1Clam Daemon(8) Clam AntiVirus Clam Daemon(8)
2
6 clamd - an anti-virus daemon
7
9 clamd [options]
10
12 The daemon listens for incoming connections on Unix and/or TCP socket
13 and scans files or directories on demand. It reads the configuration
14 from /etc/clamd.conf
15
17 It's recommended to prefix clamd commands with the letter z (eg. zSCAN)
18 to indicate that the command will be delimited by a NULL character and
19 that clamd should continue reading command data until a NULL character
20 is read. The null delimiter assures that the complete command and its
21 entire argument will be processed as a single command. Alternatively
22 commands may be prefixed with the letter n (e.g. nSCAN) to use a new‐
23 line character as the delimiter. Clamd replies will honour the
24 requested terminator in turn. If clamd doesn't recognize the command,
25 or the command doesn't follow the requirements specified below, it will
26 reply with an error message, and close the connection.
27 Clamd recognizes the following commands:
29 PING Check the server's state. It should reply with "PONG".
32 VERSION
34 Print program and database versions.
35 RELOAD Reload the virus databases.
37 SHUTDOWN
39 Perform a clean exit.
40 SCAN file/directory
42 Scan a file or a directory (recursively) with archive support
43 enabled (if not disabled in clamd.conf). A full path is
44 required.
45 CONTSCAN file/directory
47 Scan file or directory (recursively) with archive support
48 enabled and don't stop the scanning when a virus is found.
49 MULTISCAN file/directory
51 Scan file in a standard way or scan directory (recursively)
52 using multiple threads (to make the scanning faster on SMP
53 machines).
54 INSTREAM
56 It is mandatory to prefix this command with n or z.
57 Scan a stream of data. The stream is sent to clamd in chunks,
59 after INSTREAM, on the same socket on which the command was
60 sent. This avoids the overhead of establishing new TCP connec‐
61 tions and problems with NAT. The format of the chunk is:
62 '<length><data>' where <length> is the size of the following
63 data in bytes expressed as a 4 byte unsigned integer in network
64 byte order and <data> is the actual chunk. Streaming is termi‐
65 nated by sending a zero-length chunk. Note: do not exceed
66 StreamMaxLength as defined in clamd.conf, otherwise clamd will
67 reply with INSTREAM size limit exceeded and close the connec‐
68 tion.
69 FILDES It is mandatory to newline terminate this command, or prefix
71 with n or z.
72 This command only works on UNIX domain sockets. Scan a file
74 descriptor. After issuing a FILDES command a subsequent
75 rfc2292/bsd4.4 style packet (with at least one dummy character)
76 is sent to clamd carrying the file descriptor to be scanned
77 inside the ancillary data. Alternatively the file descriptor
78 may be sent in the same packet, including the extra character.
79 STATS IIt is mandatory to newline terminate this command, or prefix
81 with n or z, it is recommended to only use the z prefix.
82 Replies with statistics about the scan queue, contents of scan
84 queue, and memory usage. The exact reply format is subject to
85 change in future releases.
86 IDSESSION, END
88 It is mandatory to prefix this command with n or z, and all com‐
89 mands inside IDSESSION must be prefixed.
90 Start/end a clamd session. Within a session multiple SCAN,
92 INSTREAM, FILDES, VERSION, STATS commands can be sent on the
93 same socket without opening new connections. Replies from clamd
94 will be in the form '<id>: <response>' where <id> is the request
95 number (in ascii, starting from 1) and <response> is the usual
96 clamd reply. The reply lines have same delimiter as the corre‐
97 sponding command had. Clamd will process the commands asyn‐
98 chronously, and reply as soon as it has finished processing.
99 Clamd requires clients to read all the replies it sent, before
101 sending more commands to prevent send() deadlocks. The recom‐
102 mended way to implement a client that uses IDSESSION is with
103 non-blocking sockets, and a select()/poll() loop: whenever send
104 would block, sleep in select/poll until either you can write
105 more data, or read more replies. Note that using non-blocking
106 sockets without the select/poll loop and alternating
107 recv()/send() doesn't comply with clamd's requirements.
108 If clamd detects that a client has deadlocked, it will close
110 the connection. Note that clamd may close an IDSESSION connec‐
111 tion too if you don't follow the protocol's requirements. The
112 client can use the PING command to keep the connection alive.
113 VERSIONCOMMANDS
115 It is mandatory to prefix this command with either n or z. It
116 is recommended to use nVERSIONCOMMANDS.
117 Print program and database versions, followed by "| COMMANDS:"
119 and a space-delimited list of supported commands. Clamd <0.95
120 will recognize this as the VERSION command, and reply only with
121 their version, without the commands list.
122 This command can be used as an easy way to check for IDSESSION
124 support for example.
125 DEPRECATED COMMANDS
127 STREAM Scan stream - on this command clamd will return "PORT number"
129 you should connect to and send data to scan. (DEPRECATED, use
130 INSTREAM instead)
131 NOT SUPPORTED COMMANDS
133 SESSION, END
135 Start/end a clamd session which will allow you to run multiple
136 commands per TCP session. (use IDSESSION instead)
137
139 -h, --help
140 Output help information and exit.
141 -V, --version
143 Print the version number and exit.
144 -c FILE, --config-file=FILE
146 Read configuration from FILE.
147
149 Clamd recognizes the following signals:
150 SIGHUP Reopen the logfile.
152 SIGUSR2
154 Reload the signature databases.
155 SIGTERM
157 Perform a clean exit.
158
160 /etc/clamd.conf
161
163 Please check the full documentation for credits.
164
166 Tomasz Kojm <tkojm@clamav.net>
167
169 clamd.conf(5), clamdscan(1), freshclam(1), freshclam.conf(5), cla‐
170 mav-milter(8)
171ClamAV 0.97.3 February 12, 2009 Clam Daemon(8)