head 1.1; branch 1.1.1; access; symbols FILE5_48:1.1.1.8 netbsd-11-0-RC4:1.1.1.8 netbsd-11-0-RC3:1.1.1.8 netbsd-11-0-RC2:1.1.1.8 netbsd-11-0-RC1:1.1.1.8 perseant-exfatfs-base-20250801:1.1.1.8 netbsd-11:1.1.1.8.0.6 netbsd-11-base:1.1.1.8 netbsd-10-1-RELEASE:1.1.1.8 perseant-exfatfs-base-20240630:1.1.1.8 perseant-exfatfs:1.1.1.8.0.4 perseant-exfatfs-base:1.1.1.8 netbsd-8-3-RELEASE:1.1.1.4 netbsd-9-4-RELEASE:1.1.1.6 netbsd-10-0-RELEASE:1.1.1.8 netbsd-10-0-RC6:1.1.1.8 netbsd-10-0-RC5:1.1.1.8 netbsd-10-0-RC4:1.1.1.8 netbsd-10-0-RC3:1.1.1.8 netbsd-10-0-RC2:1.1.1.8 netbsd-10-0-RC1:1.1.1.8 FILE5_45:1.1.1.8 netbsd-10:1.1.1.8.0.2 netbsd-10-base:1.1.1.8 FILE5_43:1.1.1.8 netbsd-9-3-RELEASE:1.1.1.6 cjep_sun2x-base1:1.1.1.7 cjep_sun2x:1.1.1.7.0.4 cjep_sun2x-base:1.1.1.7 cjep_staticlib_x-base1:1.1.1.7 netbsd-9-2-RELEASE:1.1.1.6 cjep_staticlib_x:1.1.1.7.0.2 cjep_staticlib_x-base:1.1.1.7 FILE5_40:1.1.1.7 netbsd-9-1-RELEASE:1.1.1.6 FILE5_39:1.1.1.6 phil-wifi-20200421:1.1.1.6 phil-wifi-20200411:1.1.1.6 is-mlppp:1.1.1.6.0.4 is-mlppp-base:1.1.1.6 phil-wifi-20200406:1.1.1.6 netbsd-8-2-RELEASE:1.1.1.4 netbsd-9-0-RELEASE:1.1.1.6 netbsd-9-0-RC2:1.1.1.6 FILE5_38:1.1.1.6 netbsd-9-0-RC1:1.1.1.6 phil-wifi-20191119:1.1.1.6 netbsd-9:1.1.1.6.0.2 netbsd-9-base:1.1.1.6 phil-wifi-20190609:1.1.1.6 netbsd-8-1-RELEASE:1.1.1.4 FILE5_37:1.1.1.6 netbsd-8-1-RC1:1.1.1.4 pgoyette-compat-merge-20190127:1.1.1.4.8.1 pgoyette-compat-20190127:1.1.1.5 pgoyette-compat-20190118:1.1.1.5 pgoyette-compat-1226:1.1.1.5 pgoyette-compat-1126:1.1.1.5 pgoyette-compat-1020:1.1.1.5 FILE5_35:1.1.1.5 pgoyette-compat-0930:1.1.1.4 pgoyette-compat-0906:1.1.1.4 netbsd-7-2-RELEASE:1.1.1.3 pgoyette-compat-0728:1.1.1.4 netbsd-8-0-RELEASE:1.1.1.4 phil-wifi:1.1.1.4.0.10 phil-wifi-base:1.1.1.4 pgoyette-compat-0625:1.1.1.4 netbsd-8-0-RC2:1.1.1.4 pgoyette-compat-0521:1.1.1.4 pgoyette-compat-0502:1.1.1.4 pgoyette-compat-0422:1.1.1.4 netbsd-8-0-RC1:1.1.1.4 FILE5_33:1.1.1.4 pgoyette-compat-0415:1.1.1.4 pgoyette-compat-0407:1.1.1.4 pgoyette-compat-0330:1.1.1.4 pgoyette-compat-0322:1.1.1.4 pgoyette-compat-0315:1.1.1.4 netbsd-7-1-2-RELEASE:1.1.1.3 pgoyette-compat:1.1.1.4.0.8 pgoyette-compat-base:1.1.1.4 netbsd-7-1-1-RELEASE:1.1.1.3 matt-nb8-mediatek:1.1.1.4.0.6 matt-nb8-mediatek-base:1.1.1.4 FILE5_32:1.1.1.4 perseant-stdc-iso10646:1.1.1.4.0.4 perseant-stdc-iso10646-base:1.1.1.4 netbsd-8:1.1.1.4.0.2 netbsd-8-base:1.1.1.4 FILE5_31:1.1.1.4 prg-localcount2-base3:1.1.1.3 prg-localcount2-base2:1.1.1.3 prg-localcount2-base1:1.1.1.3 prg-localcount2:1.1.1.3.0.16 prg-localcount2-base:1.1.1.3 pgoyette-localcount-20170426:1.1.1.3 bouyer-socketcan-base1:1.1.1.3 pgoyette-localcount-20170320:1.1.1.3 netbsd-7-1:1.1.1.3.0.14 netbsd-7-1-RELEASE:1.1.1.3 netbsd-7-1-RC2:1.1.1.3 FILE5_30:1.1.1.3 netbsd-7-nhusb-base-20170116:1.1.1.3 bouyer-socketcan:1.1.1.3.0.12 bouyer-socketcan-base:1.1.1.3 pgoyette-localcount-20170107:1.1.1.3 netbsd-7-1-RC1:1.1.1.3 pgoyette-localcount-20161104:1.1.1.3 netbsd-7-0-2-RELEASE:1.1.1.3 localcount-20160914:1.1.1.3 netbsd-7-nhusb:1.1.1.3.0.10 netbsd-7-nhusb-base:1.1.1.3 pgoyette-localcount-20160806:1.1.1.3 