- casing does not matter.
- search modifiers have to respect the case sensitivity.
- search values does not need to respect the case sensitivity.
- dates are stored as int64 (unix timestamps)
- dates are in ISO format: 2023-09-12T14:30:00
- type=pe and tag=upx // and is optional, by default, we always AND 2 search sub-expressions
- type=pe or tag=upx
- ( type=pe or tag=upx ) and avast!=locky
- size >= 1000000 // by default, it's bytes
- size < 1000KB
- size > 1MB
- fs >= 2009
- fs <= 2020-12
- fs <= 2020-01-30
- fs < 2012-08-21T1
- fs < 2012-08-21T16:59
- fs < 2012-08-21T16:59:20 // UTC
- fs < 2012-08-21T16:59:20Z // UTC explicit
- fs < 2012-08-21T16:59:20+02:00 // 2 hours ahead of UTC
- fs < 3d
- ls has the same syntax as
fs.
- size (int)
- type (string) enum { pe, elf, macho, txt}
- extension (string) enum { dll, exe, ps1 }
- name: (string)
- trid: (array)
- packer: (array)
- magic: (string)
- tag: (string)
- fs (first seen): (string date)
- ls (last scanned): (string date)
- positives: int (max = 14)
- crc32: (string)
- engines (string), search in all AntiVirus
- avast: (string)
- avira: (string)
- bitdefender: (string)
- clamav: (string)
- comodo: (string)
- drweb: (string)
- eset: (string)
- fsecure: (string)
- kaspersky: (string)
- mcafee: (string)
- sophos: (string)
- symantec: (string)
- trendmicro: (string)
- windefender: (string)