clamscan(1)                  Clam AntiVirus                  clamscan(1)

NAME
clamscan - scan files and directories for viruses

SYNOPSIS
clamscan [options] [file/directory/-]

DESCRIPTION
clamscan is a command line anti-virus scanner.

OPTIONS
Most of the options are simple switches which enable or disable some
features. Options marked with [=yes/no(*)] can be optionally followed
by =yes/=no; if they get called without the boolean argument the
scanner will assume 'yes'. The asterisk marks the default internal
setting for a given option.

-h, --help
    Print help information and exit.

-V, --version
    Print version number and exit.

-v, --verbose
    Be verbose.

-a, --archive-verbose
    Show filenames inside scanned archives.

--debug
    Display debug messages from libclamav.

--quiet
    Be quiet (only print error messages).

--stdout
    Write all messages (except for libclamav output) to the standard
    output (stdout).

--no-summary
    Do not display summary at the end of scanning.

-i, --infected
    Only print infected files.

-o, --suppress-ok-results
    Skip printing OK files.

--bell
    Sound bell on virus detection.

--tempdir=DIRECTORY
    Create temporary files in DIRECTORY. Directory must be writable
    for the 'clamupdate' user or unprivileged user running clamscan.

--leave-temps
    Do not remove temporary files.

--gen-json
    Generate JSON description of scanned file(s). JSON will be
    printed and also dropped to the temp directory if --leave-temps
    is enabled.

-d FILE/DIR, --database=FILE/DIR
    Load virus database from FILE or load all virus database files
    from DIR.

--official-db-only=[yes/no(*)]
    Only load the official signatures published by the ClamAV
    project.

-l FILE, --log=FILE
    Save scan report to FILE.

-r, --recursive
    Scan directories recursively. All the subdirectories in the
    given directory will be scanned.

-z, --allmatch
    After a match, continue scanning within the file for additional
    matches.

--cross-fs=[yes(*)/no]
    Scan files and directories on other filesystems.

--follow-dir-symlinks=[0/1(*)/2]
    Follow directory symlinks. There are 3 options: 0 - never follow
    directory symlinks; 1 (default) - only follow directory symlinks
    which are passed as direct arguments to clamscan; 2 - always
    follow directory symlinks.

--follow-file-symlinks=[0/1(*)/2]
    Follow file symlinks. There are 3 options: 0 - never follow file
    symlinks; 1 (default) - only follow file symlinks which are
    passed as direct arguments to clamscan; 2 - always follow file
    symlinks.

-f FILE, --file-list=FILE
    Scan files listed line by line in FILE.

--remove[=yes/no(*)]
    Remove infected files. Be careful!

--move=DIRECTORY
    Move infected files into DIRECTORY. Directory must be writable
    for the 'clamupdate' user or unprivileged user running clamscan.

--copy=DIRECTORY
    Copy infected files into DIRECTORY. Directory must be writable
    for the 'clamupdate' user or unprivileged user running clamscan.

--exclude=REGEX, --exclude-dir=REGEX
    Don't scan file/directory names matching regular expression.
    These options can be used multiple times.

--include=REGEX, --include-dir=REGEX
    Only scan file/directory matching regular expression. These
    options can be used multiple times.

--bytecode[=yes(*)/no]
    With this option enabled ClamAV will load bytecode from the
    database. It is highly recommended you keep this option turned
    on, otherwise you may miss detections for many new viruses.

--bytecode-unsigned[=yes/no(*)]
    Allow loading bytecode from outside digitally signed .c[lv]d
    files. Caution: You should NEVER run bytecode signatures from
    untrusted sources. Doing so may result in arbitrary code
    execution.

--bytecode-timeout=N
    Set bytecode timeout in milliseconds (default: 10000 = 10s).

--statistics[=none(*)/bytecode/pcre]
    Collect and print execution statistics.

--detect-pua[=yes/no(*)]
    Detect Possibly Unwanted Applications.

--exclude-pua=CATEGORY
    Exclude a specific PUA category. This option can be used
    multiple times. See https://docs.clamav.net/faq/faq-pua.html for
    the complete list of PUA categories.

--include-pua=CATEGORY
    Only include a specific PUA category. This option can be used
    multiple times. See https://docs.clamav.net/faq/faq-pua.html for
    the complete list of PUA categories.

--detect-structured[=yes/no(*)]
    Use the DLP (Data Loss Prevention) module to detect SSN and
    Credit Card numbers inside documents/text files.

--structured-ssn-format=X
    X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal);
    X=1: search for valid SSNs formatted as xxxyyzzzz (stripped);
    X=2: search for both formats. Default is 0.

--structured-ssn-count=#n
    This option sets the lowest number of Social Security Numbers
    found in a file to generate a detection (default: 3).

--structured-cc-count=#n
    This option sets the lowest number of Credit Card numbers found
    in a file to generate a detection (default: 3).

--scan-mail[=yes(*)/no]
    Scan mail files. If you turn off this option, the original files
    will still be scanned, but without parsing individual
    messages/attachments.

--phishing-sigs[=yes(*)/no]
    Enable email signature-based phishing detection.

--phishing-scan-urls[=yes(*)/no]
    Enable URL signature-based phishing detection
    (Heuristics.Phishing.Email.*).

--heuristic-alerts[=yes(*)/no]
    In some cases (e.g. complex malware, exploits in graphic files,
    and others), ClamAV uses special algorithms to provide accurate
    detection. This option can be used to control the algorithmic
    detection.

--heuristic-scan-precedence[=yes/no(*)]
    Allow heuristic match to take precedence. When enabled, if a
    heuristic scan (such as phishingScan) detects a possible
    virus/phish it will stop the scan immediately. Recommended, saves
    CPU scan-time. When disabled, virus/phish detected by heuristic
    scans will be reported only at the end of a scan. If an archive
    contains both a heuristically detected virus/phish and real
    malware, the real malware will be reported. Keep this disabled
    if you intend to handle "Heuristics.*" viruses differently from
    "real" malware. If a non-heuristically-detected virus
    (signature-based) is found first, the scan is interrupted
    immediately, regardless of this config option.

--normalize[=yes(*)/no]
    Normalize (compress whitespace, downcase, etc.) html, script,
    and text files. Use normalize=no for yara compatibility.

--scan-pe[=yes(*)/no]
    PE stands for Portable Executable - it's an executable file
    format used in all 32-bit versions of Windows operating systems.
    By default ClamAV performs deeper analysis of executable files
    and attempts to decompress popular executable packers such as
    UPX, Petite, and FSG. If you turn off this option, the original
    files will still be scanned but without additional processing.

--scan-elf[=yes(*)/no]
    Executable and Linking Format is a standard format for UN*X
    executables. This option controls the ELF support. If you turn
    it off, the original files will still be scanned but without
    additional processing.

--scan-ole2[=yes(*)/no]
    Scan Microsoft Office documents and .msi files. If you turn off
    this option, the original files will still be scanned but
    without additional processing.

--scan-pdf[=yes(*)/no]
    Scan within PDF files. If you turn off this option, the original
    files will still be scanned, but without decoding and additional
    processing.

--scan-swf[=yes(*)/no]
    Scan SWF files. If you turn off this option, the original files
    will still be scanned but without additional processing.

--scan-html[=yes(*)/no]
    Detect, normalize/decrypt and scan HTML files and embedded
    scripts. If you turn off this option, the original files will
    still be scanned, but without additional processing.

--scan-xmldocs[=yes(*)/no]
    Scan xml-based document files supported by libclamav. If you
    turn off this option, the original files will still be scanned,
    but without additional processing.

--scan-hwp3[=yes(*)/no]
    Scan HWP3 files. If you turn off this option, the original files
    will still be scanned, but without additional processing.

--scan-archive[=yes(*)/no]
    Scan archives supported by libclamav. If you turn off this
    option, the original files will still be scanned, but without
    unpacking and additional processing.

--alert-broken[=yes/no(*)]
    Alert on broken executable files (PE & ELF).

--alert-encrypted[=yes/no(*)]
    Alert on encrypted archives and documents (encrypted .zip,
    .7zip, .rar, .pdf).

--alert-encrypted-archive[=yes/no(*)]
    Alert on encrypted archives (encrypted .zip, .7zip, .rar, .pdf).

--alert-encrypted-doc[=yes/no(*)]
    Alert on encrypted documents (encrypted .zip, .7zip, .rar,
    .pdf).

--alert-macros[=yes/no(*)]
    Alert on OLE2 files containing VBA macros
    (Heuristics.OLE2.ContainsMacros).

--alert-exceeds-max[=yes/no(*)]
    Alert on files that exceed max file size, max scan size, or max
    recursion limit (Heuristics.Limits.Exceeded).

--alert-phishing-ssl[=yes/no(*)]
    Alert on emails containing SSL mismatches in URLs (might lead to
    false positives!).

--alert-phishing-cloak[=yes/no(*)]
    Alert on emails containing cloaked URLs (might lead to some
    false positives).

--alert-partition-intersection[=yes/no(*)]
    Detect partition intersections in raw disk images using
    heuristics.

--nocerts
    Disable authenticode certificate chain verification in PE files.

--dumpcerts
    Dump authenticode certificate chain in PE files.

--max-scantime=#n
    The maximum time to scan before giving up. The value is in
    milliseconds. The value of 0 disables the limit. This option
    protects your system against DoS attacks (default: 120000 = 120s
    or 2min).

--max-filesize=#n
    Extract and scan at most #n bytes from each archive. You may
    pass the value in kilobytes in format xK or xk, or megabytes in
    format xM or xm, where x is a number. This option protects your
    system against DoS attacks (default: 25 MB, max: <4 GB).

--max-scansize=#n
    Extract and scan at most #n bytes from each archive. The size of
    the archive plus the sum of the sizes of all files within the
    archive count toward the scan size. For example, a 1M
    uncompressed archive containing a single 1M inner file counts as
    2M toward max-scansize. You may pass the value in kilobytes in
    format xK or xk, or megabytes in format xM or xm, where x is a
    number. This option protects your system against DoS attacks
    (default: 100 MB, max: <4 GB).

--max-files=#n
    Extract at most #n files from each scanned file (when this is an
    archive, a document or another kind of container). This option
    protects your system against DoS attacks (default: 10000).

--max-recursion=#n
    Set archive recursion level limit. This option protects your
    system against DoS attacks (default: 17).

--max-dir-recursion=#n
    Maximum depth directories are scanned at (default: 15).

--max-embeddedpe=#n
    Maximum size of a file to check for embedded PE. You may pass
    the value in kilobytes in format xK or xk, or megabytes in format
    xM or xm, where x is a number (default: 10 MB, max: <4 GB).

--max-htmlnormalize=#n
    Maximum size of HTML file to normalize. You may pass the value
    in kilobytes in format xK or xk, or megabytes in format xM or
    xm, where x is a number (default: 10 MB, max: <4 GB).

--max-htmlnotags=#n
    Maximum size of normalized HTML file to scan. You may pass the
    value in kilobytes in format xK or xk, or megabytes in format xM
    or xm, where x is a number (default: 2 MB, max: <4 GB).

--max-scriptnormalize=#n
    Maximum size of script file to normalize. You may pass the value
    in kilobytes in format xK or xk, or megabytes in format xM or
    xm, where x is a number (default: 5 MB, max: <4 GB).

--max-ziptypercg=#n
    Maximum size of a zip file to reanalyze for type recognition.
    You may pass the value in kilobytes in format xK or xk, or
    megabytes in format xM or xm, where x is a number (default: 1 MB,
    max: <4 GB).

--max-partitions=#n
    This option sets the maximum number of partitions of a raw disk
    image to be scanned. This must be a positive integer (default:
    50).

--max-iconspe=#n
    This option sets the maximum number of icons within a PE to be
    scanned. This must be a positive integer (default: 100).

--max-rechwp3=#n
    This option sets the maximum recursive calls to HWP3 parsing
    function (default: 16).

--pcre-match-limit=#n
    Maximum calls to the PCRE match function (default: 100000).

--pcre-recmatch-limit=#n
    Maximum recursive calls to the PCRE match function (default:
    2000).

--pcre-max-filesize=#n
    Maximum size file to perform PCRE subsig matching (default: 25
    MB, max: <4 GB).

--disable-cache
    Disable caching and cache checks for hash sums of scanned files.

ENVIRONMENT VARIABLES
clamscan uses the following environment variables:

LD_LIBRARY_PATH - May be used on startup to find the libclamunrar_iface
shared library module to enable RAR archive support.

EXAMPLES
(0) Scan a single file:

    clamscan file

(1) Scan the current working directory:

    clamscan

(2) Scan all files (and subdirectories) in /home:

    clamscan -r /home

(3) Load database from a file:

    clamscan -d /tmp/newclamdb -r /tmp

(4) Scan a data stream:

    cat testfile | clamscan -

(5) Scan a mail spool directory:

    clamscan -r /var/spool/mail

RETURN CODES
0 : No virus found.

1 : Virus(es) found.

2 : Some error(s) occurred.
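
Added example (not part of the clamscan manual): a POSIX sh wrapper that treats the return codes above fail-closed and separates Heuristics.* alerts, including the Heuristics.Limits.Exceeded alert enabled by --alert-exceeds-max, from signature detections. It assumes clamscan reports detections as "path: Name FOUND"; the sample lines, the signature name Example.Test.Signature and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the clamscan man page. Sample output is constructed;
# "Example.Test.Signature" is a made-up signature name.
SAMPLE_OUTPUT='/srv/upload/a.zip: Heuristics.Limits.Exceeded FOUND
/srv/upload/doc: x.xls: Heuristics.OLE2.ContainsMacros FOUND
/srv/upload/eicar.com: Example.Test.Signature FOUND
/srv/upload/ok.txt: OK'

# Read clamscan output on stdin and print "<class> <path>" per detection:
#   unscanned : a size/recursion limit was hit, the file was not fully scanned
#   heuristic : Heuristics.* alert, handled apart from "real" malware
#   signature : signature-based detection
classify_findings() {
    # A path may itself contain ": ", so split at the last occurrence.
    sed -n 's/^\(.*\): \([^ ]*\) FOUND$/\2 \1/p' |
    while read -r sig path; do
        case $sig in
            Heuristics.Limits.Exceeded*) echo "unscanned $path" ;;
            Heuristics.*)                echo "heuristic $path" ;;
            *)                           echo "signature $path" ;;
        esac
    done
}

# Map the documented return codes to a verdict. Anything other than 0 or 1
# is an error, so a failed scan is never read as "clean".
verdict() {
    case $1 in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan one path, print classified findings, succeed only on return code 0.
scan_path() {
    out=$(clamscan --recursive --infected --no-summary \
        --alert-exceeds-max=yes --heuristic-scan-precedence=no "$1" 2>&1)
    rc=$?
    printf '%s\n' "$out" | classify_findings
    echo "verdict: $(verdict "$rc")"
    [ "$rc" -eq 0 ]
}

# With a path argument, scan it; otherwise classify the constructed sample.
if [ "$#" -gt 0 ]; then scan_path "$1"; exit $?; fi
printf '%s\n' "$SAMPLE_OUTPUT" | classify_findings
```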

CREDITS
Please check the full documentation for credits.

AUTHOR
Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>

SEE ALSO
clamdscan(1), freshclam(1), freshclam.conf(5)

ClamAV 1.0.4                 December 4, 2013                clamscan(1)