pgoyette-localcount-20160726:1.1.1.3 pgoyette-localcount:1.1.1.3.0.8 pgoyette-localcount-base:1.1.1.3 netbsd-7-0-1-RELEASE:1.1.1.3 netbsd-7-0:1.1.1.3.0.6 netbsd-7-0-RELEASE:1.1.1.3 netbsd-7-0-RC3:1.1.1.3 netbsd-7-0-RC2:1.1.1.3 netbsd-7-0-RC1:1.1.1.3 FILE5_22:1.1.1.3 FILE5_20:1.1.1.3 netbsd-6-0-6-RELEASE:1.1.1.2 netbsd-6-1-5-RELEASE:1.1.1.2 netbsd-7:1.1.1.3.0.4 netbsd-7-base:1.1.1.3 FILE5_19:1.1.1.3 yamt-pagecache-base9:1.1.1.3 yamt-pagecache-tag8:1.1.1.2 netbsd-6-1-4-RELEASE:1.1.1.2 netbsd-6-0-5-RELEASE:1.1.1.2 tls-earlyentropy:1.1.1.3.0.2 tls-earlyentropy-base:1.1.1.3 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.1.1.3 riastradh-drm2-base3:1.1.1.3 netbsd-6-1-3-RELEASE:1.1.1.2 netbsd-6-0-4-RELEASE:1.1.1.2 FILE5_16:1.1.1.3 netbsd-6-1-2-RELEASE:1.1.1.2 netbsd-6-0-3-RELEASE:1.1.1.2 netbsd-6-1-1-RELEASE:1.1.1.2 riastradh-drm2-base2:1.1.1.2 riastradh-drm2-base1:1.1.1.2 riastradh-drm2:1.1.1.2.0.14 riastradh-drm2-base:1.1.1.2 netbsd-6-1:1.1.1.2.0.20 netbsd-6-0-2-RELEASE:1.1.1.2 netbsd-6-1-RELEASE:1.1.1.2 khorben-n900:1.1.1.2.0.18 netbsd-6-1-RC4:1.1.1.2 netbsd-6-1-RC3:1.1.1.2 agc-symver:1.1.1.2.0.16 agc-symver-base:1.1.1.2 FILE5_14:1.1.1.2 netbsd-6-1-RC2:1.1.1.2 netbsd-6-1-RC1:1.1.1.2 yamt-pagecache-base8:1.1.1.2 FILE_5_12:1.1.1.2 netbsd-6-0-1-RELEASE:1.1.1.2 yamt-pagecache-base7:1.1.1.2 matt-nb6-plus-nbase:1.1.1.2 yamt-pagecache-base6:1.1.1.2 netbsd-6-0:1.1.1.2.0.12 netbsd-6-0-RELEASE:1.1.1.2 netbsd-6-0-RC2:1.1.1.2 tls-maxphys:1.1.1.2.0.10 tls-maxphys-base:1.1.1.3 matt-nb6-plus:1.1.1.2.0.8 matt-nb6-plus-base:1.1.1.2 netbsd-6-0-RC1:1.1.1.2 yamt-pagecache-base5:1.1.1.2 yamt-pagecache-base4:1.1.1.2 FILE5_11:1.1.1.2 netbsd-6:1.1.1.2.0.6 netbsd-6-base:1.1.1.2 yamt-pagecache-base3:1.1.1.2 yamt-pagecache-base2:1.1.1.2 yamt-pagecache:1.1.1.2.0.4 yamt-pagecache-base:1.1.1.2 FILE5_09:1.1.1.2 cherry-xenmp:1.1.1.2.0.2 cherry-xenmp-base:1.1.1.2 FILE5_07:1.1.1.2 bouyer-quota2-nbase:1.1.1.1 bouyer-quota2:1.1.1.1.0.4 bouyer-quota2-base:1.1.1.1 matt-mips64-premerge-20101231:1.1.1.1 matt-premerge-20091211:1.1.1.1 jym-xensuspend-base:1.1.1.1 jym-xensuspend:1.1.1.1.0.2 jym-xensuspend-nbase:1.1.1.1 FILE5_03:1.1.1.1 CHRISTOS:1.1.1; locks; strict; comment @# @; 1.1 date 2009.05.08.16.35.08; author christos; state Exp; branches 1.1.1.1; next ; 1.1.1.1 date 2009.05.08.16.35.08; author christos; state Exp; branches 1.1.1.1.2.1; next 1.1.1.2; 1.1.1.2 date 2011.05.12.20.47.00; author christos; state Exp; branches 1.1.1.2.4.1 1.1.1.2.10.1; next 1.1.1.3; 1.1.1.3 date 2013.12.01.19.28.18; author christos; state Exp; branches; next 1.1.1.4; commitid RVQIxe3FpM3lSsfx; 1.1.1.4 date 2017.05.24.23.59.57; author christos; state Exp; branches 1.1.1.4.8.1 1.1.1.4.10.1; next 1.1.1.5; commitid WbyOU2LBE5qOyHSz; 1.1.1.5 date 2018.10.18.23.54.09; author christos; state Exp; branches; next 1.1.1.6; commitid e8WctwerBeEm4vWA; 1.1.1.6 date 2019.05.22.17.19.57; author christos; state Exp; branches; next 1.1.1.7; commitid VXeNRYYruN1MWdoB; 1.1.1.7 date 2021.04.09.18.58.02; author christos; state Exp; branches; next 1.1.1.8; commitid W9ddLLbSkHHinEOC; 