#------------------------------------------------------------------------------
# $File: fsav,v 1.15 2018/07/16 12:30:41 christos Exp $
# fsav: file(1) magic for datafellows fsav virus definition files
# Anthon van der Neut (anthon@mnt.org)

# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
0	beshort		0x1575		fsav macro virus signatures
>8	leshort		>0		(%d-
>11	byte		>0		\b%02d-
>10	byte		>0		\b%02d)
# ftp://ftp.f-prot.com/pub/sign.zip
#10	ubyte		<12
#>9	ubyte		<32
#>>8	ubyte		0x0a
#>>>12	ubyte		0x07
#>>>>11	uleshort	>0		fsav DOS/Windows virus signatures (%d-
#>>>>10	byte		0		\b01-
#>>>>10	byte		1		\b02-
#>>>>10	byte		2		\b03-
#>>>>10	byte		3		\b04-
#>>>>10	byte		4		\b05-
#>>>>10	byte		5		\b06-
#>>>>10	byte		6		\b07-
#>>>>10	byte		7		\b08-
#>>>>10	byte		8		\b09-
#>>>>10	byte		9		\b10-
#>>>>10	byte		10		\b11-
#>>>>10	byte		11		\b12-
#>>>>9	ubyte		>0		\b%02d)
# ftp://ftp.f-prot.com/pub/sign2.zip
#0	ubyte		0x62
#>1	ubyte		0xF5
#>>2	ubyte		0x1
#>>>3	ubyte		0x1
#>>>>4	ubyte		0x0e
#>>>>>13	ubyte	>0		fsav virus signatures
#>>>>>>11	ubyte	x		size 0x%02x
#>>>>>>12	ubyte	x		\b%02x
#>>>>>>13	ubyte	x		\b%02x bytes

# Joerg Jenderek: joerg dot jenderek at web dot de
# http://www.clamav.net/doc/latest/html/node45.html
# .cvd files start with a 512 bytes colon separated header
# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
# + gzipped tarball files
0	string		ClamAV-VDB:
>11	string		>\0		Clam AntiVirus database %-.23s
>>34	string		:
>>>35	string		!:		\b, version
>>>>35	string		x		\b %-.1s
>>>>>36	string		!:
>>>>>>36	string		x		\b%-.1s
>>>>>>>37	string		!:
>>>>>>>>37	string		x		\b%-.1s
>>>>>>>>>38	string		!:
>>>>>>>>>>38	string		x		\b%-.1s
>>>>>>>>>>>39	string		!:
>>>>>>>>>>>>39	string		x		\b%-.1s
>512	string		\037\213	\b, gzipped
>769	string		ustar\0		\b, tarred

# Type: Grisoft AVG AntiVirus
# From: David Newgas <david@newgas.net>
0	string		AVG7_ANTIVIRUS_VAULT_FILE	AVG 7 Antivirus vault file data

0	string		X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR
>33	string		-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*	EICAR virus test files
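
# Added example, not part of the file(1) magic source or of ClamAV: a Python parser
# for the .cvd header layout given in the ClamAV-VDB comments above, using the same
# payload offsets (512 and 769) that the magic entries test. The Python field names,
# the space/NUL padding of the header and the sample values are assumptions.

```python
import re
from typing import NamedTuple, Optional

HEADER_LEN = 512  # header size stated in the magic comments
# Field names follow the comment's order; the Python names are this example's.
FIELDS = ("build_date", "version", "signatures", "functionality_level",
          "md5", "signature", "builder", "build_time")


class CvdHeader(NamedTuple):
    fields: dict
    payload: str  # "gzip", "tar" or "unknown"


def parse_cvd(data: bytes) -> Optional[CvdHeader]:
    """Return the parsed header, None if the tag is absent, ValueError if malformed."""
    if not data.startswith(b"ClamAV-VDB:"):
        return None
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    # Assumption: unused header bytes are space/NUL padding.
    text = data[:HEADER_LEN].decode("ascii", "replace").rstrip(" \x00\r\n")
    fields = dict(zip(FIELDS, text.split(":")[1:]))
    for key in ("version", "signatures", "functionality_level"):
        if not fields.get(key, "").isdigit():
            raise ValueError(f"non-numeric {key}")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", fields.get("md5", "")):
        raise ValueError("md5 field is not 32 hex digits")
    # Same offsets the magic entries test: gzip at 512, "ustar\0" at 769.
    if data[512:514] == b"\x1f\x8b":
        payload = "gzip"
    elif data[769:775] == b"ustar\x00":
        payload = "tar"
    else:
        payload = "unknown"
    return CvdHeader(fields, payload)


def constructed_sample(body: bytes = b"\x1f\x8b\x08\x00") -> bytes:
    """Constructed header (not a real database) followed by `body`."""
    parts = [b"ClamAV-VDB", b"07 Sep 2023 09-22 -0400", b"62", b"1234", b"90",
             b"0" * 32, b"CONSTRUCTED-SIGNATURE", b"example", b"1694092920"]
    return b":".join(parts).ljust(HEADER_LEN, b" ") + body


if __name__ == "__main__":
    print(parse_cvd(constructed_sample()))
```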