clamscan(1)                     Clam AntiVirus                     clamscan(1)

NAME

       clamscan - scan files and directories for viruses

SYNOPSIS

       clamscan [options] [file/directory/-]

DESCRIPTION

       clamscan is a command line anti-virus scanner.

OPTIONS

       Most of the options are simple switches which enable or disable some
       features. Options marked with [=yes/no(*)] can be optionally followed
       by =yes/=no; if they get called without the boolean argument the
       scanner will assume 'yes'. The asterisk marks the default internal
       setting for a given option.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version number and exit.

       -v, --verbose
              Be verbose.

       -a, --archive-verbose
              Show filenames inside scanned archives.

       --debug
              Display debug messages from libclamav.

       --quiet
              Be quiet (only print error messages).

       --stdout
              Write all messages (except for libclamav output) to the standard
              output (stdout).

       --no-summary
              Do not display summary at the end of scanning.

       -i, --infected
              Only print infected files.

       -o, --suppress-ok-results
              Skip printing OK files.

       --bell Sound bell on virus detection.

       --tempdir=DIRECTORY
              Create temporary files in DIRECTORY. Directory must be writable
              for the 'clamupdate' user or unprivileged user running clamscan.

       --leave-temps
              Do not remove temporary files.

       --gen-json
              Generate JSON description of scanned file(s). JSON will be
              printed and also dropped to the temp directory if --leave-temps
              is enabled.

       -d FILE/DIR, --database=FILE/DIR
              Load virus database from FILE or load all virus database files
              from DIR.

       --official-db-only=[yes/no(*)]
              Only load the official signatures published by the ClamAV
              project.

       -l FILE, --log=FILE
              Save scan report to FILE.

       -r, --recursive
              Scan directories recursively. All the subdirectories in the
              given directory will be scanned.

       -z, --allmatch
              After a match, continue scanning within the file for additional
              matches.

       --cross-fs=[yes(*)/no]
              Scan files and directories on other filesystems.

       --follow-dir-symlinks=[0/1(*)/2]
              Follow directory symlinks. There are 3 options: 0 - never follow
              directory symlinks; 1 (default) - only follow directory symlinks
              that are passed as direct arguments to clamscan; 2 - always
              follow directory symlinks.

       --follow-file-symlinks=[0/1(*)/2]
              Follow file symlinks. There are 3 options: 0 - never follow file
              symlinks; 1 (default) - only follow file symlinks that are
              passed as direct arguments to clamscan; 2 - always follow file
              symlinks.

       -f FILE, --file-list=FILE
              Scan files listed line by line in FILE.

       --remove[=yes/no(*)]
              Remove infected files. Be careful!

       --move=DIRECTORY
              Move infected files into DIRECTORY. Directory must be writable
              for the 'clamupdate' user or unprivileged user running clamscan.

       --copy=DIRECTORY
              Copy infected files into DIRECTORY. Directory must be writable
              for the 'clamupdate' user or unprivileged user running clamscan.

       --exclude=REGEX, --exclude-dir=REGEX
              Don't scan file/directory names matching regular expression.
              These options can be used multiple times.

       --include=REGEX, --include-dir=REGEX
              Only scan file/directory matching regular expression. These
              options can be used multiple times.

       --bytecode[=yes(*)/no]
              With this option enabled ClamAV will load bytecode from the
              database. It is highly recommended you keep this option turned
              on, otherwise you may miss detections for many new viruses.

       --bytecode-unsigned[=yes/no(*)]
              Allow loading bytecode from outside digitally signed .c[lv]d
              files. Caution: You should NEVER run bytecode signatures
              from untrusted sources. Doing so may result in arbitrary code
              execution.

       --bytecode-timeout=N
              Set bytecode timeout in milliseconds (default: 10000 = 10s).

       --statistics[=none(*)/bytecode/pcre]
              Collect and print execution statistics.

       --detect-pua[=yes/no(*)]
              Detect Possibly Unwanted Applications.

       --exclude-pua=CATEGORY
              Exclude a specific PUA category. This option can be used
              multiple times. See https://docs.clamav.net/faq/faq-pua.html for
              the complete list of PUA categories.

       --include-pua=CATEGORY
              Only include a specific PUA category. This option can be used
              multiple times. See https://docs.clamav.net/faq/faq-pua.html for
              the complete list of PUA categories.

       --detect-structured[=yes/no(*)]
              Use the DLP (Data Loss Prevention) module to detect SSN and
              Credit Card numbers inside documents/text files.

       --structured-ssn-format=X
              X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal);
              X=1: search for valid SSNs formatted as xxxyyzzzz (stripped);
              X=2: search for both formats. Default is 0.

       --structured-ssn-count=#n
              This option sets the lowest number of Social Security Numbers
              found in a file to generate a detection (default: 3).

       --structured-cc-count=#n
              This option sets the lowest number of Credit Card numbers found
              in a file to generate a detection (default: 3).

       --scan-mail[=yes(*)/no]
              Scan mail files. If you turn off this option, the original files
              will still be scanned, but without parsing individual
              messages/attachments.

       --phishing-sigs[=yes(*)/no]
              Enable email signature-based phishing detection.

       --phishing-scan-urls[=yes(*)/no]
              Enable URL signature-based phishing detection
              (Heuristics.Phishing.Email.*).

       --heuristic-alerts[=yes(*)/no]
              In some cases (e.g. complex malware, exploits in graphic files,
              and others), ClamAV uses special algorithms to provide accurate
              detection. This option can be used to control the algorithmic
              detection.

       --heuristic-scan-precedence[=yes/no(*)]
              Allow heuristic match to take precedence. When enabled, if a
              heuristic scan (such as phishingScan) detects a possible
              virus/phish it will stop the scan immediately. Recommended,
              saves CPU scan-time. When disabled, virus/phish detected by
              heuristic scans will be reported only at the end of a scan. If
              an archive contains both a heuristically detected virus/phish
              and a real malware, the real malware will be reported. Keep this
              disabled if you intend to handle "Heuristics.*" viruses
              differently from "real" malware. If a non-heuristically-detected
              virus (signature-based) is found first, the scan is interrupted
              immediately, regardless of this config option.

       --normalize[=yes(*)/no]
              Normalize (compress whitespace, downcase, etc.) html, script,
              and text files. Use --normalize=no for YARA compatibility.

       --scan-pe[=yes(*)/no]
              PE stands for Portable Executable - it's an executable file
              format used in all 32-bit versions of Windows operating systems.
              By default ClamAV performs deeper analysis of executable files
              and attempts to decompress popular executable packers such as
              UPX, Petite, and FSG. If you turn off this option, the original
              files will still be scanned but without additional processing.

       --scan-elf[=yes(*)/no]
              Executable and Linking Format is a standard format for UN*X
              executables. This option controls the ELF support. If you turn
              it off, the original files will still be scanned but without
              additional processing.

       --scan-ole2[=yes(*)/no]
              Scan Microsoft Office documents and .msi files. If you turn off
              this option, the original files will still be scanned but
              without additional processing.

       --scan-pdf[=yes(*)/no]
              Scan within PDF files. If you turn off this option, the original
              files will still be scanned, but without decoding and additional
              processing.

       --scan-swf[=yes(*)/no]
              Scan SWF files. If you turn off this option, the original files
              will still be scanned but without additional processing.

       --scan-html[=yes(*)/no]
              Detect, normalize/decrypt and scan HTML files and embedded
              scripts. If you turn off this option, the original files will
              still be scanned, but without additional processing.

       --scan-xmldocs[=yes(*)/no]
              Scan xml-based document files supported by libclamav. If you
              turn off this option, the original files will still be scanned,
              but without additional processing.

       --scan-hwp3[=yes(*)/no]
              Scan HWP3 files. If you turn off this option, the original files
              will still be scanned, but without additional processing.

       --scan-archive[=yes(*)/no]
              Scan archives supported by libclamav. If you turn off this
              option, the original files will still be scanned, but without
              unpacking and additional processing.

       --alert-broken[=yes/no(*)]
              Alert on broken executable files (PE & ELF).

       --alert-encrypted[=yes/no(*)]
              Alert on encrypted archives and documents (encrypted .zip,
              .7zip, .rar, .pdf).

       --alert-encrypted-archive[=yes/no(*)]
              Alert on encrypted archives (encrypted .zip, .7zip, .rar, .pdf).

       --alert-encrypted-doc[=yes/no(*)]
              Alert on encrypted documents (encrypted .zip, .7zip, .rar,
              .pdf).

       --alert-macros[=yes/no(*)]
              Alert on OLE2 files containing VBA macros
              (Heuristics.OLE2.ContainsMacros).

       --alert-exceeds-max[=yes/no(*)]
              Alert on files that exceed max file size, max scan size, or max
              recursion limit (Heuristics.Limits.Exceeded).

       --alert-phishing-ssl[=yes/no(*)]
              Alert on emails containing SSL mismatches in URLs (might lead to
              false positives!).

       --alert-phishing-cloak[=yes/no(*)]
              Alert on emails containing cloaked URLs (might lead to some
              false positives).

       --alert-partition-intersection[=yes/no(*)]
              Detect partition intersections in raw disk images using
              heuristics.

       --nocerts
              Disable authenticode certificate chain verification in PE files.

       --dumpcerts
              Dump authenticode certificate chain in PE files.

       --max-scantime=#n
              The maximum time to scan before giving up. The value is in
              milliseconds. The value of 0 disables the limit. This option
              protects your system against DoS attacks (default: 120000 = 120s
              or 2min).

       --max-filesize=#n
              Extract and scan at most #n bytes from each archive. You may
              pass the value in kilobytes in format xK or xk, or megabytes in
              format xM or xm, where x is a number. This option protects your
              system against DoS attacks (default: 25 MB, max: <4 GB).

       --max-scansize=#n
              Extract and scan at most #n bytes from each archive. The size
              of the archive plus the sum of the sizes of all files within the
              archive count toward the scan size. For example, a 1M
              uncompressed archive containing a single 1M inner file counts as
              2M toward max-scansize. You may pass the value in kilobytes in
              format xK or xk, or megabytes in format xM or xm, where x is a
              number. This option protects your system against DoS attacks
              (default: 100 MB, max: <4 GB).

       --max-files=#n
              Extract at most #n files from each scanned file (when this is an
              archive, a document or another kind of container). This option
              protects your system against DoS attacks (default: 10000).

       --max-recursion=#n
              Set archive recursion level limit. This option protects your
              system against DoS attacks (default: 17).

       --max-dir-recursion=#n
              Maximum depth directories are scanned at (default: 15).

       --max-embeddedpe=#n
              Maximum size of file to check for embedded PE. You may pass the
              value in kilobytes in format xK or xk, or megabytes in format xM
              or xm, where x is a number (default: 10 MB, max: <4 GB).

       --max-htmlnormalize=#n
              Maximum size of HTML file to normalize. You may pass the value
              in kilobytes in format xK or xk, or megabytes in format xM or
              xm, where x is a number (default: 10 MB, max: <4 GB).

       --max-htmlnotags=#n
              Maximum size of normalized HTML file to scan. You may pass the
              value in kilobytes in format xK or xk, or megabytes in format xM
              or xm, where x is a number (default: 2 MB, max: <4 GB).

       --max-scriptnormalize=#n
              Maximum size of script file to normalize. You may pass the value
              in kilobytes in format xK or xk, or megabytes in format xM or
              xm, where x is a number (default: 5 MB, max: <4 GB).

       --max-ziptypercg=#n
              Maximum size of zip to type reanalyze. You may pass the value in
              kilobytes in format xK or xk, or megabytes in format xM or xm,
              where x is a number (default: 1 MB, max: <4 GB).

       --max-partitions=#n
              This option sets the maximum number of partitions of a raw disk
              image to be scanned. This must be a positive integer (default:
              50).

       --max-iconspe=#n
              This option sets the maximum number of icons within a PE to be
              scanned. This must be a positive integer (default: 100).

       --max-rechwp3=#n
              This option sets the maximum recursive calls to HWP3 parsing
              function (default: 16).

       --pcre-match-limit=#n
              Maximum calls to the PCRE match function (default: 100000).

       --pcre-recmatch-limit=#n
              Maximum recursive calls to the PCRE match function (default:
              2000).

       --pcre-max-filesize=#n
              Maximum size of file on which to perform PCRE subsig matching
              (default: 25 MB, max: <4 GB).

       --disable-cache
              Disable caching and cache checks for hash sums of scanned files.

ENVIRONMENT VARIABLES

       clamscan uses the following environment variables:

       LD_LIBRARY_PATH - May be used on startup to find the libclamunrar_iface
       shared library module to enable RAR archive support.

EXAMPLES

       (0) Scan a single file:

              clamscan file

       (1) Scan the current working directory:

              clamscan

       (2) Scan all files (and subdirectories) in /home:

              clamscan -r /home

       (3) Load database from a file:

              clamscan -d /tmp/newclamdb -r /tmp

       (4) Scan a data stream:

              cat testfile | clamscan -

       (5) Scan a mail spool directory:

              clamscan -r /var/spool/mail

RETURN CODES

       0 : No virus found.

       1 : Virus(es) found.

       2 : Some error(s) occurred.
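
The three return codes matter most when clamscan gates something such as an upload directory: a wrapper that only tests for status 1 treats a failed scan (2) as clean. The shell function below is an added example, not part of the ClamAV manual; the names scan_gate and CLAMSCAN are hypothetical, and the limits it pins are the defaults listed under OPTIONS.

```sh
#!/bin/sh
# Added example (not from the ClamAV manual): fail-closed gate around clamscan.
# scan_gate and CLAMSCAN are hypothetical names; every option used is listed
# under OPTIONS, and the limit values are that page's documented defaults.

CLAMSCAN="${CLAMSCAN:-clamscan}"

# scan_gate TARGET QUARANTINE_DIR
#   returns 0  clean
#           1  detection(s); matching files were moved to QUARANTINE_DIR
#           2  scan did not complete, so TARGET must be treated as unscanned
scan_gate() {
    sg_target=$1
    sg_quarantine=$2

    if [ ! -e "$sg_target" ] || [ ! -d "$sg_quarantine" ] || [ ! -w "$sg_quarantine" ]; then
        echo "scan_gate: missing target or unwritable quarantine directory" >&2
        return 2
    fi

    # A relative name beginning with '-' would otherwise be parsed as an option.
    case $sg_target in
        /*) ;;
        *)  sg_target="./$sg_target" ;;
    esac

    # --alert-exceeds-max and --alert-encrypted turn content the scanner could
    # not inspect into a detection, so it is quarantined instead of passed.
    sg_rc=0
    "$CLAMSCAN" --recursive --infected --no-summary \
        --follow-dir-symlinks=0 --follow-file-symlinks=0 \
        --max-scantime=120000 --max-filesize=25M --max-scansize=100M \
        --max-files=10000 --max-recursion=17 \
        --alert-exceeds-max=yes --alert-encrypted=yes \
        --move="$sg_quarantine" "$sg_target" || sg_rc=$?

    case $sg_rc in
        0)  echo "clean: $sg_target"
            return 0 ;;
        1)  echo "infected: $sg_target (matches moved to $sg_quarantine)" >&2
            return 1 ;;
        *)  # 2 is the documented error code; a signal or crash lands here too.
            echo "error: clamscan exited $sg_rc, $sg_target is unscanned" >&2
            return 2 ;;
    esac
}
```

Call it as `scan_gate /srv/uploads /srv/quarantine` (both paths are placeholders) and release the files only when it returns 0.
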

CREDITS

       Please check the full documentation for credits.

AUTHOR

       Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>

SEE ALSO

       clamdscan(1), freshclam(1), freshclam.conf(5)

ClamAV 1.0.4                   December 4, 2013                    clamscan(1)