regex \^[^:]{1,10} \b, %s signatures +# functionalityLevelRequired like 60 +>>>>>&1 regex \^[^:]{1,4} \b, level %s +# X for nothing or MD5 +#>>>>>>&1 regex \^[^:]{1,32} \b, MD5 "%s" +>>>>>>&1 regex \^[^:]{1,32} +# X for nothing or digital signature starting like AIzk/LYbX +#>>>>>>>&1 regex \^[^:]{1,255} \b, signature "%s" +>>>>>>>&1 regex \^[^:]{1,255} +# builder like neo +>>>>>>>>&1 regex \^[^:]{1,32} \b, builder %s +# buildTime like 1506611558 +#>>>>>>>>>&1 regex \^[^:]{1,10} \b, %s +>>>>>>>>>&1 regex \^[^:]{1,10} +# padding with spaces +#>>>>>>>>>>&1 ubequad x \b, padding %#16.16llx +>510 ubyte =0x20 +# inspect real database content +#>>512 ubeshort x \b, database MAGIC %#x +# ./archive handle pure tar archives +>>1012 quad =0 \b, with +>>>512 use tar-file +# not pure tar +>>1012 quad !0 +# one space at the end of text and then handles gzipped archives by ./compress +>>>512 string \037\213 \b, with +>>>>512 indirect x + +# Type: Grisoft AVG AntiVirus +# From: David Newgas <david@newgas.net> +0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data + +0 string X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR +>33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files + +# From: Joerg Jenderek +# URL: https://www.avira.com/ +# Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows) +# tested with version 15.0.43.23 at November 2019 +0 string AntiVir\ Qua Avira AntiVir quarantined +!:mime application/x-avira-qua +#!:mime application/octet-stream +!:ext qua +>156 string SUSPICIOUS_FILE +# file path of suspicious file +>>220 lestring16 x %s +>156 string !SUSPICIOUS_FILE +# file path of virus file +>>228 lestring16 x %s +# quarantined date +>60 ldate x at %s +# virus/danger name +>156 string !SUSPICIOUS_FILE +>>156 string x \b, category "%s" + |