1.1.1.8 date 2022.09.24.20.07.54; author christos; state Exp; branches; next ; commitid Nf6F9kcpc0EPC9VD; 1.1.1.1.2.1 date 2009.05.08.16.35.08; author jym; state dead; branches; next 1.1.1.1.2.2; 1.1.1.1.2.2 date 2009.05.13.18.51.56; author jym; state Exp; branches; next ; 1.1.1.2.4.1 date 2014.05.22.15.44.59; author yamt; state Exp; branches; next ; commitid tYJXbWAuFvTh7yBx; 1.1.1.2.10.1 date 2014.08.19.23.46.47; author tls; state Exp; branches; next ; commitid jTnpym9Qu0o4R1Nx; 1.1.1.4.8.1 date 2018.10.20.06.58.20; author pgoyette; state Exp; branches; next ; commitid mTSoqZEZ4arHnFWA; 1.1.1.4.10.1 date 2019.06.10.21.44.46; author christos; state Exp; branches; next ; commitid jtc8rnCzWiEEHGqB; desc @@ 1.1 log @Initial revision @ text @ #------------------------------------------------------------------------------ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@@mnt.org) # ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def} 0 beshort 0x1575 fsav macro virus signatures >8 leshort >0 (%d- >11 byte >0 \b%02d- >10 byte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign.zip #10 ubyte <12 #>9 ubyte <32 #>>8 ubyte 0x0a #>>>12 ubyte 0x07 #>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d- #>>>>10 byte 0 \b01- #>>>>10 byte 1 \b02- #>>>>10 byte 2 \b03- #>>>>10 byte 3 \b04- #>>>>10 byte 4 \b05- #>>>>10 byte 5 \b06- #>>>>10 byte 6 \b07- #>>>>10 byte 7 \b08- #>>>>10 byte 8 \b09- #>>>>10 byte 9 \b10- #>>>>10 byte 10 \b11- #>>>>10 byte 11 \b12- #>>>>9 ubyte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign2.zip #0 ubyte 0x62 #>1 ubyte 0xF5 #>>2 ubyte 0x1 #>>>3 ubyte 0x1 #>>>>4 ubyte 0x0e #>>>>>13 ubyte >0 fsav virus signatures #>>>>>>11 ubyte x size 0x%02x #>>>>>>12 ubyte x \b%02x #>>>>>>13 ubyte x \b%02x bytes # Joerg Jenderek: joerg dot jenderek at web dot de # http://www.clamav.net/doc/latest/html/node45.html # .cvd files start with a 512 bytes colon separated header # ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime # + gzipped tarball files 0 string ClamAV-VDB: >11 string >\0 Clam AntiVirus database %-.23s >>34 string : >>>35 string !: \b, version >>>>35 string x \b%-.1s >>>>>36 string !: >>>>>>36 string x \b%-.1s >>>>>>>37 string !: >>>>>>>>37 string x \b%-.1s >>>>>>>>>38 string !: >>>>>>>>>>38 string x \b%-.1s >512 string \037\213 \b, gzipped >769 string ustar\0 \b, tarred # Type: Grisoft AVG AntiVirus # From: David Newgas 0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data @ 1.1.1.1 log @from ftp.astron.com @ text @@ 1.1.1.2 log @from ftp.astron.com. - many security related fixes - no MAXPATHLEN limits - fixed missing text specification on ascii magic - new ``pascal'' style string formats - whitespace comparison fix - more magic @ text @a2 1 # $File: fsav,v 1.11 2009/09/19 16:28:09 christos Exp $ @ 1.1.1.2.10.1 log @Rebase to HEAD as of a few days ago. @ text @d3 1 a3 1 # $File: fsav,v 1.13 2013/03/25 17:18:47 christos Exp $ a63 3 0 string X5O!P%@@AP[4\\PZX54(P^)7CC)7}$EICAR >33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files @ 1.1.1.2.4.1 log @sync with head. for a reference, the