NAME¶
clamscan - scan files and directories for viruses
SYNOPSIS¶
clamscan [options] [file/directory/-]
DESCRIPTION¶
clamscan is a command line anti-virus scanner.
OPTIONS¶
Most of the options are simple switches which enable or disable some features.
Options marked with [=yes/no(*)] can be optionally followed by =yes/=no; if
they get called without the boolean argument the scanner will assume 'yes'.
The asterisk marks the default internal setting for a given option.
- -h, --help
- Print help information and exit.
- -V, --version
- Print version number and exit.
- -v, --verbose
- Be verbose.
- -a, --archive-verbose
- Show filenames inside scanned archives
- --debug
- Display debug messages from libclamav.
- --quiet
- Be quiet (only print error messages).
- --stdout
- Write all messages (except for libclamav output) to the
standard output (stdout).
- --no-summary
- Do not display summary at the end of scanning.
- -i, --infected
- Only print infected files.
- -o, --suppress-ok-results
- Skip printing OK files
- --bell
- Sound bell on virus detection.
- --tempdir=DIRECTORY
- Create temporary files in DIRECTORY. Directory must be
writable for the '' user or unprivileged user running clamscan.
- --leave-temps
- Do not remove temporary files.
- -d FILE/DIR, --database=FILE/DIR
- Load virus database from FILE or load all virus database
files from DIR.
- --official-db-only=[yes/no(*)]
- Only load the official signatures published by the ClamAV
project.
- -l FILE, --log=FILE
- Save scan report to FILE.
- -r, --recursive
- Scan directories recursively. All the subdirectories in the
given directory will be scanned.
- -z, --allmatch
- After a match, continue scanning within the file for
additional matches.
- --cross-fs=[yes(*)/no]
- Scan files and directories on other filesystems.
- --follow-dir-symlinks=[0/1(*)/2]
- Follow directory symlinks. There are 3 options: 0 - never
follow directory symlinks, 1 (default) - only follow directory symlinks,
which are passed as direct arguments to clamscan. 2 - always follow
directory symlinks.
- --follow-file-symlinks=[0/1(*)/2]
- Follow file symlinks. There are 3 options: 0 - never follow
file symlinks, 1 (default) - only follow file symlinks, which are passed
as direct arguments to clamscan. 2 - always follow file symlinks.
- -f FILE, --file-list=FILE
- Scan files listed line by line in FILE.
- --remove[=yes/no(*)]
- Remove infected files. Be careful!
- --move=DIRECTORY
- Move infected files into DIRECTORY. Directory must be
writable for the '' user or unprivileged user running clamscan.
- --copy=DIRECTORY
- Copy infected files into DIRECTORY. Directory must be
writable for the '' user or unprivileged user running clamscan.
- --exclude=REGEX, --exclude-dir=REGEX
- Don't scan file/directory names matching regular
expression. These options can be used multiple times.
- --include=REGEX, --include-dir=REGEX
- Only scan file/directory matching regular expression. These
options can be used multiple times.
- --bytecode[=yes(*)/no]
- With this option enabled ClamAV will load bytecode from the
database. It is highly recommended you keep this option turned on,
otherwise you may miss detections for many new viruses.
- --bytecode-unsigned[=yes/no(*)]
- Allow loading bytecode from outside digitally signed
.c[lv]d files.
- --bytecode-timeout=N
- Set bytecode timeout in milliseconds (default: 60000 =
60s)
- --statistics[=none(*)/bytecode/pcre]
- Collect and print execution statistics.
- --detect-pua[=yes/no(*)]
- Detect Possibly Unwanted Applications.
- --exclude-pua=CATEGORY
- Exclude a specific PUA category. This option can be used
multiple times. See http://www.clamav.net/doc/pua.html for the complete
list of PUA
- --include-pua=CATEGORY
- Only include a specific PUA category. This option can be
used multiple times. See http://www.clamav.net/doc/pua.html for the
complete list of PUA
- --detect-structured[=yes/no(*)]
- Use the DLP (Data Loss Prevention) module to detect SSN and
Credit Card numbers inside documents/text files.
