xref: /freebsd/contrib/file/magic/Magdir/fsav (revision edca4938f74db18d091868237592abbf7e718669)
1
2#------------------------------------------------------------------------------
3# $File: fsav,v 1.15 2018/07/16 12:30:41 christos Exp $
4# fsav:  file(1) magic for datafellows fsav virus definition files
5# Anthon van der Neut (anthon@mnt.org)
6
7# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
80	beshort		0x1575		fsav macro virus signatures
9>8	leshort		>0		(%d-
10>11	byte		>0		\b%02d-
11>10	byte		>0		\b%02d)
12# ftp://ftp.f-prot.com/pub/sign.zip
13#10	ubyte		<12
14#>9	ubyte		<32
15#>>8	ubyte		0x0a
16#>>>12	ubyte		0x07
17#>>>>11	uleshort	>0		fsav DOS/Windows virus signatures (%d-
18#>>>>10	byte		0		\b01-
19#>>>>10	byte		1		\b02-
20#>>>>10	byte		2		\b03-
21#>>>>10	byte		3		\b04-
22#>>>>10	byte		4		\b05-
23#>>>>10	byte		5		\b06-
24#>>>>10	byte		6		\b07-
25#>>>>10	byte		7		\b08-
26#>>>>10	byte		8		\b09-
27#>>>>10	byte		9		\b10-
28#>>>>10	byte		10		\b11-
29#>>>>10	byte		11		\b12-
30#>>>>9	ubyte		>0		\b%02d)
31# ftp://ftp.f-prot.com/pub/sign2.zip
32#0	ubyte		0x62
33#>1	ubyte		0xF5
34#>>2	ubyte		0x1
35#>>>3	ubyte		0x1
36#>>>>4	ubyte		0x0e
37#>>>>>13		ubyte	>0		fsav virus signatures
38#>>>>>>11	ubyte	x		size 0x%02x
39#>>>>>>12	ubyte	x		\b%02x
40#>>>>>>13	ubyte	x		\b%02x bytes
41
42# Joerg Jenderek: joerg dot jenderek at web dot de
43# http://www.clamav.net/doc/latest/html/node45.html
44# .cvd files start with a 512 bytes colon separated header
45# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
46# + gzipped tarball files
470	string		ClamAV-VDB:
48>11	string		>\0		Clam AntiVirus database %-.23s
49>>34	string		:
50>>>35		string		!:	\b, version
51>>>>35		string		x 	\b %-.1s
52>>>>>36		string		!:
53>>>>>>36	string		x 	\b%-.1s
54>>>>>>>37	string		!:
55>>>>>>>>37	string		x 	\b%-.1s
56>>>>>>>>>38	string		!:
57>>>>>>>>>>38	string		x 	\b%-.1s
58>>>>>>>>>>>39	string		!:
59>>>>>>>>>>>>39	string		x 	\b%-.1s
60>512	string		\037\213	\b, gzipped
61>769	string		ustar\0		\b, tarred
62
63# Type: Grisoft AVG AntiVirus
64# From: David Newgas <david@newgas.net>
650	string	AVG7_ANTIVIRUS_VAULT_FILE	AVG 7 Antivirus vault file data
66
670	string	X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR
68>33	string	-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*	EICAR virus test files
69