clamscan(1)                      Clam AntiVirus                      clamscan(1)

NAME
       clamscan - scan files and directories for viruses

SYNOPSIS
       clamscan [options] [file/directory/-]

DESCRIPTION
       clamscan is a command line anti-virus scanner.

OPTIONS
       Most of the options are simple switches which enable or disable some
       features. Options marked with [=yes/no(*)] can be optionally followed
       by =yes/=no; if they get called without the boolean argument the
       scanner will assume 'yes'. The asterisk marks the default internal
       setting for a given option.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version number and exit.

       -v, --verbose
              Be verbose.

       -a, --archive-verbose
              Show filenames inside scanned archives.

       --debug
              Display debug messages from libclamav.

       --quiet
              Be quiet (only print error messages).

       --stdout
              Write all messages (except for libclamav output) to the standard
              output (stdout).

       --no-summary
              Do not display summary at the end of scanning.

       -i, --infected
              Only print infected files.

       -o, --suppress-ok-results
              Skip printing OK files.

       --bell Sound bell on virus detection.

       --tempdir=DIRECTORY
              Create temporary files in DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --leave-temps
              Do not remove temporary files.

       --gen-json
              Generate JSON description of scanned file(s). JSON will be
              printed and also dropped to the temp directory if --leave-temps
              is enabled.

       -d FILE/DIR, --database=FILE/DIR
              Load virus database from FILE or load all virus database files
              from DIR.

       --official-db-only=[yes/no(*)]
              Only load the official signatures published by the ClamAV
              project.

       -l FILE, --log=FILE
              Save scan report to FILE.

       -r, --recursive
              Scan directories recursively. All the subdirectories in the
              given directory will be scanned.

       -z, --allmatch
              After a match, continue scanning within the file for additional
              matches.

       --cross-fs=[yes(*)/no]
              Scan files and directories on other filesystems.

       --follow-dir-symlinks=[0/1(*)/2]
              Follow directory symlinks. There are 3 options: 0 - never follow
              directory symlinks, 1 (default) - only follow directory symlinks
              which are passed as direct arguments to clamscan, 2 - always
              follow directory symlinks.

       --follow-file-symlinks=[0/1(*)/2]
              Follow file symlinks. There are 3 options: 0 - never follow file
              symlinks, 1 (default) - only follow file symlinks which are
              passed as direct arguments to clamscan, 2 - always follow file
              symlinks.

       -f FILE, --file-list=FILE
              Scan files listed line by line in FILE.

       --remove[=yes/no(*)]
              Remove infected files. Be careful!

       --move=DIRECTORY
              Move infected files into DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --copy=DIRECTORY
              Copy infected files into DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --exclude=REGEX, --exclude-dir=REGEX
              Don't scan file/directory names matching regular expression.
              These options can be used multiple times.

       --include=REGEX, --include-dir=REGEX
              Only scan file/directory matching regular expression. These
              options can be used multiple times.

       --bytecode[=yes(*)/no]
              With this option enabled ClamAV will load bytecode from the
              database. It is highly recommended you keep this option turned
              on, otherwise you may miss detections for many new viruses.

       --bytecode-unsigned[=yes/no(*)]
              Allow loading bytecode from outside digitally signed .c[lv]d
              files.

       --bytecode-timeout=N
              Set bytecode timeout in milliseconds (default: 5000 = 5s)

       --statistics[=none(*)/bytecode/pcre]
              Collect and print execution statistics.

       --detect-pua[=yes/no(*)]
              Detect Possibly Unwanted Applications.

       --exclude-pua=CATEGORY
              Exclude a specific PUA category. This option can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA

       --include-pua=CATEGORY
              Only include a specific PUA category. This option can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA

       --detect-structured[=yes/no(*)]
              Use the DLP (Data Loss Prevention) module to detect SSN and
              Credit Card numbers inside documents/text files.

       --structured-ssn-format=X
              X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal);
              X=1: search for valid SSNs formatted as xxxyyzzzz (stripped);
              X=2: search for both formats. Default is 0.

       --structured-ssn-count=#n
              This option sets the lowest number of Social Security Numbers
              found in a file to generate a detect (default: 3).

       --structured-cc-count=#n
              This option sets the lowest number of Credit Card numbers found
              in a file to generate a detect (default: 3).

       --scan-mail[=yes(*)/no]
              Scan mail files. If you turn off this option, the original files
              will still be scanned, but without parsing individual
              messages/attachments.

       --phishing-sigs[=yes(*)/no]
              Enable email signature-based phishing detection.

       --phishing-scan-urls[=yes(*)/no]
              Enable URL signature-based phishing detection
              (Phishing.Heuristics.Email.*)

       --heuristic-alerts[=yes(*)/no]
              In some cases (e.g. complex malware, exploits in graphic files,
              and others), ClamAV uses special algorithms to provide accurate
              detection. This option can be used to control the algorithmic
              detection.

       --heuristic-scan-precedence[=yes/no(*)]
              Allow heuristic match to take precedence. When enabled, if a
              heuristic scan (such as phishingScan) detects a possible
              virus/phish it will stop the scan immediately. Recommended,
              saves CPU scan-time. When disabled, virus/phish detected by
              heuristic scans will be reported only at the end of a scan. If
              an archive contains both a heuristically detected virus/phish,
              and a real malware, the real malware will be reported. Keep this
              disabled if you intend to handle "*.Heuristics.*" viruses
              differently from "real" malware. If a non-heuristically-detected
              virus (signature-based) is found first, the scan is interrupted
              immediately, regardless of this config option.

       --normalize[=yes(*)/no]
              Normalize (compress whitespace, downcase, etc.) html, script,
              and text files. Use normalize=no for yara compatibility.

       --scan-pe[=yes(*)/no]
              PE stands for Portable Executable - it's an executable file
              format used in all 32-bit versions of Windows operating systems.
              By default ClamAV performs deeper analysis of executable files
              and attempts to decompress popular executable packers such as
              UPX, Petite, and FSG. If you turn off this option, the original
              files will still be scanned but without additional processing.

       --scan-elf[=yes(*)/no]
              Executable and Linking Format is a standard format for UN*X
              executables. This option controls the ELF support. If you turn
              it off, the original files will still be scanned but without
              additional processing.

       --scan-ole2[=yes(*)/no]
              Scan Microsoft Office documents and .msi files. If you turn off
              this option, the original files will still be scanned but
              without additional processing.

       --scan-pdf[=yes(*)/no]
              Scan within PDF files. If you turn off this option, the original
              files will still be scanned, but without decoding and additional
              processing.

       --scan-swf[=yes(*)/no]
              Scan SWF files. If you turn off this option, the original files
              will still be scanned but without additional processing.

       --scan-html[=yes(*)/no]
              Detect, normalize/decrypt and scan HTML files and embedded
              scripts. If you turn off this option, the original files will
              still be scanned, but without additional processing.

       --scan-xmldocs[=yes(*)/no]
              Scan xml-based document files supported by libclamav. If you
              turn off this option, the original files will still be scanned,
              but without additional processing.

       --scan-hwp3[=yes(*)/no]
              Scan HWP3 files. If you turn off this option, the original files
              will still be scanned, but without additional processing.

       --scan-archive[=yes(*)/no]
              Scan archives supported by libclamav. If you turn off this
              option, the original files will still be scanned, but without
              unpacking and additional processing.

       --alert-broken[=yes/no(*)]
              Alert on broken executable files (PE & ELF).

       --alert-encrypted[=yes/no(*)]
              Alert on encrypted archives and documents (encrypted .zip,
              .7zip, .rar, .pdf).

       --alert-encrypted-archive[=yes/no(*)]
              Alert on encrypted archives (encrypted .zip, .7zip, .rar, .pdf).

       --alert-encrypted-doc[=yes/no(*)]
              Alert on encrypted documents (encrypted .zip, .7zip, .rar,
              .pdf).

       --alert-macros[=yes/no(*)]
              Alert on OLE2 files containing VBA macros
              (Heuristics.OLE2.ContainsMacros).

       --alert-exceeds-max[=yes/no(*)]
              Alert on files that exceed max file size, max scan size, or max
              recursion limit (Heuristics.Limits.Exceeded).

       --alert-phishing-ssl[=yes/no(*)]
              Alert on emails containing SSL mismatches in URLs (might lead to
              false positives!).

       --alert-phishing-cloak[=yes/no(*)]
              Alert on emails containing cloaked URLs (might lead to some
              false positives).

       --alert-partition-intersection[=yes/no(*)]
              Detect partition intersections in raw disk images using
              heuristics.

       --max-filesize=#n
              Extract and scan at most #n bytes from each archive. You may
              pass the value in kilobytes in format xK or xk, or megabytes in
              format xM or xm, where x is a number. This option protects your
              system against DoS attacks (default: 25 MB, max: <4 GB).

       --max-scansize=#n
              Extract and scan at most #n bytes from each archive. The size of
              the archive plus the sum of the sizes of all files within the
              archive count toward the scan size. For example, a 1M
              uncompressed archive containing a single 1M inner file counts as
              2M toward max-scansize. You may pass the value in kilobytes in
              format xK or xk, or megabytes in format xM or xm, where x is a
              number. This option protects your system against DoS attacks
              (default: 100 MB, max: <4 GB).

       --max-files=#n
              Extract at most #n files from each scanned file (when this is an
              archive, a document or another kind of container). This option
              protects your system against DoS attacks (default: 10000).

       --max-recursion=#n
              Set archive recursion level limit. This option protects your
              system against DoS attacks (default: 16).

       --max-dir-recursion=#n
              Maximum depth directories are scanned at (default: 15).

       --max-embeddedpe=#n
              Maximum size file to check for embedded PE. You may pass the
              value in kilobytes in format xK or xk, or megabytes in format xM
              or xm, where x is a number (default: 10 MB, max: <4 GB).

       --max-htmlnormalize=#n
              Maximum size of HTML file to normalize. You may pass the value
              in kilobytes in format xK or xk, or megabytes in format xM or
              xm, where x is a number (default: 10 MB, max: <4 GB).

       --max-htmlnotags=#n
              Maximum size of normalized HTML file to scan. You may pass the
              value in kilobytes in format xK or xk, or megabytes in format xM
              or xm, where x is a number (default: 2 MB, max: <4 GB).

       --max-scriptnormalize=#n
              Maximum size of script file to normalize. You may pass the value
              in kilobytes in format xK or xk, or megabytes in format xM or
              xm, where x is a number (default: 5 MB, max: <4 GB).

       --max-ziptypercg=#n
              Maximum size zip to type reanalyze. You may pass the value in
              kilobytes in format xK or xk, or megabytes in format xM or xm,
              where x is a number (default: 1 MB, max: <4 GB).

       --max-partitions=#n
              This option sets the maximum number of partitions of a raw disk
              image to be scanned. This must be a positive integer (default:
              50).

       --max-iconspe=#n
              This option sets the maximum number of icons within a PE to be
              scanned. This must be a positive integer (default: 100).

       --max-rechwp3=#n
              This option sets the maximum recursive calls to HWP3 parsing
              function (default: 16).

       --pcre-match-limit=#n
              Maximum calls to the PCRE match function (default: 100000).

       --pcre-recmatch-limit=#n
              Maximum recursive calls to the PCRE match function (default:
              2000).

       --pcre-max-filesize=#n
              Maximum size file to perform PCRE subsig matching (default: 25
              MB, max: <4 GB).

       --disable-cache
              Disable caching and cache checks for hash sums of scanned files.

EXAMPLES
       (0) Scan a single file:

              clamscan file

       (1) Scan the current working directory:

              clamscan

       (2) Scan all files (and subdirectories) in /home:

              clamscan -r /home

       (3) Load database from a file:

              clamscan -d /tmp/newclamdb -r /tmp

       (4) Scan a data stream:

              cat testfile | clamscan -

       (5) Scan a mail spool directory:

              clamscan -r /var/spool/mail

RETURN CODES
       0 : No virus found.

       1 : Virus(es) found.

       2 : Some error(s) occurred.

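       A fail-closed scan gate built from the options and return codes
       documented above, as an added example that is not part of the clamscan
       distribution. The scan_gate function, the CLAMSCAN and QUARANTINE
       variables and the /var/quarantine path are assumptions of this example.

```sh
#!/bin/sh
# Added example: fail-closed scan gate around clamscan.
# Assumptions of this example: the CLAMSCAN and QUARANTINE variables, the
# scan_gate name and the /var/quarantine path are not defined by clamscan.
CLAMSCAN="${CLAMSCAN:-clamscan}"
QUARANTINE="${QUARANTINE:-/var/quarantine}"

# scan_gate PATH
# Prints CLEAN, INFECTED or ERROR and returns 0, 1 or 2 to match.
scan_gate() {
    target=$1
    # A name starting with "-" would be parsed as an option (or as stdin for
    # a bare "-"), so anchor it to the current directory.
    case $target in
        -*) target=./$target ;;
    esac

    status=0
    # --alert-exceeds-max=yes  report data past a limit instead of skipping
    #                          it silently (the option defaults to "no")
    # --alert-encrypted=yes    flag archives/documents that cannot be inspected
    # --max-*                  the documented defaults, pinned explicitly
    # --move                   quarantine detections rather than --remove them
    "$CLAMSCAN" --recursive --infected --no-summary \
        --alert-exceeds-max=yes --alert-encrypted=yes \
        --max-filesize=25M --max-scansize=100M \
        --max-files=10000 --max-recursion=16 \
        --move="$QUARANTINE" "$target" >/dev/null 2>&1 || status=$?

    case $status in
        0) echo CLEAN;    return 0 ;;
        1) echo INFECTED; return 1 ;;
        # 2 (scanner error) and anything unexpected, such as 127 for a
        # missing binary, must never be read as "clean".
        *) echo ERROR;    return 2 ;;
    esac
}
```

       Because --move relocates matched files, the QUARANTINE directory must
       exist and be writable by the user running the scan, as the --move entry
       requires.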
CREDITS
       Please check the full documentation for credits.

AUTHOR
       Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>

SEE ALSO
       clamdscan(1), freshclam(1), freshclam.conf(5)

ClamAV 0.102.2                  December 4, 2013                    clamscan(1)