tree before this commit was tagged as yamt-pagecache-tag8. this commit was splitted into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments") @ text @d3 1 a3 1 # $File: fsav,v 1.13 2013/03/25 17:18:47 christos Exp $ a63 3 0 string X5O!P%@@AP[4\\PZX54(P^)7CC)7}$EICAR >33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files @ 1.1.1.3 log @from ftp.astron.com, this is a bug fix release: * always leave magic file loaded, don't unload for magic_check, etc. * fix default encoding to binary instead of unknown which broke recently * handle empty and one byte files, less specially so that --mime-encoding does not break completely. * fix erroneous non-zero exit code from non-existant file and message * add CDF MSI file detection (Guy Helmer) @ text @d3 1 a3 1 # $File: fsav,v 1.13 2013/03/25 17:18:47 christos Exp $ a63 3 0 string X5O!P%@@AP[4\\PZX54(P^)7CC)7}$EICAR >33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files @ 1.1.1.4 log @Import file-5.31; mostly oss-fuzz found bugs. @ text @d3 1 a3 1 # $File: fsav,v 1.14 2017/03/17 21:35:28 christos Exp $ d32 5 a36 5 #0 ubyte 0x62 #>1 ubyte 0xF5 #>>2 ubyte 0x1 #>>>3 ubyte 0x1 #>>>>4 ubyte 0x0e d47 1 a47 1 0 string ClamAV-VDB: d49 2 a50 2 >>34 string : >>>35 string !: \b, version d52 1 a52 1 >>>>>36 string !: d54 1 a54 1 >>>>>>>37 string !: d56 1 a56 1 >>>>>>>>>38 string !: @ 1.1.1.4.10.1 log @Sync with HEAD @ text @d3 1 a3 1 # $File: fsav,v 1.19 2019/04/19 00:42:27 christos Exp $ d43 2 a44 3 # clamav-0.100.2\docs\html\node60.html # https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf # ClamAV virus database files start with a 512 bytes colon separated header d46 14 a59 54 # + gzipped (optional) tarball files # output can often be verified by `sigtool --info=FILE` 0 string ClamAV-VDB: Clam AntiVirus # padding spaces implies database >511 ubyte =0x20 database !:mime application/x-clamav-database # empty build time >>10 string =:: (unsigned) # sigtool(1) man page !:ext cud # display some text to avoid error like: # Magdir/fsav, 78: Warning: Current entry does not yet have a description for adding a EXTENSION type # file: could not find any valid magic files! (No error) >>10 default x (with buildtime) #>>10 default x # clamtmp is used for temporily database like update process # for pure tar database only cld extension found !:ext cld/cvd/clamtmp/cud >511 default x file !:mime application/x-clamav !:ext info >11 string >\0 # buildDate empty or like "22 Mar 2017 12-57 -0400"; verified by `sigtool -i FILE` >>11 regex \^[^:]{0,23} \b, %s # version like 25170 >>>&1 regex \^[^:]{1,6} \b, version %s # signaturesNumbers like 4566249 >>>>&1 regex \^[^:]{1,10} \b, %s signatures # functionalityLevelRequired like 60 >>>>>&1 regex \^[^:]{1,4} \b, level %s # X for nothing or MD5 #>>>>>>&1 regex \^[^:]{1,32} \b, MD5 "%s" >>>>>>&1 regex \^[^:]{1,32} # X for nothing or digital signature starting like AIzk/LYbX #>>>>>>>&1 regex \^[^:]{1,255} \b, signature "%s" >>>>>>>&1 regex \^[^:]{1,255} # builder like neo >>>>>>>>&1 regex \^[^:]{1,32} \b, builder %s # buildTime like 