#------------------------------------------------------------------------------
# fsav:  file(1) magic for datafellows fsav virus definition files
# Anthon van der Neut (anthon@mnt.org)

# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
0	beshort	0x1575	fsav macro virus signatures
>8	leshort	>0	(%d-
>11	byte	>0	\b%02d-
>10	byte	>0	\b%02d)
# ftp://ftp.f-prot.com/pub/sign.zip
#10	ubyte	<12
#>9	ubyte	<32
#>>8	ubyte	0x0a
#>>>12	ubyte	0x07
#>>>>11	uleshort	>0	fsav DOS/Windows virus signatures (%d-
#>>>>10	byte	0	\b01-
#>>>>10	byte	1	\b02-
#>>>>10	byte	2	\b03-
#>>>>10	byte	3	\b04-
#>>>>10	byte	4	\b05-
#>>>>10	byte	5	\b06-
#>>>>10	byte	6	\b07-
#>>>>10	byte	7	\b08-
#>>>>10	byte	8	\b09-
#>>>>10	byte	9	\b10-
#>>>>10	byte	10	\b11-
#>>>>10	byte	11	\b12-
#>>>>9	ubyte	>0	\b%02d)
# ftp://ftp.f-prot.com/pub/sign2.zip
#0	ubyte	0x62
#>1	ubyte	0xF5
#>>2	ubyte	0x1
#>>>3	ubyte	0x1
#>>>>4	ubyte	0x0e
#>>>>>13	ubyte	>0	fsav virus signatures
#>>>>>>11	ubyte	x	size 0x%02x
#>>>>>>12	ubyte	x	\b%02x
#>>>>>>13	ubyte	x	\b%02x bytes

# Joerg Jenderek: joerg dot jenderek at web dot de
# http://www.clamav.net/doc/latest/html/node45.html
# .cvd files start with a 512 bytes colon separated header
# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
# + gzipped tarball files
0	string	ClamAV-VDB:
>11	string	>\0	Clam AntiVirus database %-.23s
>>34	string	:
>>>35	string	!:	\b, version
>>>>35	string	x	\b%-.1s
>>>>>36	string	!:
>>>>>>36	string	x	\b%-.1s
>>>>>>>37	string	!:
>>>>>>>>37	string	x	\b%-.1s
>>>>>>>>>38	string	!:
>>>>>>>>>>38	string	x	\b%-.1s
>512	string	\037\213	\b, gzipped
>769	string	ustar\0	\b, tarred

# Type: Grisoft AVG AntiVirus
# From: David Newgas <david@newgas.net>
0	string	AVG7_ANTIVIRUS_VAULT_FILE	AVG 7 Antivirus vault file data