- --structured-ssn-format=X
- X=0: search for valid SSNs formatted as xxx-yy-zzzz
(normal); X=1: search for valid SSNs formatted as xxxyyzzzz (stripped);
X=2: search for both formats. Default is 0.
- --structured-ssn-count=#n
- This option sets the lowest number of Social Security
Numbers found in a file to generate a detect (default: 3).
- --structured-cc-count=#n
- This option sets the lowest number of Credit Card numbers
found in a file to generate a detect (default: 3).
- --scan-mail[=yes(*)/no]
- Scan mail files. If you turn off this option, the original
files will still be scanned, but without parsing individual
messages/attachments.
- --phishing-sigs[=yes(*)/no]
- Use the signature-based phishing detection.
- --phishing-scan-urls[=yes(*)/no]
- Use the url-based heuristic phishing detection
(Phishing.Heuristics.Email.*)
- --heuristic-scan-precedence[=yes/no(*)]
- Allow heuristic match to take precedence. When enabled, if
a heuristic scan (such as phishingScan) detects a possible virus/phish it
will stop scan immediately. Recommended, saves CPU scan-time. When
disabled, virus/phish detected by heuristic scans will be reported only at
the end of a scan. If an archive contains both a heuristically detected
virus/phish, and a real malware, the real malware will be reported Keep
this disabled if you intend to handle "*.Heuristics.*" viruses
differently from "real" malware. If a non-heuristically-detected
virus (signature-based) is found first, the scan is interrupted
immediately, regardless of this config option.
- --phishing-ssl[=yes/no(*)]
- Block SSL mismatches in URLs (might lead to false
positives!).
- --phishing-cloak[=yes/no(*)]
- Block cloaked URLs (might lead to some false
positives).
- --partition-intersection[=yes/no(*)]
- Detect partition intersections in raw disk images using
heuristics.
- --algorithmic-detection[=yes(*)/no]
- In some cases (eg. complex malware, exploits in graphic
files, and others), ClamAV uses special algorithms to provide accurate
detection. This option can be used to control the algorithmic
detection.
- --scan-pe[=yes(*)/no]
- PE stands for Portable Executable - it's an executable file
format used in all 32-bit versions of Windows operating systems. By
default ClamAV performs deeper analysis of executable files and attempts
to decompress popular executable packers such as UPX, Petite, and FSG. If
you turn off this option, the original files will still be scanned but
without additional processing.
- --scan-elf[=yes(*)/no]
- Executable and Linking Format is a standard format for UN*X
executables. This option controls the ELF support. If you turn it off, the
original files will still be scanned but without additional
processing.
- --scan-ole2[=yes(*)/no]
- Scan Microsoft Office documents and .msi files. If you turn
off this option, the original files will still be scanned but without
additional processing.
- --scan-pdf[=yes(*)/no]
- Scan within PDF files. If you turn off this option, the
original files will still be scanned, but without decoding and additional
processing.
- --scan-swf[=yes(*)/no]
- Scan SWF files. If you turn off this option, the original
files will still be scanned but without additional processing.
- --scan-html[=yes(*)/no]
- Detect, normalize/decrypt and scan HTML files and embedded
scripts. If you turn off this option, the original files will still be
scanned, but without additional processing.
- --scan-archive[=yes(*)/no]
- Scan archives supported by libclamav. If you turn off this
option, the original files will still be scanned, but without unpacking
and additional processing.
- --detect-broken[=yes/no(*)]
- Mark broken executables as viruses
(Broken.Executable).
- --block-encrypted[=yes/no(*)]
- Mark encrypted archives as viruses (Encrypted.Zip,
Encrypted.RAR).