1506611558 #>>>>>>>>>&1 regex \^[^:]{1,10} \b, %s >>>>>>>>>&1 regex \^[^:]{1,10} # padding with spaces #>>>>>>>>>>&1 ubequad x \b, padding 0x%16.16llx >510 ubyte =0x20 # inspect real database content #>>512 ubeshort x \b, database MAGIC 0x%x # ./archive handle pure tar archives >>1012 quad =0 \b, with >>>512 use tar-file # not pure tar >>1012 quad !0 # one space at the end of text and then handles gziped archives by ./compress >>>512 string \037\213 \b, with >>>>512 indirect x a66 21 # From: Joerg Jenderek # URL: https://www.avira.com/ # Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows) # tested with version 15.0.43.23 at November 2019 0 string AntiVir\ Qua Avira AntiVir quarantined !:mime application/x-avira-qua #!:mime application/octet-stream !:ext qua >156 string SUSPICIOUS_FILE # file path of suspicious file >>220 lestring16 x %s >156 string !SUSPICIOUS_FILE # file path of virus file >>228 lestring16 x %s # quarantined date >60 ldate x at %s # virus/danger name >156 string !SUSPICIOUS_FILE >>156 string x \b, category "%s" @ 1.1.1.4.8.1 log @Sync with head @ text @d3 1 a3 1 # $File: fsav,v 1.15 2018/07/16 12:30:41 christos Exp $ d51 2 a52 2 >>>>35 string x \b %-.1s >>>>>36 string !: a57 2 >>>>>>>>>>>39 string !: >>>>>>>>>>>>39 string x \b%-.1s @ 1.1.1.5 log @2018-10-18 19:32 Christos Zoulas * release 5.35 2018-09-10 20:38 Christos Zoulas * Add FreeBSD ELF core file support (John Baldwin) 2018-08-20 18:40 Christos Zoulas * PR/30: Allow all parameter values to be set (don't treat 0 specially) * handle default annotations on the softmagic match instead at the end. 2018-07-25 10:17 Christos Zoulas * PR/23: Recognize JSON files 2018-07-25 10:17 Christos Zoulas * PR/18: file --mime-encoding should not print mime-type 2018-07-25 8:50 Christos Zoulas * release 5.34 2018-06-22 16:38 Christos Zoulas * Add Quad indirect offsets 2018-05-24 14:10 Christos Zoulas * Enable parsing of ELF dynamic sections to handle PIE better @ text @d3 1 a3 1 # $File: fsav,v 1.15 2018/07/16 12:30:41 christos Exp $ d51 2 a52 2 >>>>35 string x \b %-.1s >>>>>36 string !: a57 2 >>>>>>>>>>>39 string !: >>>>>>>>>>>>39 string x \b%-.1s @ 1.1.1.6 log @2019-05-14 22:26 Christos Zoulas * release 5.37 2019-05-09 22:27 Christos Zoulas * Make sure that continuation separators are printed with -k within softmagic 2019-05-06 22:27 Christos Zoulas * Change SIGPIPE saving and restoring during compression to use sigaction(2) instead of signal(3) and cache it. (Denys Vlasenko) * Cache stat(2) calls more to reduce number of calls (Denys Vlasenko) 2019-05-06 17:25 Christos Zoulas * PR/77: Handle --mime-type and -k correctly. 