1clamscan(1)                     Clam AntiVirus                     clamscan(1)
2
3
4

NAME

6       clamscan - scan files and directories for viruses
7

SYNOPSIS

9       clamscan [options] [file/directory/-]
10

DESCRIPTION

12       clamscan is a command line anti-virus scanner.
13

OPTIONS

15       Most  of  the  options are simple switches which enable or disable some
16       features. Options marked with [=yes/no(*)] can be  optionally  followed
17       by  =yes/=no; if they get called without the boolean argument the scan‐
18       ner will assume 'yes'. The asterisk marks the default internal  setting
19       for a given option.
20
21       -h, --help
22              Print help information and exit.
23
24       -V, --version
25              Print version number and exit.
26
27       -v, --verbose
28              Be verbose.
29
30       --debug
31              Display debug messages from libclamav.
32
33       --quiet
34              Be quiet (only print error messages).
35
36       --stdout
37              Write all messages (except for libclamav output) to the standard
38              output (stdout).
39
40       -d FILE/DIR, --database=FILE/DIR
41              Load virus database from FILE or load all virus  database  files
42              from DIR.
43
44       --official-db-only=[yes/no(*)]
45              Only  load  the  official  signatures  published  by  the ClamAV
46              project.
47
48       -l FILE, --log=FILE
49              Save scan report to FILE.
50
51       --tempdir=DIRECTORY
52              Create temporary files in DIRECTORY. Directory must be  writable
53              for the '' user or unprivileged user running clamscan.
54
55       --leave-temps
56              Do not remove temporary files.
57
58       -f FILE, --file-list=FILE
59              Scan files listed line by line in FILE.
60
61       -r, --recursive
62              Scan  directories  recursively.  All  the  subdirectories in the
63              given directory will be scanned.
64
65       --cross-fs=[yes(*)/no]
66              Scan files and directories on other filesystems.
67
68       --follow-dir-symlinks=[0/1(*)/2]
69              Follow directory symlinks. There are 3 options: 0 - never follow
70              directory  symlinks,  1  (default)  - only follow directory sym‐
71              links, which are passed as direct arguments  to  clamscan.  2  -
72              always follow directory symlinks.
73
74       --follow-file-symlinks=[0/1(*)/2]
75              Follow file symlinks. There are 3 options: 0 - never follow file
76              symlinks, 1 (default) - only follow  file  symlinks,  which  are
77              passed  as  direct arguments to clamscan. 2 - always follow file
78              symlinks.
79
80       --bell Sound bell on virus detection.
81
82       --no-summary
83              Do not display summary at the end of scanning.
84
85       --exclude=REGEX, --exclude-dir=REGEX
86              Don't scan file/directory  names  matching  regular  expression.
87              These options can be used multiple times.
88
89       --include=REGEX, --include-dir=REGEX
90              Only  scan  file/directory  matching  regular  expression. These
91              options can be used multiple times.
92
93       -i, --infected
94              Only print infected files.
95
96       --remove[=yes/no(*)]
97              Remove infected files. Be careful.
98
99       --move=DIRECTORY
100              Move infected files into DIRECTORY. Directory must  be  writable
101              for the '' user or unprivileged user running clamscan.
102
103       --copy=DIRECTORY
104              Copy  infected  files into DIRECTORY. Directory must be writable
105              for the '' user or unprivileged user running clamscan.
106
107       --bytecode[=yes(*)/no]
108              With this option enabled ClamAV  will  load  bytecode  from  the
109              database.  It  is highly recommended you keep this option turned
110              on, otherwise you may miss detections for many new viruses.
111
112       --bytecode-unsigned[=yes/no(*)]
113              Allow loading bytecode from  outside  digitally  signed  .c[lv]d
114              files.
115
116       --bytecode-timeout=N
117              Set bytecode timeout in milliseconds (default: 60000 = 60s)
118
119       --detect-pua[=yes/no(*)]
120              Detect Possibly Unwanted Applications.
121
122       --exclude-pua=CATEGORY
123              Exclude  a specific PUA category. This option can be used multi‐
124              ple times. See http://www.clamav.net/support/pua  for  the  com‐
125              plete list of PUA
126
127       --include-pua=CATEGORY
128              Only  include  a  specific PUA category. This option can be used
129              multiple times. See  http://www.clamav.net/support/pua  for  the
130              complete list of PUA
131
132       --detect-structured[=yes/no(*)]
133              Use  the  DLP  (Data  Loss  Prevention) module to detect SSN and
134              Credit Card numbers inside documents/text files.
135
136       --structured-ssn-format=X
137              X=0: search for valid SSNs formatted  as  xxx-yy-zzzz  (normal);
138              X=1:  search  for  valid SSNs formatted as xxxyyzzzz (stripped);
139              X=2: search for both formats. Default is 0.
140
141       --structured-ssn-count=#n
142              This option sets the lowest number of  Social  Security  Numbers
143              found in a file to generate a detect (default: 3).
144
145       --structured-cc-count=#n
146              This  option sets the lowest number of Credit Card numbers found
147              in a file to generate a detect (default: 3).
148
149       --scan-mail[=yes(*)/no]
150              Scan mail files. If you turn off this option, the original files
151              will  still  be  scanned,  but  without  parsing individual mes‐
152              sages/attachments.
153
154       --phishing-sigs[=yes(*)/no]