- --max-filesize=#n
- Extract and scan at most #n bytes from each archive. You
may pass the value in kilobytes in format xK or xk, or megabytes in format
xM or xm, where x is a number. This option protects your system against
DoS attacks (default: 25 MB, max: <4 GB)
- --max-scansize=#n
- Extract and scan at most #n bytes from each archive. The
size the archive plus the sum of the sizes of all files within archive
count toward the scan size. For example, a 1M uncompressed archive
containing a single 1M inner file counts as 2M toward max-scansize. You
may pass the value in kilobytes in format xK or xk, or megabytes in format
xM or xm, where x is a number. This option protects your system against
DoS attacks (default: 100 MB, max: <4 GB)
- --max-files=#n
- Extract at most #n files from each scanned file (when this
is an archive, a document or another kind of container). This option
protects your system against DoS attacks (default: 10000)
- --max-recursion=#n
- Set archive recursion level limit. This option protects
your system against DoS attacks (default: 16).
- --max-dir-recursion=#n
- Maximum depth directories are scanned at (default: 15).
- --max-embeddedpe=#n
- Maximum size file to check for embedded PE. You may pass
the value in kilobytes in format xK or xk, or megabytes in format xM or
xm, where x is a number (default: 10 MB, max: <4 GB).
- --max-htmlnormalize=#n
- Maximum size of HTML file to normalize. You may pass the
value in kilobytes in format xK or xk, or megabytes in format xM or xm,
where x is a number (default: 10 MB, max: <4 GB).
- --max-htmlnotags=#n
- Maximum size of normalized HTML file to scan. You may pass
the value in kilobytes in format xK or xk, or megabytes in format xM or
xm, where x is a number (default: 2 MB, max: <4 GB).
- --max-scriptnormalize=#n
- Maximum size of script file to normalize. You may pass the
value in kilobytes in format xK or xk, or megabytes in format xM or xm,
where x is a number (default: 5 MB, max: <4 GB).
- --max-ziptypercg=#n
- Maximum size zip to type reanalyze. You may pass the value
in kilobytes in format xK or xk, or megabytes in format xM or xm, where x
is a number (default: 1 MB, max: <4 GB).
- --max-partitions=#n
- This option sets the maximum number of partitions of a raw
disk image to be scanned. This must be a positive integer (default:
50).
- --max-iconspe=#n
- This option sets the maximum number of icons within a PE to
be scanned. This must be a positive integer (default: 100).
- --pcre-match-limit=#n
- Maximum calls to the PCRE match function (default:
10000).
- --pcre-recmatch-limit=#n
- Maximum recursive calls to the PCRE match function
(default: 5000).
- --pcre-max-filesize=#n
- Maximum size file to perform PCRE subsig matching (default:
25 MB, max: <4 GB).
- --enable-stats
- This option enables submission of statistical data.
(Default: stats submissions disabled)
- --stats-host-id
- This option sets the HostID, in the form of an UUID, to use
when submitting statistical information.
- --disable-pe-stats
- This option disables the submission of PE section data.
(Default: submitting of PE section data enabled if stats submissions as a
whole is enabled).
- --stats-timeout=#n
- This option sets the timeout in seconds to wait for
communication back from the stats server. (Default: 10).
EXAMPLES¶
- (0) Scan a single file:
-
clamscan file
- (1) Scan a current working directory:
-
clamscan
- (2) Scan all files (and subdirectories) in /home:
-
clamscan -r /home
- (3) Load database from a file:
-
clamscan -d /tmp/newclamdb -r /tmp
- (4) Scan a data stream:
-
cat testfile | clamscan -
- (5) Scan a mail spool directory:
-
clamscan -r /var/spool/mail
RETURN CODES¶
0 : No virus found.
- 1 : Virus(es) found.
- 2 : Some error(s) occured.
CREDITS¶
Please check the full documentation for credits.
AUTHOR¶
Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>
SEE ALSO¶
clamdscan(1),
freshclam(1),
freshclam.conf(5)