2019-05-03 15:26 Christos Zoulas * Switch decompression code to use vfork() because tools like rpmdiff and rpmbuild call libmagic with large process footprints (Denys Vlasenko) 2019-04-07 14:05 Christos Zoulas * PR/75: --enable-zlib, did not work. 2019-02-27 11:54 Christos Zoulas * Improve regex efficiency (Michael Schroeder) by: 1. Prefixing regex searches with regular search for keywords where possible 2. Using memmem(3) where available @ text @d3 1 a3 1 # $File: fsav,v 1.19 2019/04/19 00:42:27 christos Exp $ d43 2 a44 3 # clamav-0.100.2\docs\html\node60.html # https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf # ClamAV virus database files start with a 512 bytes colon separated header d46 16 a61 54 # + gzipped (optional) tarball files # output can often be verified by `sigtool --info=FILE` 0 string ClamAV-VDB: Clam AntiVirus # padding spaces implies database >511 ubyte =0x20 database !:mime application/x-clamav-database # empty build time >>10 string =:: (unsigned) # sigtool(1) man page !:ext cud # display some text to avoid error like: # Magdir/fsav, 78: Warning: Current entry does not yet have a description for adding a EXTENSION type # file: could not find any valid magic files! (No error) >>10 default x (with buildtime) #>>10 default x # clamtmp is used for temporily database like update process # for pure tar database only cld extension found !:ext cld/cvd/clamtmp/cud >511 default x file !:mime application/x-clamav !:ext info >11 string >\0 # buildDate empty or like "22 Mar 2017 12-57 -0400"; verified by `sigtool -i FILE` >>11 regex \^[^:]{0,23} \b, %s # version like 25170 >>>&1 regex \^[^:]{1,6} \b, version %s # signaturesNumbers like 4566249 >>>>&1 regex \^[^:]{1,10} \b, %s signatures # functionalityLevelRequired like 60 >>>>>&1 regex \^[^:]{1,4} \b, level %s # X for nothing or MD5 #>>>>>>&1 regex \^[^:]{1,32} \b, MD5 "%s" >>>>>>&1 regex \^[^:]{1,32} # X for nothing or digital signature starting like AIzk/LYbX #>>>>>>>&1 regex \^[^:]{1,255} \b, signature "%s" >>>>>>>&1 regex \^[^:]{1,255} # builder like neo >>>>>>>>&1 regex \^[^:]{1,32} \b, builder %s # buildTime like 1506611558 #>>>>>>>>>&1 regex \^[^:]{1,10} \b, %s >>>>>>>>>&1 regex \^[^:]{1,10} # padding with spaces #>>>>>>>>>>&1 ubequad x \b, padding 0x%16.16llx >510 ubyte =0x20 # inspect real database content #>>512 ubeshort x \b, database MAGIC 0x%x # ./archive handle pure tar archives >>1012 quad =0 \b, with >>>512 use tar-file # not pure tar >>1012 quad !0 # one space at the end of text and then handles gziped archives by ./compress >>>512 string \037\213 \b, with >>>>512 indirect x a68 21 # From: Joerg Jenderek # URL: https://www.avira.com/ # Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows) # tested with version 15.0.43.23 at November 2019 0 string AntiVir\ Qua Avira AntiVir quarantined !:mime application/x-avira-qua #!:mime application/octet-stream !:ext qua >156 string SUSPICIOUS_FILE # file path of suspicious file >>220 lestring16 x %s >156 string !SUSPICIOUS_FILE # file path of virus file >>228 lestring16 x %s # quarantined date >60 ldate x at %s # virus/danger name >156 string !SUSPICIOUS_FILE >>156 string x \b, category "%s" @ 1.1.1.7 log @2021-03-30 20:21 Christos Zoulas * release 5.40 2021-02-05 16:31 Christos Zoulas * PR/234: Add limit to the number of bytes to scan for encoding * PR/230: Fix /T (trim flag) for regex 2021-02-01 12:31 Christos Zoulas * PR/77: Trim trailing separator. 