clamscan(1)                      Clam AntiVirus                      clamscan(1)

NAME
       clamscan - scan files and directories for viruses

SYNOPSIS
       clamscan [options] [file/directory/-]

DESCRIPTION
       clamscan is a command line anti-virus scanner.

OPTIONS
       Most of the options are simple switches which enable or disable some
       features. Options marked with [=yes/no(*)] can be optionally followed
       by =yes/=no; if they get called without the boolean argument the
       scanner will assume 'yes'. The asterisk marks the default internal
       setting for a given option.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version number and exit.

       -v, --verbose
              Be verbose.

       --debug
              Display debug messages from libclamav.

       --quiet
              Be quiet (only print error messages).

       --stdout
              Write all messages (except for libclamav output) to the standard
              output (stdout).

       -d FILE/DIR, --database=FILE/DIR
              Load virus database from FILE or load all virus database files
              from DIR.

       --official-db-only=[yes/no(*)]
              Only load the official signatures published by the ClamAV
              project.

       -l FILE, --log=FILE
              Save scan report to FILE.

       --tempdir=DIRECTORY
              Create temporary files in DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --leave-temps
              Do not remove temporary files.

       -f FILE, --file-list=FILE
              Scan files listed line by line in FILE.

       -r, --recursive
              Scan directories recursively. All the subdirectories in the
              given directory will be scanned.

       --cross-fs=[yes(*)/no]
              Scan files and directories on other filesystems.

       --follow-dir-symlinks=[0/1(*)/2]
              Follow directory symlinks. There are 3 options: 0 - never follow
              directory symlinks, 1 (default) - only follow directory
              symlinks, which are passed as direct arguments to clamscan. 2 -
              always follow directory symlinks.

       --follow-file-symlinks=[0/1(*)/2]
              Follow file symlinks. There are 3 options: 0 - never follow file
              symlinks, 1 (default) - only follow file symlinks, which are
              passed as direct arguments to clamscan. 2 - always follow file
              symlinks.

       --bell Sound bell on virus detection.

       --no-summary
              Do not display summary at the end of scanning.

       --exclude=REGEX, --exclude-dir=REGEX
              Don't scan file/directory names matching regular expression.
              These options can be used multiple times.

       --include=REGEX, --include-dir=REGEX
              Only scan file/directory matching regular expression. These
              options can be used multiple times.

       -i, --infected
              Only print infected files.

       --remove[=yes/no(*)]
              Remove infected files. Be careful.

       --move=DIRECTORY
              Move infected files into DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --copy=DIRECTORY
              Copy infected files into DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --bytecode[=yes(*)/no]
              With this option enabled ClamAV will load bytecode from the
              database. It is highly recommended you keep this option turned
              on, otherwise you may miss detections for many new viruses.

       --bytecode-unsigned[=yes/no(*)]
              Allow loading bytecode from outside digitally signed .c[lv]d
              files.

       --bytecode-timeout=N
              Set bytecode timeout in milliseconds (default: 60000 = 60s).

       --detect-pua[=yes/no(*)]
              Detect Possibly Unwanted Applications.

       --exclude-pua=CATEGORY
              Exclude a specific PUA category. This option can be used
              multiple times. See http://www.clamav.net/support/pua for the
              complete list of PUA.

       --include-pua=CATEGORY
              Only include a specific PUA category. This option can be used
              multiple times. See http://www.clamav.net/support/pua for the
              complete list of PUA.

       --detect-structured[=yes/no(*)]
              Use the DLP (Data Loss Prevention) module to detect SSN and
              Credit Card numbers inside documents/text files.

       --structured-ssn-format=X
              X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal);
              X=1: search for valid SSNs formatted as xxxyyzzzz (stripped);
              X=2: search for both formats. Default is 0.

       --structured-ssn-count=#n
              This option sets the lowest number of Social Security Numbers
              found in a file to generate a detect (default: 3).

       --structured-cc-count=#n
              This option sets the lowest number of Credit Card numbers found
              in a file to generate a detect (default: 3).

       --scan-mail[=yes(*)/no]
              Scan mail files. If you turn off this option, the original files
              will still be scanned, but without parsing individual
              messages/attachments.

       --phishing-sigs[=yes(*)/no]
              Use the signature-based phishing detection.

       --phishing-scan-urls[=yes(*)/no]
              Use the url-based heuristic phishing detection
              (Phishing.Heuristics.Email.*).

       --heuristic-scan-precedence[=yes/no(*)]
              Allow heuristic match to take precedence. When enabled, if a
              heuristic scan (such as phishingScan) detects a possible
              virus/phish it will stop the scan immediately. Recommended,
              saves CPU scan-time. When disabled, virus/phish detected by
              heuristic scans will be reported only at the end of a scan. If
              an archive contains both a heuristically detected virus/phish
              and a real malware, the real malware will be reported. Keep
              this disabled if you intend to handle "*.Heuristics.*" viruses
              differently from "real" malware. If a non-heuristically-detected
              virus (signature-based) is found first, the scan is interrupted
              immediately, regardless of this config option.

       --phishing-ssl[=yes/no(*)]
              Block SSL mismatches in URLs (might lead to false positives!).

       --phishing-cloak[=yes/no(*)]
              Block cloaked URLs (might lead to some false positives).

       --algorithmic-detection[=yes(*)/no]
              In some cases (e.g. complex malware, exploits in graphic files,
              and others), ClamAV uses special algorithms to provide accurate
              detection. This option can be used to control the algorithmic
              detection.

       --scan-pe[=yes(*)/no]
              PE stands for Portable Executable - it's an executable file
              format used in all 32-bit versions of Windows operating systems.
              By default ClamAV performs deeper analysis of executable files
              and attempts to decompress popular executable packers such as
              UPX, Petite, and FSG. If you turn off this option, the original
              files will still be scanned but without additional processing.

       --scan-elf[=yes(*)/no]
              Executable and Linking Format is a standard format for UN*X
              executables. This option controls the ELF support. If you turn
              it off, the original files will still be scanned but without
              additional processing.

       --scan-ole2[=yes(*)/no]
              Scan Microsoft Office documents and .msi files. If you turn off
              this option, the original files will still be scanned but
              without additional processing.

       --scan-pdf[=yes(*)/no]
              Scan within PDF files. If you turn off this option, the original
              files will still be scanned, but without decoding and additional
              processing.

       --scan-html[=yes(*)/no]
              Detect, normalize/decrypt and scan HTML files and embedded
              scripts. If you turn off this option, the original files will
              still be scanned, but without additional processing.

       --scan-archive[=yes(*)/no]
              Scan archives supported by libclamav. If you turn off this
              option, the original files will still be scanned, but without
              unpacking and additional processing.

       --detect-broken[=yes/no(*)]
              Mark broken executables as viruses (Broken.Executable).

       --block-encrypted[=yes/no(*)]
              Mark encrypted archives as viruses (Encrypted.Zip,
              Encrypted.RAR).

       --max-files=#n
              Extract at most #n files from each scanned file (when this is an
              archive, a document or another kind of container). This option
              protects your system against DoS attacks (default: 10000)

       --max-filesize=#n
              Extract and scan at most #n kilobytes from each archive. You may
              pass the value in megabytes in format xM or xm, where x is a
              number. This option protects your system against DoS attacks
              (default: 25 MB, max: <4 GB)

       --max-scansize=#n
              Extract and scan at most #n kilobytes from each scanned file.
              You may pass the value in megabytes in format xM or xm, where x
              is a number. This option protects your system against DoS
              attacks (default: 100 MB, max: <4 GB)

       --max-recursion=#n
              Set archive recursion level limit. This option protects your
              system against DoS attacks (default: 16).

       --max-dir-recursion=#n
              Maximum depth directories are scanned at (default: 15).

EXAMPLES
       (0) Scan a single file:

              clamscan file

       (1) Scan the current working directory:

              clamscan

       (2) Scan all files (and subdirectories) in /home:

              clamscan -r /home

       (3) Load database from a file:

              clamscan -d /tmp/newclamdb -r /tmp

       (4) Scan a data stream:

              cat testfile | clamscan -

       (5) Scan a mail spool directory:

              clamscan -r /var/spool/mail

RETURN CODES
       0 : No virus found.

       1 : Virus(es) found.

       2 : Some error(s) occurred.

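       The return codes above, handled in a wrapper that scans one untrusted
       file and keeps "error" separate from "clean" (an added example, not
       part of the ClamAV distribution). The CLAMSCAN variable, the function
       names and the verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example. CLAMSCAN is an overridable hook (assumption) so the wrapper
# can be exercised with a stub where clamscan is not installed.
CLAMSCAN="${CLAMSCAN:-clamscan}"

# A bare "-" means "read stdin" and a leading "-" looks like an option,
# so relative names are anchored with "./" before being passed on.
safe_target() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s\n' "./$1" ;;
    esac
}

# scan_upload PATH
# Prints "CLEAN", "INFECTED <sig>", "HEURISTIC <sig>" or "ERROR <code>".
# Returns 0 only for exit code 0, 1 on a detection, 2 for everything else.
scan_upload() {
    target=$(safe_target "$1")
    # Limits are spelled out (values equal the documented defaults) so the
    # DoS protections stay visible and under the caller's control.
    out=$("$CLAMSCAN" --stdout --no-summary --infected \
            --max-files=10000 --max-recursion=16 \
            --max-filesize=25M --max-scansize=100M \
            "$target" 2>/dev/null) && rc=0 || rc=$?
    case $rc in
        0)  echo "CLEAN"; return 0 ;;
        1)  # Detections are reported as "<path>: <signature> FOUND".
            sig=$(printf '%s\n' "$out" |
                  sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1)
            case ${sig:-unknown} in
                # "*.Heuristics.*" names can be routed differently from
                # signature matches, as --heuristic-scan-precedence notes.
                *Heuristics.*) echo "HEURISTIC $sig" ;;
                *)             echo "INFECTED ${sig:-unknown}" ;;
            esac
            return 1 ;;
        *)  # 2 (scanner error) or any other status, e.g. killed by a signal:
            # no verdict was reached, so the file is not reported as clean.
            echo "ERROR $rc"; return 2 ;;
    esac
}
```

       Source the file and call scan_upload with a path; a caller that only
       tests for a non-zero status still rejects files whose scan failed.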
CREDITS
       Please check the full documentation for credits.

AUTHOR
       Tomasz Kojm <tkojm@clamav.net>

SEE ALSO
       clamdscan(1), freshclam(1), freshclam.conf(5)

ClamAV 0.97.3                  December 30, 2008                   clamscan(1)