1Clam Daemon(8)                  Clam AntiVirus                  Clam Daemon(8)
2
3
4

NAME

6       clamd - an anti-virus daemon
7

SYNOPSIS

9       clamd [options]
10

DESCRIPTION

12       The  daemon  listens for incoming connections on Unix and/or TCP socket
13       and scans files or directories on demand. It  reads  the  configuration
14       from /etc/clamd.d/scan.conf
15

COMMANDS

17       It's recommended to prefix clamd commands with the letter z (eg. zSCAN)
18       to indicate that the command will be delimited by a NULL character  and
19       that  clamd should continue reading command data until a NULL character
20       is read. The null delimiter assures that the complete command  and  its
21       entire  argument  will  be processed as a single command. Alternatively
22       commands may be prefixed with the letter n (e.g. nSCAN) to use  a  new‐
23       line  character  as  the  delimiter.  Clamd  replies  will  honour  the
24       requested terminator in turn.  If clamd doesn't recognize the  command,
25       or the command doesn't follow the requirements specified below, it will
26       reply with an error message, and close the connection.
27
28       Clamd recognizes the following commands:
29
30
31       PING   Check the server's state. It should reply with "PONG".
32
33       VERSION
34              Print program and database versions.
35
36       RELOAD Reload the virus databases.
37
38       SHUTDOWN
39              Perform a clean exit.
40
41       SCAN file/directory
42              Scan a file or a directory (recursively)  with  archive  support
43              enabled  (if  not  disabled  in  clamd.conf).  A  full  path  is
44              required.
45
46       CONTSCAN file/directory
47              Scan  file  or  directory  (recursively)  with  archive  support
48              enabled and don't stop the scanning when a virus is found.
49
50       MULTISCAN file/directory
51              Scan  file  in  a  standard  way or scan directory (recursively)
52              using multiple threads (to  make  the  scanning  faster  on  SMP
53              machines).
54
55       ALLMATCHSCAN file/directory
56              ALLMATCHSCAN  works  just  like  SCAN except that it sets a mode
57              where scanning continues after finding a match within a file.
58
59       INSTREAM
60              It is mandatory to prefix this command with n or z.
61
62              Scan a stream of data. The stream is sent to  clamd  in  chunks,
63              after  INSTREAM,  on  the  same  socket on which the command was
64              sent.  This avoids the overhead of establishing new TCP  connec‐
65              tions  and  problems  with  NAT.  The  format  of  the chunk is:
66              '<length><data>' where <length> is the  size  of  the  following
67              data  in bytes expressed as a 4 byte unsigned integer in network
68              byte order and <data> is the actual chunk. Streaming  is  termi‐
69              nated  by  sending  a  zero-length  chunk.  Note:  do not exceed
70              StreamMaxLength as defined in clamd.conf, otherwise  clamd  will
71              reply  with  INSTREAM  size limit exceeded and close the connec‐
72              tion.
73
74       FILDES It is mandatory to newline terminate  this  command,  or  prefix
75              with n or z.
76
77              This  command  only  works  on UNIX domain sockets.  Scan a file
78              descriptor.  After  issuing  a  FILDES  command   a   subsequent
79              rfc2292/bsd4.4  style packet (with at least one dummy character)
80              is sent to clamd carrying the  file  descriptor  to  be  scanned
81              inside  the  ancillary  data.  Alternatively the file descriptor
82              may be sent in the same packet, including the extra character.
83
84       STATS  It is mandatory to newline terminate  this  command,  or  prefix
85              with n or z, it is recommended to only use the z prefix.
86
87              Replies  with  statistics about the scan queue, contents of scan
88              queue, and memory usage. The exact reply format  is  subject  to
89              change in future releases.
90
91       IDSESSION, END
92              It is mandatory to prefix this command with n or z, and all com‐
93              mands inside IDSESSION must be prefixed.
94
95              Start/end a clamd  session.  Within  a  session  multiple  SCAN,
96              INSTREAM,  FILDES,  VERSION,  STATS  commands can be sent on the
97              same socket without opening new connections. Replies from  clamd
98              will be in the form '<id>: <response>' where <id> is the request
99              number (in ascii, starting from 1) and <response> is  the  usual
100              clamd  reply.  The reply lines have same delimiter as the corre‐
101              sponding command had.  Clamd will  process  the  commands  asyn‐
102              chronously, and reply as soon as it has finished processing.
103
104              Clamd  requires  clients to read all the replies it sent, before
105              sending more commands to prevent send()  deadlocks.  The  recom‐
106              mended  way  to  implement  a client that uses IDSESSION is with
107              non-blocking sockets, and a select()/poll() loop: whenever  send
108              would  block,  sleep  in  select/poll until either you can write
109              more data, or read more replies.  Note that  using  non-blocking
110              sockets   without   the   select/poll   loop   and   alternating
111              recv()/send() doesn't comply with clamd's requirements.
112
113              If clamd detects that a client has deadlocked,   it  will  close
114              the  connection.  Note that clamd may close an IDSESSION connec‐
115              tion too if you don't follow the  protocol's  requirements.  The
116              client can use the PING command to keep the connection alive.
117
118       VERSIONCOMMANDS
119              It  is  mandatory to prefix this command with either n or z.  It
120              is recommended to use nVERSIONCOMMANDS.
121
122              Print program and database versions, followed by  "|  COMMANDS:"
123              and  a  space-delimited list of supported commands.  Clamd <0.95
124              will recognize this as the VERSION command, and reply only  with
125              their version, without the commands list.
126
127              This  command  can be used as an easy way to check for IDSESSION
128              support for example.
129
130       DEPRECATED COMMANDS
131
132       STREAM Scan stream - on this command clamd will  return  "PORT  number"
133              you  should  connect  to and send data to scan. (DEPRECATED, use
134              INSTREAM instead)
135
136       NOT SUPPORTED COMMANDS
137
138       SESSION, END
139              Start/end a clamd session which will allow you to  run  multiple
140              commands per TCP session. (use IDSESSION instead)
141

OPTIONS

143       -h, --help
144              Output help information and exit.
145
146       -V, --version
147              Print the version number and exit.
148
149       -F, --foreground
150              Run in foreground; do not daemonize.
151
152       --debug
153              Enable debug mode.
154
155       -c FILE, --config-file=FILE
156              Read configuration from FILE.
157

SIGNALS

159       Clamd recognizes the following signals:
160
161       SIGHUP Reopen the logfile.
162
163       SIGUSR2
164              Reload the signature databases.
165
166       SIGTERM
167              Perform a clean exit.
168

FILES

170       /etc/clamd.d/scan.conf
171

CREDITS

173       Please check the full documentation for credits.
174

AUTHOR

176       Tomasz Kojm <tkojm@clamav.net>
177

SEE ALSO

179       clamd.conf(5),   clamdscan(1),  freshclam(1),  freshclam.conf(5),  cla‐
180       mav-milter(8)
181
182
183
184ClamAV 0.103.2                 February 12, 2009                Clam Daemon(8)
Impressum