Difference between revisions of "SBI file format"

From SpybotWiki
m (Example: added block header comments)
m (Description: added block header comment info)
Line 32: Line 32:
  
 
Each product is started with two colons followed by a space, then the product name, which may, but should not, contain spaces. An upright line can be used to add an optional description shown on the ''Ignore Products'' page inside the application.
 
Each product is started with two colons followed by a space, then the product name, which may, but should not, contain spaces. An upright line can be used to add an optional description shown on the ''Ignore Products'' page inside the application.
 +
 +
Inside a product, various blocks can be defines, as seen by the first two comment lines in the examples products. These blocks list a ''category'' (TODO: list them), the number of samples analyzed to write this block (''Cnt''), the name of the ''detective'' creating this block, and the date.
  
 
All other lines are intepreted as [[SBI Commands]], defining what exactly is to be detected.
 
All other lines are intepreted as [[SBI Commands]], defining what exactly is to be detected.
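
Review bot: the added paragraph has two wording slips, "various blocks can be defines" and "the examples products", which should read "can be defined" and "the example products". It also goes in with "(TODO: list them)" where the category list belongs. It gives the field name only for the sample count (''Cnt''), so a reader cannot tell which tag carries the category, the detective or the date. Either list the categories or link to a page that does, and name each tag next to the value it holds.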

Revision as of 08:31, 28 May 2008

SBI files are detection databases that can be used to tell Spybot - Search & Destroy where and how to look for malware.

This document describes the OpenSBI format, which is a plain text format that can be used by anyone.

Usage

Inside the Spybot - Search & Destroy program files folder, you'll find a subfolder named Includes. This folder contains the standard detection databases distributed by Safer Networking Ltd., but you can also create your own files in here. Every file here will be shown inside the application on the Filesets page (you may have to switch to Advanced Mode to see this).

Example

// info: This is an example fileset
// info|Deutsch: Dies ist ein Beispiel-Datensatz
// date: 2008-02-17 (1.5)
 
:: IAmSpyware|This is just an invented bot
// {Cat:Test}{Cnt:1}
// {Det:myname,2008-02-17}
File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize>=10"
File:"<$FILE_DATA>","<$SYSDIR>\WayTooSmall.txt","filesize=5"
 
:: SecondProduct
// {Cat:Test}{Cnt:0}
// {Det:myname,2008-02-17}
NoOp:"setenv=silly:example"

Description

The first thing you'll notice in the example above is the comment lines: every line beginning with two slashes (//) is a comment line, and may appear anywhere in the file. These are the only lines that you can use freely, along with empty lines as fillers to make the text easier to read. There are a few special comment lines:

  • The first comment in every file should be of the info type shown above; this is the information shown inside the application on the Filesets page.
  • These are localizable as shown in the second line, where Deutsch is the localized name of the German language.
  • Specifying a date, in yyyy-mm-dd format, optionally with a minimum Spybot-S&D version in brackets after it, is also recommended.
  • ...

Each product starts with two colons followed by a space, then the product name, which may, but should not, contain spaces. An upright line (|) can be used to add an optional description shown on the Ignore Products page inside the application.

Inside a product, various blocks can be defined, as seen in the first two comment lines of the example products. These blocks list a category (TODO: list them), the number of samples analyzed to write this block (Cnt), the name of the detective creating this block, and the date.

All other lines are interpreted as SBI Commands, defining what exactly is to be detected.
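
A small reader for the layout described above, useful for checking a custom fileset before it is placed in the Includes folder. This is an added example, not part of the wiki page and not Spybot's own code. The function name parse_sbi, the returned dictionary layout, and the rule that a {Cat:...} tag opens a new block are assumptions made for illustration.

```python
import re
# Constructed sample input: the example fileset shown on this page.
SAMPLE = r'''// info: This is an example fileset
// info|Deutsch: Dies ist ein Beispiel-Datensatz
// date: 2008-02-17 (1.5)

:: IAmSpyware|This is just an invented bot
// {Cat:Test}{Cnt:1}
// {Det:myname,2008-02-17}
File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize>=10"
File:"<$FILE_DATA>","<$SYSDIR>\WayTooSmall.txt","filesize=5"

:: SecondProduct
// {Cat:Test}{Cnt:0}
// {Det:myname,2008-02-17}
NoOp:"setenv=silly:example"
'''

INFO = re.compile(r'^//\s*info(?:\|([^:]+))?:\s*(.*)$')   # optional |Language
DATE = re.compile(r'^//\s*date:\s*(\d{4}-\d{2}-\d{2})(?:\s*\(([^)]+)\))?$')
TAG = re.compile(r'\{(\w+):([^}]*)\}')                     # {Cat:..}{Cnt:..}{Det:..}
CMD = re.compile(r'^(\w+):(.*)$')                          # name:arguments

def parse_sbi(text):
    """Return header metadata and products -> blocks -> commands."""
    doc = {"info": {}, "date": None, "min_version": None, "products": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        product = doc["products"][-1] if doc["products"] else None
        if line.startswith("//"):
            tags = dict(TAG.findall(line))
            if tags and product is not None:
                last = product["blocks"][-1]
                if "Cat" in tags and ("Cat" in last["meta"] or last["commands"]):
                    product["blocks"].append({"meta": {}, "commands": []})  # assumed block start
                product["blocks"][-1]["meta"].update(tags)
            elif product is None and (m := INFO.match(line)):
                doc["info"][m.group(1) or "default"] = m.group(2)
            elif product is None and (m := DATE.match(line)):
                doc["date"], doc["min_version"] = m.groups()
        elif line.startswith(":: "):
            name, _, desc = line[3:].partition("|")
            doc["products"].append({"name": name.strip(), "description": desc.strip() or None,
                                    "blocks": [{"meta": {}, "commands": []}]})
        elif line and (product is None or not CMD.match(line)):
            raise ValueError(f"line {lineno}: expected comment, product or command: {raw!r}")
        elif line:
            product["blocks"][-1]["commands"].append(CMD.match(line).groups())
    return doc
```

Calling parse_sbi(SAMPLE) returns both products with their block tags and command lines. A command that appears before any product line raises ValueError with the line number.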