clamscan(1)                     Clam AntiVirus                     clamscan(1)

NAME
       clamscan - scan files and directories for viruses

SYNOPSIS
       clamscan [options] [file/directory/-]

DESCRIPTION
       clamscan is a command line anti-virus scanner.

OPTIONS
       Most of the options are simple switches which enable or disable some
       features. Options marked with [=yes/no(*)] can be optionally followed
       by =yes/=no; if they get called without the boolean argument the
       scanner will assume 'yes'. The asterisk marks the default internal
       setting for a given option.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version number and exit.

       -v, --verbose
              Be verbose.

       -a, --archive-verbose
              Show filenames inside scanned archives.

       --debug
              Display debug messages from libclamav.

       --quiet
              Be quiet (only print error messages).

       --stdout
              Write all messages (except for libclamav output) to the
              standard output (stdout).

       --no-summary
              Do not display summary at the end of scanning.

       -i, --infected
              Only print infected files.

       -o, --suppress-ok-results
              Skip printing OK files.

       --bell
              Sound bell on virus detection.

       --tempdir=DIRECTORY
              Create temporary files in DIRECTORY. Directory must be
              writable for the '' user or unprivileged user running
              clamscan.

       --leave-temps
              Do not remove temporary files.

       --gen-json
              Generate JSON description of scanned file(s). JSON will be
              printed and also dropped to the temp directory if
              --leave-temps is enabled.

       -d FILE/DIR, --database=FILE/DIR
              Load virus database from FILE or load all virus database
              files from DIR.

       --official-db-only=[yes/no(*)]
              Only load the official signatures published by the ClamAV
              project.

       -l FILE, --log=FILE
              Save scan report to FILE.

       -r, --recursive
              Scan directories recursively. All the subdirectories in the
              given directory will be scanned.

       -z, --allmatch
              After a match, continue scanning within the file for
              additional matches.

       --cross-fs=[yes(*)/no]
              Scan files and directories on other filesystems.

       --follow-dir-symlinks=[0/1(*)/2]
              Follow directory symlinks. There are 3 options: 0 - never
              follow directory symlinks, 1 (default) - only follow
              directory symlinks, which are passed as direct arguments to
              clamscan. 2 - always follow directory symlinks.

       --follow-file-symlinks=[0/1(*)/2]
              Follow file symlinks. There are 3 options: 0 - never follow
              file symlinks, 1 (default) - only follow file symlinks, which
              are passed as direct arguments to clamscan. 2 - always follow
              file symlinks.

       -f FILE, --file-list=FILE
              Scan files listed line by line in FILE.

       --remove[=yes/no(*)]
              Remove infected files. Be careful!

       --move=DIRECTORY
              Move infected files into DIRECTORY. Directory must be
              writable for the '' user or unprivileged user running
              clamscan.

       --copy=DIRECTORY
              Copy infected files into DIRECTORY. Directory must be
              writable for the '' user or unprivileged user running
              clamscan.

       --exclude=REGEX, --exclude-dir=REGEX
              Don't scan file/directory names matching regular expression.
              These options can be used multiple times.

       --include=REGEX, --include-dir=REGEX
              Only scan file/directory matching regular expression. These
              options can be used multiple times.

       --bytecode[=yes(*)/no]
              With this option enabled ClamAV will load bytecode from the
              database. It is highly recommended you keep this option
              turned on, otherwise you may miss detections for many new
              viruses.

       --bytecode-unsigned[=yes/no(*)]
              Allow loading bytecode from outside digitally signed .c[lv]d
              files. **Caution**: You should NEVER run bytecode signatures
              from untrusted sources. Doing so may result in arbitrary code
              execution.

       --bytecode-timeout=N
              Set bytecode timeout in milliseconds (default: 5000 = 5s)

       --statistics[=none(*)/bytecode/pcre]
              Collect and print execution statistics.

       --detect-pua[=yes/no(*)]
              Detect Possibly Unwanted Applications.

       --exclude-pua=CATEGORY
              Exclude a specific PUA category. This option can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA

       --include-pua=CATEGORY
              Only include a specific PUA category. This option can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA

       --detect-structured[=yes/no(*)]
              Use the DLP (Data Loss Prevention) module to detect SSN and
              Credit Card numbers inside documents/text files.

       --structured-ssn-format=X
              X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal);
              X=1: search for valid SSNs formatted as xxxyyzzzz (stripped);
              X=2: search for both formats. Default is 0.

       --structured-ssn-count=#n
              This option sets the lowest number of Social Security Numbers
              found in a file to generate a detect (default: 3).

       --structured-cc-count=#n
              This option sets the lowest number of Credit Card numbers
              found in a file to generate a detect (default: 3).

       --scan-mail[=yes(*)/no]
              Scan mail files. If you turn off this option, the original
              files will still be scanned, but without parsing individual
              messages/attachments.

       --phishing-sigs[=yes(*)/no]
              Enable email signature-based phishing detection.

       --phishing-scan-urls[=yes(*)/no]
              Enable URL signature-based phishing detection
              (Phishing.Heuristics.Email.*)

       --heuristic-alerts[=yes(*)/no]
              In some cases (e.g. complex malware, exploits in graphic
              files, and others), ClamAV uses special algorithms to provide
              accurate detection. This option can be used to control the
              algorithmic detection.

       --heuristic-scan-precedence[=yes/no(*)]
              Allow heuristic match to take precedence. When enabled, if a
              heuristic scan (such as phishingScan) detects a possible
              virus/phish it will stop the scan immediately. Recommended,
              saves CPU scan-time. When disabled, virus/phish detected by
              heuristic scans will be reported only at the end of a scan.
              If an archive contains both a heuristically detected
              virus/phish, and a real malware, the real malware will be
              reported. Keep this disabled if you intend to handle
              "*.Heuristics.*" viruses differently from "real" malware. If
              a non-heuristically-detected virus (signature-based) is found
              first, the scan is interrupted immediately, regardless of
              this config option.

       --normalize[=yes(*)/no]
              Normalize (compress whitespace, downcase, etc.) html, script,
              and text files. Use normalize=no for yara compatibility.

       --scan-pe[=yes(*)/no]
              PE stands for Portable Executable - it's an executable file
              format used in all 32-bit versions of Windows operating
              systems. By default ClamAV performs deeper analysis of
              executable files and attempts to decompress popular
              executable packers such as UPX, Petite, and FSG. If you turn
              off this option, the original files will still be scanned but
              without additional processing.

       --scan-elf[=yes(*)/no]
              Executable and Linking Format is a standard format for UN*X
              executables. This option controls the ELF support. If you
              turn it off, the original files will still be scanned but
              without additional processing.

       --scan-ole2[=yes(*)/no]
              Scan Microsoft Office documents and .msi files. If you turn
              off this option, the original files will still be scanned but
              without additional processing.

       --scan-pdf[=yes(*)/no]
              Scan within PDF files. If you turn off this option, the
              original files will still be scanned, but without decoding
              and additional processing.

       --scan-swf[=yes(*)/no]
              Scan SWF files. If you turn off this option, the original
              files will still be scanned but without additional
              processing.

       --scan-html[=yes(*)/no]
              Detect, normalize/decrypt and scan HTML files and embedded
              scripts. If you turn off this option, the original files will
              still be scanned, but without additional processing.

       --scan-xmldocs[=yes(*)/no]
              Scan xml-based document files supported by libclamav. If you
              turn off this option, the original files will still be
              scanned, but without additional processing.

       --scan-hwp3[=yes(*)/no]
              Scan HWP3 files. If you turn off this option, the original
              files will still be scanned, but without additional
              processing.

       --scan-archive[=yes(*)/no]
              Scan archives supported by libclamav. If you turn off this
              option, the original files will still be scanned, but without
              unpacking and additional processing.

       --alert-broken[=yes/no(*)]
              Alert on broken executable files (PE & ELF).

       --alert-encrypted[=yes/no(*)]
              Alert on encrypted archives and documents (encrypted .zip,
              .7zip, .rar, .pdf).

       --alert-encrypted-archive[=yes/no(*)]
              Alert on encrypted archives (encrypted .zip, .7zip, .rar,
              .pdf).

       --alert-encrypted-doc[=yes/no(*)]
              Alert on encrypted documents (encrypted .zip, .7zip, .rar,
              .pdf).

       --alert-macros[=yes/no(*)]
              Alert on OLE2 files containing VBA macros
              (Heuristics.OLE2.ContainsMacros).

       --alert-exceeds-max[=yes/no(*)]
              Alert on files that exceed max file size, max scan size, or
              max recursion limit (Heuristics.Limits.Exceeded).

       --alert-phishing-ssl[=yes/no(*)]
              Alert on emails containing SSL mismatches in URLs (might lead
              to false positives!).

       --alert-phishing-cloak[=yes/no(*)]
              Alert on emails containing cloaked URLs (might lead to some
              false positives).

       --alert-partition-intersection[=yes/no(*)]
              Detect partition intersections in raw disk images using
              heuristics.

       --max-scantime=#n
              The maximum time to scan before giving up. The value is in
              milliseconds. The value of 0 disables the limit. This option
              protects your system against DoS attacks (default: 120000 =
              120s or 2min)

       --max-filesize=#n
              Extract and scan at most #n bytes from each archive. You may
              pass the value in kilobytes in format xK or xk, or megabytes
              in format xM or xm, where x is a number. This option protects
              your system against DoS attacks (default: 25 MB, max: <4 GB)

       --max-scansize=#n
              Extract and scan at most #n bytes from each archive. The size
              of the archive plus the sum of the sizes of all files within
              the archive count toward the scan size. For example, a 1M
              uncompressed archive containing a single 1M inner file counts
              as 2M toward max-scansize. You may pass the value in
              kilobytes in format xK or xk, or megabytes in format xM or
              xm, where x is a number. This option protects your system
              against DoS attacks (default: 100 MB, max: <4 GB)

       --max-files=#n
              Extract at most #n files from each scanned file (when this is
              an archive, a document or another kind of container). This
              option protects your system against DoS attacks (default:
              10000)

       --max-recursion=#n
              Set archive recursion level limit. This option protects your
              system against DoS attacks (default: 16).

       --max-dir-recursion=#n
              Maximum depth directories are scanned at (default: 15).

       --max-embeddedpe=#n
              Maximum size file to check for embedded PE. You may pass the
              value in kilobytes in format xK or xk, or megabytes in format
              xM or xm, where x is a number (default: 10 MB, max: <4 GB).

       --max-htmlnormalize=#n
              Maximum size of HTML file to normalize. You may pass the
              value in kilobytes in format xK or xk, or megabytes in format
              xM or xm, where x is a number (default: 10 MB, max: <4 GB).

       --max-htmlnotags=#n
              Maximum size of normalized HTML file to scan. You may pass
              the value in kilobytes in format xK or xk, or megabytes in
              format xM or xm, where x is a number (default: 2 MB, max: <4
              GB).

       --max-scriptnormalize=#n
              Maximum size of script file to normalize. You may pass the
              value in kilobytes in format xK or xk, or megabytes in format
              xM or xm, where x is a number (default: 5 MB, max: <4 GB).

       --max-ziptypercg=#n
              Maximum size zip to type reanalyze. You may pass the value in
              kilobytes in format xK or xk, or megabytes in format xM or
              xm, where x is a number (default: 1 MB, max: <4 GB).

       --max-partitions=#n
              This option sets the maximum number of partitions of a raw
              disk image to be scanned. This must be a positive integer
              (default: 50).

       --max-iconspe=#n
              This option sets the maximum number of icons within a PE to
              be scanned. This must be a positive integer (default: 100).

       --max-rechwp3=#n
              This option sets the maximum recursive calls to HWP3 parsing
              function (default: 16).

       --pcre-match-limit=#n
              Maximum calls to the PCRE match function (default: 100000).

       --pcre-recmatch-limit=#n
              Maximum recursive calls to the PCRE match function (default:
              2000).

       --pcre-max-filesize=#n
              Maximum size file to perform PCRE subsig matching (default:
              25 MB, max: <4 GB).

       --disable-cache
              Disable caching and cache checks for hash sums of scanned
              files.

EXAMPLES
       (0) Scan a single file:

              clamscan file

       (1) Scan the current working directory:

              clamscan

       (2) Scan all files (and subdirectories) in /home:

              clamscan -r /home

       (3) Load database from a file:

              clamscan -d /tmp/newclamdb -r /tmp

       (4) Scan a data stream:

              cat testfile | clamscan -

       (5) Scan a mail spool directory:

              clamscan -r /var/spool/mail

RETURN CODES
       0 : No virus found.

       1 : Virus(es) found.

       2 : Some error(s) occurred.
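
Added example (not part of the original man page): a fail-closed scan gate built from the options and return codes documented above, where return code 2 is never treated as "clean". The function names, QUARANTINE_DIR and the chosen limit values are assumptions for illustration.

```shell
#!/bin/sh
# Added example: fail-closed scan gate. QUARANTINE_DIR, the function names and
# the limit values are assumptions chosen for illustration.
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/quarantine}"

# Set the DoS limits explicitly and enable the limit/encryption alerts, so a
# container that exceeds a limit or is encrypted is reported instead of being
# returned as clean.
run_clamscan() {
    clamscan --no-summary --infected \
        --max-scantime=60000 \
        --max-filesize=25M \
        --max-scansize=100M \
        --max-files=10000 \
        --max-recursion=16 \
        --alert-exceeds-max=yes \
        --alert-encrypted=yes \
        --move="$QUARANTINE_DIR" \
        "$1"
}

# Print clean | infected | error and return 0 only for a clean file.
scan_verdict() {
    file=$1
    # A relative name such as "-r" would be parsed as an option; anchor it.
    case "$file" in
        /*) ;;
        *)  file="./$file" ;;
    esac
    if [ ! -f "$file" ]; then
        echo error
        return 2
    fi
    rc=0
    run_clamscan "$file" >&2 || rc=$?
    case "$rc" in
        0) echo clean;    return 0 ;;
        1) echo infected; return 1 ;;
        *) echo error;    return 2 ;;  # 2 or anything unexpected: reject
    esac
}
```

A caller accepts a file only when scan_verdict returns 0; QUARANTINE_DIR must be writable by the user running clamscan, as --move requires.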

CREDITS
       Please check the full documentation for credits.

AUTHOR
       Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>

SEE ALSO
       clamdscan(1), freshclam(1), freshclam.conf(5)

ClamAV 0.103.2                  December 4, 2013                   clamscan(1)