clamscan(1)                     Clam AntiVirus                     clamscan(1)

NAME

       clamscan - scan files and directories for viruses

SYNOPSIS

       clamscan [options] [file/directory/-]

DESCRIPTION

       clamscan is a command line anti-virus scanner.

OPTIONS

       Most of the options are simple switches which enable or disable some
       features. Options marked with [=yes/no(*)] can be optionally followed
       by =yes/=no; if they get called without the boolean argument the
       scanner will assume 'yes'. The asterisk marks the default internal
       setting for a given option.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version number and exit.

       -v, --verbose
              Be verbose.

       -a, --archive-verbose
              Show filenames inside scanned archives.

       --debug
              Display debug messages from libclamav.

       --quiet
              Be quiet (only print error messages).

       --stdout
              Write all messages (except for libclamav output) to the standard
              output (stdout).

       --no-summary
              Do not display summary at the end of scanning.

       -i, --infected
              Only print infected files.

       -o, --suppress-ok-results
              Skip printing OK files.

       --bell Sound bell on virus detection.

       --tempdir=DIRECTORY
              Create temporary files in DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --leave-temps
              Do not remove temporary files.

       --gen-json
              Generate JSON description of scanned file(s). JSON will be
              printed and also dropped to the temp directory if --leave-temps
              is enabled.

       -d FILE/DIR, --database=FILE/DIR
              Load virus database from FILE or load all virus database files
              from DIR.

       --official-db-only=[yes/no(*)]
              Only load the official signatures published by the ClamAV
              project.

       -l FILE, --log=FILE
              Save scan report to FILE.

       -r, --recursive
              Scan directories recursively. All the subdirectories in the
              given directory will be scanned.

       -z, --allmatch
              After a match, continue scanning within the file for additional
              matches.

       --cross-fs=[yes(*)/no]
              Scan files and directories on other filesystems.

       --follow-dir-symlinks=[0/1(*)/2]
              Follow directory symlinks. There are 3 options: 0 - never follow
              directory symlinks, 1 (default) - only follow directory
              symlinks, which are passed as direct arguments to clamscan. 2 -
              always follow directory symlinks.

       --follow-file-symlinks=[0/1(*)/2]
              Follow file symlinks. There are 3 options: 0 - never follow file
              symlinks, 1 (default) - only follow file symlinks, which are
              passed as direct arguments to clamscan. 2 - always follow file
              symlinks.

       -f FILE, --file-list=FILE
              Scan files listed line by line in FILE.

       --remove[=yes/no(*)]
              Remove infected files. Be careful!

       --move=DIRECTORY
              Move infected files into DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --copy=DIRECTORY
              Copy infected files into DIRECTORY. Directory must be writable
              for the '' user or unprivileged user running clamscan.

       --exclude=REGEX, --exclude-dir=REGEX
              Don't scan file/directory names matching regular expression.
              These options can be used multiple times.

       --include=REGEX, --include-dir=REGEX
              Only scan file/directory matching regular expression. These
              options can be used multiple times.

       --bytecode[=yes(*)/no]
              With this option enabled ClamAV will load bytecode from the
              database. It is highly recommended you keep this option turned
              on, otherwise you may miss detections for many new viruses.

       --bytecode-unsigned[=yes/no(*)]
              Allow loading bytecode from outside digitally signed .c[lv]d
              files. **Caution**: You should NEVER run bytecode signatures
              from untrusted sources. Doing so may result in arbitrary code
              execution.

       --bytecode-timeout=N
              Set bytecode timeout in milliseconds (default: 5000 = 5s).

       --statistics[=none(*)/bytecode/pcre]
              Collect and print execution statistics.

       --detect-pua[=yes/no(*)]
              Detect Possibly Unwanted Applications.

       --exclude-pua=CATEGORY
              Exclude a specific PUA category. This option can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA.

       --include-pua=CATEGORY
              Only include a specific PUA category. This option can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA.

       --detect-structured[=yes/no(*)]
              Use the DLP (Data Loss Prevention) module to detect SSN and
              Credit Card numbers inside documents/text files.

       --structured-ssn-format=X
              X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal);
              X=1: search for valid SSNs formatted as xxxyyzzzz (stripped);
              X=2: search for both formats. Default is 0.

       --structured-ssn-count=#n
              This option sets the lowest number of Social Security Numbers
              found in a file to generate a detect (default: 3).

       --structured-cc-count=#n
              This option sets the lowest number of Credit Card numbers found
              in a file to generate a detect (default: 3).

       --scan-mail[=yes(*)/no]
              Scan mail files. If you turn off this option, the original files
              will still be scanned, but without parsing individual
              messages/attachments.

       --phishing-sigs[=yes(*)/no]
              Enable email signature-based phishing detection.

       --phishing-scan-urls[=yes(*)/no]
              Enable URL signature-based phishing detection
              (Phishing.Heuristics.Email.*).

       --heuristic-alerts[=yes(*)/no]
              In some cases (e.g. complex malware, exploits in graphic files,
              and others), ClamAV uses special algorithms to provide accurate
              detection. This option can be used to control the algorithmic
              detection.

       --heuristic-scan-precedence[=yes/no(*)]
              Allow heuristic match to take precedence. When enabled, if a
              heuristic scan (such as phishingScan) detects a possible
              virus/phish it will stop scan immediately. Recommended, saves
              CPU scan-time. When disabled, virus/phish detected by heuristic
              scans will be reported only at the end of a scan. If an archive
              contains both a heuristically detected virus/phish, and a real
              malware, the real malware will be reported. Keep this disabled
              if you intend to handle "*.Heuristics.*" viruses differently
              from "real" malware. If a non-heuristically-detected virus
              (signature-based) is found first, the scan is interrupted
              immediately, regardless of this config option.

       --normalize[=yes(*)/no]
              Normalize (compress whitespace, downcase, etc.) html, script,
              and text files. Use normalize=no for yara compatibility.

       --scan-pe[=yes(*)/no]
              PE stands for Portable Executable - it's an executable file
              format used in all 32-bit versions of Windows operating systems.
              By default ClamAV performs deeper analysis of executable files
              and attempts to decompress popular executable packers such as
              UPX, Petite, and FSG. If you turn off this option, the original
              files will still be scanned but without additional processing.

       --scan-elf[=yes(*)/no]
              Executable and Linking Format is a standard format for UN*X
              executables. This option controls the ELF support. If you turn
              it off, the original files will still be scanned but without
              additional processing.

       --scan-ole2[=yes(*)/no]
              Scan Microsoft Office documents and .msi files. If you turn off
              this option, the original files will still be scanned but
              without additional processing.

       --scan-pdf[=yes(*)/no]
              Scan within PDF files. If you turn off this option, the original
              files will still be scanned, but without decoding and additional
              processing.

       --scan-swf[=yes(*)/no]
              Scan SWF files. If you turn off this option, the original files
              will still be scanned but without additional processing.

       --scan-html[=yes(*)/no]
              Detect, normalize/decrypt and scan HTML files and embedded
              scripts. If you turn off this option, the original files will
              still be scanned, but without additional processing.

       --scan-xmldocs[=yes(*)/no]
              Scan xml-based document files supported by libclamav. If you
              turn off this option, the original files will still be scanned,
              but without additional processing.

       --scan-hwp3[=yes(*)/no]
              Scan HWP3 files. If you turn off this option, the original files
              will still be scanned, but without additional processing.

       --scan-archive[=yes(*)/no]
              Scan archives supported by libclamav. If you turn off this
              option, the original files will still be scanned, but without
              unpacking and additional processing.

       --alert-broken[=yes/no(*)]
              Alert on broken executable files (PE & ELF).

       --alert-encrypted[=yes/no(*)]
              Alert on encrypted archives and documents (encrypted .zip,
              .7zip, .rar, .pdf).

       --alert-encrypted-archive[=yes/no(*)]
              Alert on encrypted archives (encrypted .zip, .7zip, .rar, .pdf).

       --alert-encrypted-doc[=yes/no(*)]
              Alert on encrypted documents (encrypted .zip, .7zip, .rar,
              .pdf).

       --alert-macros[=yes/no(*)]
              Alert on OLE2 files containing VBA macros
              (Heuristics.OLE2.ContainsMacros).

       --alert-exceeds-max[=yes/no(*)]
              Alert on files that exceed max file size, max scan size, or max
              recursion limit (Heuristics.Limits.Exceeded).

       --alert-phishing-ssl[=yes/no(*)]
              Alert on emails containing SSL mismatches in URLs (might lead to
              false positives!).

       --alert-phishing-cloak[=yes/no(*)]
              Alert on emails containing cloaked URLs (might lead to some
              false positives).

       --alert-partition-intersection[=yes/no(*)]
              Detect partition intersections in raw disk images using
              heuristics.

       --max-scantime=#n
              The maximum time to scan before giving up. The value is in
              milliseconds. The value of 0 disables the limit. This option
              protects your system against DoS attacks (default: 120000 = 120s
              or 2min).

       --max-filesize=#n
              Extract and scan at most #n bytes from each archive. You may
              pass the value in kilobytes in format xK or xk, or megabytes in
              format xM or xm, where x is a number. This option protects your
              system against DoS attacks (default: 25 MB, max: <4 GB).

       --max-scansize=#n
              Extract and scan at most #n bytes from each archive. The size of
              the archive plus the sum of the sizes of all files within the
              archive count toward the scan size. For example, a 1M
              uncompressed archive containing a single 1M inner file counts as
              2M toward max-scansize. You may pass the value in kilobytes in
              format xK or xk, or megabytes in format xM or xm, where x is a
              number. This option protects your system against DoS attacks
              (default: 100 MB, max: <4 GB).

       --max-files=#n
              Extract at most #n files from each scanned file (when this is an
              archive, a document or another kind of container). This option
              protects your system against DoS attacks (default: 10000).

       --max-recursion=#n
              Set archive recursion level limit. This option protects your
              system against DoS attacks (default: 16).

       --max-dir-recursion=#n
              Maximum depth directories are scanned at (default: 15).

       --max-embeddedpe=#n
              Maximum size file to check for embedded PE. You may pass the
              value in kilobytes in format xK or xk, or megabytes in format xM
              or xm, where x is a number (default: 10 MB, max: <4 GB).

       --max-htmlnormalize=#n
              Maximum size of HTML file to normalize. You may pass the value
              in kilobytes in format xK or xk, or megabytes in format xM or
              xm, where x is a number (default: 10 MB, max: <4 GB).

       --max-htmlnotags=#n
              Maximum size of normalized HTML file to scan. You may pass the
              value in kilobytes in format xK or xk, or megabytes in format xM
              or xm, where x is a number (default: 2 MB, max: <4 GB).

       --max-scriptnormalize=#n
              Maximum size of script file to normalize. You may pass the value
              in kilobytes in format xK or xk, or megabytes in format xM or
              xm, where x is a number (default: 5 MB, max: <4 GB).

       --max-ziptypercg=#n
              Maximum size zip to type reanalyze. You may pass the value in
              kilobytes in format xK or xk, or megabytes in format xM or xm,
              where x is a number (default: 1 MB, max: <4 GB).

       --max-partitions=#n
              This option sets the maximum number of partitions of a raw disk
              image to be scanned. This must be a positive integer (default:
              50).

       --max-iconspe=#n
              This option sets the maximum number of icons within a PE to be
              scanned. This must be a positive integer (default: 100).

       --max-rechwp3=#n
              This option sets the maximum recursive calls to HWP3 parsing
              function (default: 16).

       --pcre-match-limit=#n
              Maximum calls to the PCRE match function (default: 100000).

       --pcre-recmatch-limit=#n
              Maximum recursive calls to the PCRE match function (default:
              2000).

       --pcre-max-filesize=#n
              Maximum size file to perform PCRE subsig matching (default: 25
              MB, max: <4 GB).

       --disable-cache
              Disable caching and cache checks for hash sums of scanned files.

EXAMPLES

       (0) Scan a single file:

              clamscan file

       (1) Scan the current working directory:

              clamscan

       (2) Scan all files (and subdirectories) in /home:

              clamscan -r /home

       (3) Load database from a file:

              clamscan -d /tmp/newclamdb -r /tmp

       (4) Scan a data stream:

              cat testfile | clamscan -

       (5) Scan a mail spool directory:

              clamscan -r /var/spool/mail

RETURN CODES

       0 : No virus found.

       1 : Virus(es) found.

       2 : Some error(s) occurred.
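
       Added example (not part of the original manual page and not ClamAV
       project code): a POSIX sh wrapper that runs a recursive scan with the
       DoS limits written out and acts on the three return codes, so that a
       failed scan is never treated as a clean one. The CLAMSCAN and
       QUARANTINE variables, the function names and the default quarantine
       path are assumptions for illustration.

```sh
#!/bin/sh
# Added example: fail-closed wrapper around clamscan (constructed, not ClamAV code).
# CLAMSCAN and QUARANTINE are assumed names; override them in the environment.
CLAMSCAN="${CLAMSCAN:-clamscan}"
QUARANTINE="${QUARANTINE:-/var/quarantine}"  # must be writable by the scanning user

# Map a clamscan return code to a verdict. Codes other than 0 and 1
# (2 = error, or a signal/kill status from the shell) never count as clean.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Recursively scan $1. clamscan's report goes to stderr so that stdout carries
# only the verdict; the function returns 0 only for a clean scan.
scan_tree() {
    target=$1
    rc=0
    # Limits are the documented defaults, written out so they are reviewable.
    # --alert-exceeds-max=yes raises Heuristics.Limits.Exceeded for files that
    # exceed a limit; symlinks are never followed; detections are moved aside.
    "$CLAMSCAN" -r -i --no-summary \
        --follow-dir-symlinks=0 --follow-file-symlinks=0 \
        --max-scantime=120000 --max-filesize=25M --max-scansize=100M \
        --max-files=10000 --max-recursion=16 \
        --alert-exceeds-max=yes \
        --move="$QUARANTINE" \
        "$target" >&2 || rc=$?
    verdict=$(scan_verdict "$rc")
    echo "$verdict"
    [ "$verdict" = clean ]
}
```

       A caller running under set -e should invoke scan_tree inside an if or
       || list, because return code 1 signals a detection, not a crash.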

CREDITS

       Please check the full documentation for credits.

AUTHOR

       Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>

SEE ALSO

       clamdscan(1), freshclam(1), freshclam.conf(5)



ClamAV 0.103.2                 December 4, 2013                    clamscan(1)