Kaspersky report file
The Kaspersky Anti-Virus report files are stored in a proprietary file format.
The following information is based on the current understanding of the Kaspersky Report File format.
Overview
A Kaspersky Report File consists of:
- file header
- log record index
- array of log records
File header
The file header is 80 bytes in size and consists of:

| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | "RPD2" | Signature |
| 4 | 4 | 2 | Unknown, version? |
| 8 | 8 | | Unknown (empty values?) |
| 16 | 4 | | Unknown A |
| 20 | 4 | 0x1000 | Unknown (record index size?) |
| 24 | 4 | | Unknown (Record offset?) |
| 28 | 4 | | Unknown (empty value) |
| 32 | 4 | | File size |
| 36 | 4 | | Unknown (empty value) |
| 40 | 8 | | Unknown timestamp |
| 48 | 8 | | Unknown timestamp |
| 56 | 8 | | Unknown timestamp |
| 64 | 8 | | Unknown (empty values?) |
| 72 | 4 | | Next available record number? |
| 76 | 4 | | Unknown (empty value) |
Log records index
Log records index entry
A log records index entry is 16 bytes in size and consists of:

| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | | Record offset |
| 4 | 4 | | Unknown (empty value) |
| 8 | 4 | | Record number |
| 12 | 4 | | Unknown (empty value) |
Log records
Log record header
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | | Log record data size |
| 4 | 8 | | Unknown timestamp |
| 12 | ... | | Log record data |
Log record data
The record data starts with some type values, followed by the actual data. Currently it is assumed that the record data format is (partially) dependent on the subsystem that generated the log record, e.g. the on-access scanner (oas).
Date and time values
The date and time values are stored as the number of 10 ns intervals since January 1, year 1, 00:00:00 local time.
E.g. the timestamp: 0x582db22720fb9bc9

```python
import datetime

# The value counts 10 ns intervals, so dividing by 100 yields microseconds.
# Integer division avoids float precision loss on the 64-bit value.
timestamp = 0x582db22720fb9bc9
print(datetime.datetime(1, 1, 1) + datetime.timedelta(microseconds=timestamp // 100))
```

Output:

```
2014-06-25 15:01:44.164668
```
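A small bounds-checked parser for the structures described above, added here as an example; it is not code from the original page or from Kaspersky. It assumes little-endian byte order, that the index starts directly after the header and runs up to the record offset, that an all-zero index entry ends the used slots, and that the record data size excludes the 12-byte record header; `build_sample()` constructs a synthetic file so the parser can be run offline.

```python
import datetime
import struct

SIGNATURE = b"RPD2"
HEADER_FMT = "<4sIQIIIIIIQQQQII"  # 80-byte file header; little-endian byte order is assumed
INDEX_ENTRY_FMT = "<IIII"         # 16-byte log records index entry
RECORD_HEADER_FMT = "<IQ"         # 12-byte log record header: data size (assumed to exclude the header), timestamp

def timestamp_to_datetime(value):
    """10 ns intervals since 0001-01-01 00:00:00 (local time) -> datetime, using integer math."""
    return datetime.datetime(1, 1, 1) + datetime.timedelta(microseconds=value // 100)

def parse_records(data):
    """Parse header and index; return (header dict, [(record number, timestamp, data), ...])."""
    f = struct.unpack_from(HEADER_FMT, data, 0)
    if f[0] != SIGNATURE:
        raise ValueError("bad signature %r" % (f[0],))
    header = {"version": f[1], "index_size": f[4], "records_offset": f[5], "file_size": f[7],
              "timestamps": [timestamp_to_datetime(t) for t in f[9:12]], "next_record_number": f[13]}
    if header["file_size"] != len(data):
        raise ValueError("header file size %d != actual %d" % (header["file_size"], len(data)))
    records = []
    # Assumed: the index directly follows the header and an all-zero entry ends the used slots.
    for off in range(80, min(header["records_offset"], len(data) - 15), 16):
        rec_off, _, number, _ = struct.unpack_from(INDEX_ENTRY_FMT, data, off)
        if rec_off == 0:
            break
        if rec_off + 12 > len(data):
            raise ValueError("index entry %d points outside the file" % number)
        size, ts = struct.unpack_from(RECORD_HEADER_FMT, data, rec_off)
        if rec_off + 12 + size > len(data):
            raise ValueError("record %d data size runs past end of file" % number)
        records.append((number, timestamp_to_datetime(ts), data[rec_off + 12:rec_off + 12 + size]))
    return header, records

def build_sample():
    """Constructed sample with two 'oas' records (not a real Kaspersky report file)."""
    ts = 0x582DB22720FB9BC9
    payloads = [b"oas\x00scan started", b"oas\x00scan finished"]
    records = b"".join(struct.pack(RECORD_HEADER_FMT, len(p), ts + i * 10**8) + p
                       for i, p in enumerate(payloads))
    index, off = b"", 80 + 0x1000
    for i, p in enumerate(payloads):
        index += struct.pack(INDEX_ENTRY_FMT, off, 0, i + 1, 0)
        off += 12 + len(p)
    file_size = 80 + 0x1000 + len(records)
    header = struct.pack(HEADER_FMT, SIGNATURE, 2, 0, 0, 0x1000, 80 + 0x1000, 0, file_size, 0,
                         ts, ts, ts, 0, len(payloads) + 1, 0)
    return header + index.ljust(0x1000, b"\x00") + records
```

A truncated or tampered file fails the file size and bounds checks with a `ValueError` instead of being silently misparsed.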