clamscan(1)                     Clam AntiVirus                     clamscan(1)

NAME

       clamscan - scan files and directories for viruses

SYNOPSIS

       clamscan [options] [file/directory/-]

DESCRIPTION

       clamscan is a command line anti-virus scanner.

OPTIONS

       Most of the options are simple switches which enable or disable some
       features. Options marked with [=yes/no(*)] can be optionally followed
       by =yes/=no; if they get called without the boolean argument the
       scanner will assume 'yes'. The asterisk marks the default internal
       setting for a given option.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version number and exit.

       -v, --verbose
              Be verbose.

       -a, --archive-verbose
              Show filenames inside scanned archives.

       --debug
              Display debug messages from libclamav.

       --quiet
              Be quiet (only print error messages).

       --stdout
              Write all messages (except for libclamav output) to the standard
              output (stdout).

       --no-summary
              Do not display summary at the end of scanning.

       -i, --infected
              Only print infected files.

       -o, --suppress-ok-results
              Skip printing OK files.

       --bell Sound bell on virus detection.

       --tempdir=DIRECTORY
              Create temporary files in DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --leave-temps
              Do not remove temporary files.

       --gen-json
              Generate JSON description of scanned file(s). JSON will be
              printed and also dropped to the temp directory if --leave-temps
              is enabled.

       -d FILE/DIR, --database=FILE/DIR
              Load virus database from FILE or load all virus database files
              from DIR.

       --official-db-only=[yes/no(*)]
              Only load the official signatures published by the ClamAV
              project.

       -l FILE, --log=FILE
              Save scan report to FILE.

       -r, --recursive
              Scan directories recursively. All the subdirectories in the
              given directory will be scanned.

       -z, --allmatch
              After a match, continue scanning within the file for additional
              matches.

       --cross-fs=[yes(*)/no]
              Scan files and directories on other filesystems.

       --follow-dir-symlinks=[0/1(*)/2]
              Follow directory symlinks. There are 3 options: 0 - never follow
              directory symlinks, 1 (default) - only follow directory
              symlinks, which are passed as direct arguments to clamscan. 2 -
              always follow directory symlinks.

       --follow-file-symlinks=[0/1(*)/2]
              Follow file symlinks. There are 3 options: 0 - never follow file
              symlinks, 1 (default) - only follow file symlinks, which are
              passed as direct arguments to clamscan. 2 - always follow file
              symlinks.

       -f FILE, --file-list=FILE
              Scan files listed line by line in FILE.

       --remove[=yes/no(*)]
              Remove infected files. Be careful!

       --move=DIRECTORY
              Move infected files into DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --copy=DIRECTORY
              Copy infected files into DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --exclude=REGEX, --exclude-dir=REGEX
              Don't scan file/directory names matching regular expression.
              These options can be used multiple times.

       --include=REGEX, --include-dir=REGEX
              Only scan file/directory matching regular expression. These
              options can be used multiple times.

       --bytecode[=yes(*)/no]
              With this option enabled ClamAV will load bytecode from the
              database. It is highly recommended you keep this option turned
              on, otherwise you may miss detections for many new viruses.

       --bytecode-unsigned[=yes/no(*)]
              Allow loading bytecode from outside digitally signed .c[lv]d
              files.

       --bytecode-timeout=N
              Set bytecode timeout in milliseconds (default: 5000 = 5s)

       --statistics[=none(*)/bytecode/pcre]
              Collect and print execution statistics.

       --detect-pua[=yes/no(*)]
              Detect Possibly Unwanted Applications.

       --exclude-pua=CATEGORY
              Exclude a specific PUA category. This option can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA

       --include-pua=CATEGORY
              Only include a specific PUA category. This option can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA

       --detect-structured[=yes/no(*)]
              Use the DLP (Data Loss Prevention) module to detect SSN and
              Credit Card numbers inside documents/text files.

       --structured-ssn-format=X
              X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal);
              X=1: search for valid SSNs formatted as xxxyyzzzz (stripped);
              X=2: search for both formats. Default is 0.

       --structured-ssn-count=#n
              This option sets the lowest number of Social Security Numbers
              found in a file to generate a detect (default: 3).

       --structured-cc-count=#n
              This option sets the lowest number of Credit Card numbers found
              in a file to generate a detect (default: 3).

       --scan-mail[=yes(*)/no]
              Scan mail files. If you turn off this option, the original files
              will still be scanned, but without parsing individual
              messages/attachments.

       --phishing-sigs[=yes(*)/no]
              Enable email signature-based phishing detection.

       --phishing-scan-urls[=yes(*)/no]
              Enable URL signature-based phishing detection
              (Phishing.Heuristics.Email.*)

       --heuristic-alerts[=yes(*)/no]
              In some cases (e.g. complex malware, exploits in graphic files,
              and others), ClamAV uses special algorithms to provide accurate
              detection. This option can be used to control the algorithmic
              detection.

       --heuristic-scan-precedence[=yes/no(*)]
              Allow heuristic match to take precedence. When enabled, if a
              heuristic scan (such as phishingScan) detects a possible
              virus/phish it will stop scan immediately. Recommended, saves
              CPU scan-time. When disabled, virus/phish detected by heuristic
              scans will be reported only at the end of a scan. If an archive
              contains both a heuristically detected virus/phish, and a real
              malware, the real malware will be reported. Keep this disabled
              if you intend to handle "*.Heuristics.*" viruses differently
              from "real" malware. If a non-heuristically-detected virus
              (signature-based) is found first, the scan is interrupted
              immediately, regardless of this config option.

       --normalize[=yes(*)/no]
              Normalize (compress whitespace, downcase, etc.) html, script,
              and text files. Use normalize=no for yara compatibility.

       --scan-pe[=yes(*)/no]
              PE stands for Portable Executable - it's an executable file
              format used in all 32-bit versions of Windows operating systems.
              By default ClamAV performs deeper analysis of executable files
              and attempts to decompress popular executable packers such as
              UPX, Petite, and FSG. If you turn off this option, the original
              files will still be scanned but without additional processing.

       --scan-elf[=yes(*)/no]
              Executable and Linking Format is a standard format for UN*X
              executables. This option controls the ELF support. If you turn
              it off, the original files will still be scanned but without
              additional processing.

       --scan-ole2[=yes(*)/no]
              Scan Microsoft Office documents and .msi files. If you turn off
              this option, the original files will still be scanned but
              without additional processing.

       --scan-pdf[=yes(*)/no]
              Scan within PDF files. If you turn off this option, the original
              files will still be scanned, but without decoding and additional
              processing.

       --scan-swf[=yes(*)/no]
              Scan SWF files. If you turn off this option, the original files
              will still be scanned but without additional processing.

       --scan-html[=yes(*)/no]
              Detect, normalize/decrypt and scan HTML files and embedded
              scripts. If you turn off this option, the original files will
              still be scanned, but without additional processing.

       --scan-xmldocs[=yes(*)/no]
              Scan xml-based document files supported by libclamav. If you
              turn off this option, the original files will still be scanned,
              but without additional processing.

       --scan-hwp3[=yes(*)/no]
              Scan HWP3 files. If you turn off this option, the original files
              will still be scanned, but without additional processing.

       --scan-archive[=yes(*)/no]
              Scan archives supported by libclamav. If you turn off this
              option, the original files will still be scanned, but without
              unpacking and additional processing.

       --alert-broken[=yes/no(*)]
              Alert on broken executable files (PE & ELF).

       --alert-encrypted[=yes/no(*)]
              Alert on encrypted archives and documents (encrypted .zip,
              .7zip, .rar, .pdf).

       --alert-encrypted-archive[=yes/no(*)]
              Alert on encrypted archives (encrypted .zip, .7zip, .rar, .pdf).

       --alert-encrypted-doc[=yes/no(*)]
              Alert on encrypted documents (encrypted .zip, .7zip, .rar,
              .pdf).

       --alert-macros[=yes/no(*)]
              Alert on OLE2 files containing VBA macros
              (Heuristics.OLE2.ContainsMacros).

       --alert-exceeds-max[=yes/no(*)]
              Alert on files that exceed max file size, max scan size, or max
              recursion limit (Heuristics.Limits.Exceeded).

       --alert-phishing-ssl[=yes/no(*)]
              Alert on emails containing SSL mismatches in URLs (might lead to
              false positives!).

       --alert-phishing-cloak[=yes/no(*)]
              Alert on emails containing cloaked URLs (might lead to some
              false positives).

       --alert-partition-intersection[=yes/no(*)]
              Detect partition intersections in raw disk images using
              heuristics.

       --max-filesize=#n
              Extract and scan at most #n bytes from each archive. You may
              pass the value in kilobytes in format xK or xk, or megabytes in
              format xM or xm, where x is a number. This option protects your
              system against DoS attacks (default: 25 MB, max: <4 GB)

       --max-scansize=#n
              Extract and scan at most #n bytes from each archive. The size
              of the archive plus the sum of the sizes of all files within
              the archive count toward the scan size. For example, a 1M
              uncompressed archive containing a single 1M inner file counts as
              2M toward max-scansize. You may pass the value in kilobytes in
              format xK or xk, or megabytes in format xM or xm, where x is a
              number. This option protects your system against DoS attacks
              (default: 100 MB, max: <4 GB)

       --max-files=#n
              Extract at most #n files from each scanned file (when this is an
              archive, a document or another kind of container). This option
              protects your system against DoS attacks (default: 10000)

       --max-recursion=#n
              Set archive recursion level limit. This option protects your
              system against DoS attacks (default: 16).

       --max-dir-recursion=#n
              Maximum depth directories are scanned at (default: 15).

       --max-embeddedpe=#n
              Maximum size file to check for embedded PE. You may pass the
              value in kilobytes in format xK or xk, or megabytes in format xM
              or xm, where x is a number (default: 10 MB, max: <4 GB).

       --max-htmlnormalize=#n
              Maximum size of HTML file to normalize. You may pass the value
              in kilobytes in format xK or xk, or megabytes in format xM or
              xm, where x is a number (default: 10 MB, max: <4 GB).

       --max-htmlnotags=#n
              Maximum size of normalized HTML file to scan. You may pass the
              value in kilobytes in format xK or xk, or megabytes in format xM
              or xm, where x is a number (default: 2 MB, max: <4 GB).

       --max-scriptnormalize=#n
              Maximum size of script file to normalize. You may pass the value
              in kilobytes in format xK or xk, or megabytes in format xM or
              xm, where x is a number (default: 5 MB, max: <4 GB).

       --max-ziptypercg=#n
              Maximum size zip to type reanalyze. You may pass the value in
              kilobytes in format xK or xk, or megabytes in format xM or xm,
              where x is a number (default: 1 MB, max: <4 GB).

       --max-partitions=#n
              This option sets the maximum number of partitions of a raw disk
              image to be scanned. This must be a positive integer (default:
              50).

       --max-iconspe=#n
              This option sets the maximum number of icons within a PE to be
              scanned. This must be a positive integer (default: 100).

       --max-rechwp3=#n
              This option sets the maximum recursive calls to HWP3 parsing
              function (default: 16).

       --pcre-match-limit=#n
              Maximum calls to the PCRE match function (default: 100000).

       --pcre-recmatch-limit=#n
              Maximum recursive calls to the PCRE match function (default:
              2000).

       --pcre-max-filesize=#n
              Maximum size file to perform PCRE subsig matching (default: 25
              MB, max: <4 GB).

       --disable-cache
              Disable caching and cache checks for hash sums of scanned files.

EXAMPLES

       (0) Scan a single file:

              clamscan file

       (1) Scan the current working directory:

              clamscan

       (2) Scan all files (and subdirectories) in /home:

              clamscan -r /home

       (3) Load database from a file:

              clamscan -d /tmp/newclamdb -r /tmp

       (4) Scan a data stream:

              cat testfile | clamscan -

       (5) Scan a mail spool directory:

              clamscan -r /var/spool/mail

RETURN CODES

       0 : No virus found.

       1 : Virus(es) found.

       2 : Some error(s) occurred.
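
       Added example (not part of the original manual page): a POSIX sh
       wrapper that keeps the three return codes above distinct, so that an
       error (2) is never read as a clean result and code 1 does not abort a
       script running under set -e. The quarantine path, the scan_verdict
       function name and the verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example. QUARANTINE is an assumed path, not a ClamAV default.
QUARANTINE="${QUARANTINE:-/var/quarantine}"

# scan_verdict TARGET LOGFILE
# Prints CLEAN, INFECTED or ERROR on stdout and returns 0, 1 or 2.
scan_verdict() {
    target=$1
    log=$2

    # --move needs an existing, writable directory; fail closed if it is not.
    if [ ! -d "$QUARANTINE" ] || [ ! -w "$QUARANTINE" ]; then
        echo "ERROR"
        return 2
    fi

    # Capture the status with '|| rc=$?' so that 'set -e' in a calling
    # script does not abort on return code 1 (virus found).
    # --alert-exceeds-max=yes makes files over the scan limits alert as
    # Heuristics.Limits.Exceeded, so they are handled like detections.
    # clamscan's own output goes to stderr; the verdict is the only stdout.
    rc=0
    clamscan --recursive --infected --no-summary \
        --alert-exceeds-max=yes \
        --move="$QUARANTINE" --log="$log" "$target" >&2 || rc=$?

    case "$rc" in
        0) echo "CLEAN" ;;
        1) echo "INFECTED" ;;       # infected files are now in $QUARANTINE
        *) echo "ERROR"; rc=2 ;;    # 2 or anything else: result unknown
    esac
    return "$rc"
}

# Usage: sh scan.sh /srv/uploads /var/log/clamscan-uploads.log
if [ "$#" -ge 2 ]; then
    scan_verdict "$1" "$2"
    exit $?
fi
```

       A caller should treat ERROR like a failed check and hold the data
       back, since the scan did not complete and the files were not cleared.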

CREDITS

       Please check the full documentation for credits.

AUTHOR

       Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>

SEE ALSO

       clamdscan(1), freshclam(1), freshclam.conf(5)

ClamAV 0.101.2                 December 4, 2013                    clamscan(1)