2020-12-17 15:44 Christos Zoulas * PR/211: Convert system read errors from corrupt ELF files into human readable error messages 2020-12-08 16:24 Christos Zoulas * fix multithreaded decompression file descriptor issue by using close-on-exec (Denys Vlasenko) 2020-06-27 11:58 Christos Zoulas * Exclude surrogate pairs from utf-8 detection (Michael Liu) 2020-06-25 12:53 Christos Zoulas * Include # to the list of ignored format chars (Werner Fink) @ text @d3 1 a3 1 # $File: fsav,v 1.21 2021/02/23 00:51:10 christos Exp $ d62 1 a62 1 # clamtmp is used for temporarily database like update process d98 1 a98 1 # one space at the end of text and then handles gzipped archives by ./compress @ 1.1.1.8 log @Import file-5.43+; last was file-5.40 2022-09-20 17:12 Christos Zoulas * fixed various clustefuzz issues 2022-09-19 15:54 Christos Zoulas * Fix error detection for decompression code (Vincent Mihalkovic) 2022-09-15 13:50 Christos Zoulas * Add MAGIC_NO_COMPRESS_FORK and use it to produce a more meaningful error message if we are sandboxing. 2022-09-15 10:45 Christos Zoulas * Add built-in lzip decompression support (Michal Gorny) 2022-09-14 10:35 Christos Zoulas * Add built-in zstd decompression support (Martin Rodriguez Reboredo) 2022-09-13 14:55 Christos Zoulas * release 5.43 2022-09-10 9:17 Christos Zoulas * Add octal indirect magic (Michal Gorny) 2022-08-17 11:43 Christos Zoulas * PR/374: avoid infinite loop in non-wide code (piru) * PR/373: Obey MAGIC_CONTINUE with multiple magic files (vismarli) 2022-07-26 11:10 Christos Zoulas * Fix bug with large flist (Florian Weimer) 2022-07-07 13:21 Christos Zoulas * PR/364: Detect non-nul-terminated core filenames from QEMU (mam-ableton) 2022-07-04 15:45 Christos Zoulas * PR/359: Add support for http://ndjson.org/ (darose) * PR/362: Fix wide printing (ro-ee) * PR/358: Fix width for -f - (jpalus) * PR/356: Fix JSON constant parsing (davewhite) 2022-06-10 9:40 Christos Zoulas * release 5.42 2022-05-31 14:50 Christos Zoulas * PR/348: add missing cases to prevent file from aborting on random magic files. 2022-05-27 21:05 Christos Zoulas * PR/351: octalify filenames when not raw before printing. 2022-04-18 17:51 Christos Zoulas * fix regex cacheing bug (Dirk Mueller) * merge file_regcomp and file_regerror() to simplify the code and reduce memory requirements for storing regexes (Dirk Mueller) 2022-03-19 12:56 Christos Zoulas * cache regex (Dirk Mueller) * detect filesystem full by flushing output (Dirk Mueller) 2021-11-19 12:36 Christos Zoulas * implement running decompressor programs using posix_spawnp(2) instead of vfork(2) 2021-10-24 11:51 Christos Zoulas * Add support for msdos dates and times 2021-10-20 9:55 Christos Zoulas * use the system byte swapping functions if available (Werner Fink) 2021-10-18 11:57 Christos Zoulas * release 5.41 2021-09-23 03:51 Christos Zoulas * Avinash Sonawane: Fix tzname detection 2021-09-03 09:17 Christos Zoulas * Fix relationship tests with "search" magic, don't short circuit logic 2021-07-13 01:06 Christos Zoulas * Fix memory leak in compile mode 2021-07-01 03:51 Christos Zoulas * PR/272: kiefermat: Only set returnval = 1 when we printed