path: root/usr.bin/file/magdir/fsav
#	$OpenBSD: fsav,v 1.2 2008/05/08 01:40:57 chl Exp $

#------------------------------------------------------------------------------
# fsav:  file(1) magic for datafellows fsav virus definition files
# Anthon van der Neut (anthon@mnt.org)

# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
# The level-0 test is a single big-endian 16-bit value (0x1575) at offset 0,
# so this is a weak signature: any unrelated file that happens to start with
# those two bytes is reported as fsav data as well. Treat the result as a
# hint, not as proof of what the file is.
# The continuation lines print, each only when non-zero, a little-endian
# short at offset 8 and the bytes at offsets 11 and 10, formatted as
# "(%d-%02d-%02d)" -- presumably a year-month-day release date; verify
# against a sample definition file.
0	beshort		0x1575		fsav macro virus signatures
>8	leshort		>0		(%d-
>11	byte		>0		\b%02d-
>10	byte		>0		\b%02d)
# ftp://ftp.f-prot.com/pub/sign.zip
#10	ubyte		<12
#>9	ubyte		<32
#>>8	ubyte		0x0a
#>>>12	ubyte		0x07
#>>>>11	uleshort	>0		fsav DOS/Windows virus signatures (%d-
#>>>>10	byte		0		\b01-
#>>>>10	byte		1		\b02-
#>>>>10	byte		2		\b03-
#>>>>10	byte		3		\b04-
#>>>>10	byte		4		\b05-
#>>>>10	byte		5		\b06-
#>>>>10	byte		6		\b07-
#>>>>10	byte		7		\b08-
#>>>>10	byte		8		\b09-
#>>>>10	byte		9		\b10-
#>>>>10	byte		10		\b11-
#>>>>10	byte		11		\b12-
#>>>>9	ubyte		>0		\b%02d)
# ftp://ftp.f-prot.com/pub/sign2.zip
#0	ubyte		0x62		
#>1	ubyte		0xF5		
#>>2	ubyte		0x1		
#>>>3	ubyte		0x1		
#>>>>4	ubyte		0x0e		
#>>>>>13		ubyte	>0		fsav virus signatures
#>>>>>>11	ubyte	x		size 0x%02x
#>>>>>>12	ubyte	x		\b%02x
#>>>>>>13	ubyte	x		\b%02x bytes

# Joerg Jenderek: joerg dot jenderek at web dot de
# http://www.clamav.net/doc/latest/html/node45.html
# .cvd files start with a 512-byte, colon-separated header
# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
# + gzipped tarball files
# Match the literal "ClamAV-VDB:" tag at offset 0, then print up to 23
# characters of the non-empty string at offset 11 (the buildDate field in the
# header layout given above). A ':' is then required at offset 34, after
# which up to four characters of the following field (offsets 35-38) are
# printed one at a time as the version, stopping at the next ':'. A version
# longer than four characters is printed truncated.
# Offset 512 (the first byte after the header) is tested for the gzip magic
# \037\213, and offset 769 (512 + 257) for the tar "ustar\0" marker.
# These tests classify the file by its leading bytes only: nothing here
# checks the MD5 or Signature header fields, so a match says nothing about
# whether the database is authentic or unmodified.
# NOTE(review): the gzip/tar tests appear both under the version branch and
# at level 1 -- confirm the description is not printed twice.
0	string		ClamAV-VDB:	
>11	string		>\0		Clam AntiVirus database %-.23s
>>34	string		:		
>>>35	regex		[^:]+		\b, version 
>>>>35		string		x 	\b%-.1s
>>>>>36		string 		!:	
>>>>>>36	string		x 	\b%-.1s
>>>>>>>37	string		!:	
>>>>>>>>37	string		x 	\b%-.1s
>>>>>>>>>38	string		!:	
>>>>>>>>>>38	string		x 	\b%-.1s
>>>>512	string		\037\213	\b, gzipped
>>>>769	string		ustar\0		\b, tared
>512	string		\037\213	\b, gzipped
>769	string		ustar\0		\b, tared