SBI file format

From SpybotWiki
Jump to: navigation, search

SBI files are detection databases than can be used to tell Spybot - Search & Destroy where and how to look for malware.

This document describes the OpenSBI format, which is a plain text format that can be used by anyone.

Usage

Inside the Spybot - Search & Destroy program files folder, you'll find a subfolder named Includes. This folder contains the standard detection databases distributed by Safer Networking Ltd., but you can also create your own files in here. Every file here will be shown inside the application on the Filesets page (you may have to switch to Advanced Mode to see this).

Example

// info: This is an example fileset
// info|Deutsch: Dies ist ein Beispiel-Datensatz
// date: 2008-02-17 (1.5)
 
:: IAmSpyware|This is just an invented bot
// {Cat:Test}{Cnt:1}
// {Det:myname,2008-02-17}
File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize>=10"
File:"<$FILE_DATA>","<$SYSDIR>\WayTooSmall.txt","filesize=5"
// this is just for fun
 
:: SecondProduct
// {Cat:Test}{Cnt:0}
// {Det:myname,2008-02-17}
NoOp:"setenv=silly:example"

Description

The first thing you'll notice in the example above are the comment lines; every line beginning with two dashes are comment lines, and may appear everywhere in the file. These are the only lines that you can freely use, along with empty lines as fillers to make the text easier to read. There are a few special comment lines:

File information

// info: This is an example fileset
// info|Deutsch: Dies ist ein Beispiel-Datensatz

The first comment in every file should be of the info type, which is the information shown inside the application on the Filesets page. These are localizable as shown in the second line, where Deutsch is the localized name of the German language.

Timestamp

// date: 2008-02-17 (1.5)

Specifiying a date, optionally with a minimum Spybot-S&D version in brackets behind it, is also recommended. We use the date format yyyy-mm-dd ('yyyy being the year in four digits, 'mm the month and dd the day, both with trailing zeros where necessary to make them two digits long) wherever possible.

Products

:: IAmSpyware|This is just an invented bot

Each product is started with two colons followed by a space, then the product name, which may, but should not, contain spaces.

An upright line can be used to add an optional description shown on the Ignore Products page inside the application. This description may be used for adding alternative names, in case a malware is known under various other names as well.

Detection blocks

// {Cat:Test}{Cnt:1}
// {Det:myname,2008-02-17}

Inside a product, various blocks can be defines, as seen by the first two comment lines in the examples products. These blocks list a category, the number of samples analyzed to write this block (Cnt), the name of the detective creating this block, and the date.

Whenever you add additional detection code at a later point under the same product name, it is recommended you add another such block header.

// this is just for fun

Regular comments can be used anywhere in the file to allow you to write down details that might not be apparent by reading just the code.

//i: this is just information
//e: this is an erroneous line
//fp: this line did cause a false positive

If you use many comments, it might make sense to use the above formats to indicate the type of comment; these will also be highlighted differently in the code editor for a quicker overview.

File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize>=10"
File:"<$FILE_DATA>","<$SYSDIR>\WayTooSmall.txt","filesize=5"

All other lines are intepreted as SBI Commands, defining what exactly is to be detected.

Categories
  • Adware
  • Cookie (used for defining pseudo-blocks for cookie domains actually defined in Cookies.sbs)
  • Dialer
  • Hijacker
  • Keylogger
  • Malware
  • PUPS (Possibly UnPopular Software)
  • Security (for changing dangerous official system settings even if they were not caused by malware)
  • Spyware
  • Test
  • Tracks
  • Trojan
  • Worm