155              Use the signature-based phishing detection.
156
157       --phishing-scan-urls[=yes(*)/no]
158              Use the url-based heuristic phishing detection (Phishing.Heuris‐
159              tics.Email.*)
160
161       --heuristic-scan-precedence[=yes/no(*)]
162              Allow  heuristic  match  to  take precedence. When enabled, if a
163              heuristic  scan  (such  as  phishingScan)  detects  a   possible
164              virus/phish  it  will  stop scan immediately. Recommended, saves
165              CPU scan-time. When disabled, virus/phish detected by  heuristic
166              scans  will be reported only at the end of a scan. If an archive
167              contains both a heuristically detected  virus/phish, and a  real
168              malware, the real malware will be reported Keep this disabled if
169              you intend to handle "*.Heuristics.*" viruses  differently  from
170              "real"  malware.  If  a non-heuristically-detected virus (signa‐
171              ture-based) is found first,  the  scan  is  interrupted  immedi‐
172              ately, regardless of this config option.
173
174       --phishing-ssl[=yes/no(*)]
175              Block SSL mismatches in URLs (might lead to false positives!).
176
177       --phishing-cloak[=yes/no(*)]
178              Block cloaked URLs (might lead to some false positives).
179
180       --algorithmic-detection[=yes(*)/no]
181              In  some  cases (eg. complex malware, exploits in graphic files,
182              and others), ClamAV uses special algorithms to provide  accurate
183              detection.  This  option  can be used to control the algorithmic
184              detection.
185
186       --scan-pe[=yes(*)/no]
187              PE stands for Portable Executable - it's an executable file for‐
188              mat used in all 32-bit versions of Windows operating systems. By
189              default ClamAV performs deeper analysis of executable files  and
190              attempts  to  decompress popular executable packers such as UPX,
191              Petite, and FSG. If you turn off this option, the original files
192              will still be scanned but without additional processing.
193
194       --scan-elf[=yes(*)/no]
195              Executable and Linking Format is a standard format for UN*X exe‐
196              cutables. This option controls the ELF support. If you  turn  it
197              off,  the original files will still be scanned but without addi‐
198              tional processing.
199
200       --scan-ole2[=yes(*)/no]
201              Scan Microsoft Office documents and .msi files. If you turn  off
202              this  option, the original files will still be scanned but with‐
203              out additional processing.
204
205       --scan-pdf[=yes(*)/no]
206              Scan within PDF files. If you turn off this option, the original
207              files will still be scanned, but without decoding and additional
208              processing.
209
210       --scan-html[=yes(*)/no]
211              Detect, normalize/decrypt  and  scan  HTML  files  and  embedded
212              scripts.  If  you  turn off this option, the original files will
213              still be scanned, but without additional processing.
214
215       --scan-archive[=yes(*)/no]
216              Scan archives supported by  libclamav.  If  you  turn  off  this
217              option,  the  original  files will still be scanned, but without
218              unpacking and additional processing.
219
220       --detect-broken[=yes/no(*)]
221              Mark broken executables as viruses (Broken.Executable).
222
223       --block-encrypted[=yes/no(*)]
224              Mark   encrypted    archives    as    viruses    (Encrypted.Zip,
225              Encrypted.RAR).
226
227       --max-files=#n
228              Extract at most #n files from each scanned file (when this is an
229              archive, a document or another kind of container).  This  option
230              protects your system against DoS attacks (default: 10000)
231
232       --max-filesize=#n
233              Extract and scan at most #n kilobytes from each archive. You may
234              pass the value in megabytes in format xM or xm,  where  x  is  a
235              number.  This  option  protects  your system against DoS attacks
236              (default: 25 MB, max: <4 GB)
237
238       --max-scansize=#n
239              Extract and scan at most #n kilobytes from  each  scanned  file.
240              You  may pass the value in megabytes in format xM or xm, where x
241              is a number.  This  option  protects  your  system  against  DoS
242              attacks (default: 100 MB, max: <4 GB)
243
244       --max-recursion=#n
245              Set  archive  recursion  level  limit. This option protects your
246              system against DoS attacks (default: 16).
247
248       --max-dir-recursion=#n
249              Maximum depth directories are scanned at (default: 15).
250

EXAMPLES

252       (0) Scan a single file:
253
254              clamscan file
255
256       (1) Scan a current working directory:
257
258              clamscan
259
260       (2) Scan all files (and subdirectories) in /home:
261
262              clamscan -r /home
263
264       (3) Load database from a file:
265
266              clamscan -d /tmp/newclamdb -r /tmp
267
268       (4) Scan a data stream:
269
270              cat testfile | clamscan -
271
272       (5) Scan a mail spool directory:
273
274              clamscan -r /var/spool/mail
275

RETURN CODES

277       0 : No virus found.
278
279       1 : Virus(es) found.
280
281       2 : Some error(s) occured.
282

CREDITS

284       Please check the full documentation for credits.
285

AUTHOR

287       Tomasz Kojm <tkojm@clamav.net>
288

SEE ALSO

290       clamdscan(1), freshclam(1), freshclam.conf(5)
291
292
293
294ClamAV 0.97.3                  December 30, 2008                   clamscan(1)
Impressum