something (in all cases print or !print). This simplifies the logic and fixes the issue in the PR with -k and --mime-type there was no continuation printed before the default case. 2021-06-30 13:07 Christos Zoulas * PR/270: Don't translate unprintable characters in %s magic formats when -r * PR/269: Avoid undefined behavior with clang (adding offset to NULL) 2021-05-09 18:38 Christos Zoulas * Add a new flag (f) that requires that the match is a full word, not a partial word match. * Add varint types (unused) 2021-04-19 17:17 Christos Zoulas * PR/256: mutableVoid: If the file is less than 3 bytes, use the file length to determine type * PR/259: aleksandr.v.novichkov: mime printing through indirect magic is not taken into account, use match directly so that it does. 2021-04-04 17:02 Christos Zoulas * count the total bytes found not the total byte positions in order to determine encoding (Anatol Belski) @ text @d3 1 a3 1 # $File: fsav,v 1.22 2021/04/26 15:56:00 christos Exp $ d38 1 a38 1 #>>>>>>11 ubyte x size %#02x d89 1 a89 1 #>>>>>>>>>>&1 ubequad x \b, padding %#16.16llx d92 1 a92 1 #>>512 ubeshort x \b, database MAGIC %#x @ 1.1.1.1.2.1 log @file fsav was added on branch jym-xensuspend on 2009-05-13 18:51:56 +0000 @ text @d1 62 @ 1.1.1.1.2.2 log @Sync with HEAD. Second commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html @ text @a0 62 #------------------------------------------------------------------------------ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@@mnt.org) # ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def} 0 beshort 0x1575 fsav macro virus signatures >8 leshort >0 (%d- >11 byte >0 \b%02d- >10 byte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign.zip #10 ubyte <12 #>9 ubyte <32 #>>8 ubyte 0x0a #>>>12 ubyte 0x07 #>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d- #>>>>10 byte 0 \b01- #>>>>10 byte 1 \b02- #>>>>10 byte 2 \b03- #>>>>10 byte 3 \b04- #>>>>10 byte 4 \b05- #>>>>10 byte 5 \b06- #>>>>10 byte 6 \b07- #>>>>10 byte 7 \b08- #>>>>10 byte 8 \b09- #>>>>10 byte 9 \b10- #>>>>10 byte 10 \b11- #>>>>10 byte 11 \b12- #>>>>9 ubyte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign2.zip #0 ubyte 0x62 #>1 ubyte 0xF5 #>>2 ubyte 0x1 #>>>3 ubyte 0x1 #>>>>4 ubyte 0x0e #>>>>>13 ubyte >0 fsav virus signatures #>>>>>>11 ubyte x size 0x%02x #>>>>>>12 ubyte x \b%02x #>>>>>>13 ubyte x \b%02x bytes # Joerg Jenderek: joerg dot jenderek at web dot de # http://www.clamav.net/doc/latest/html/node45.html # .cvd files start with a 512 bytes colon separated header # ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime # + gzipped tarball files 0 string ClamAV-VDB: >11 string >\0 Clam AntiVirus database %-.23s >>34 string : >>>35 string !: \b, version >>>>35 string x \b%-.1s >>>>>36 string !: >>>>>>36 string x \b%-.1s >>>>>>>37 string !: >>>>>>>>37 string x \b%-.1s >>>>>>>>>38 string !: >>>>>>>>>>38 string x \b%-.1s >512 string \037\213 \b, gzipped >769 string ustar\0 \b, tarred # Type: Grisoft AVG AntiVirus # From: David Newgas 0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data @