Linux Commands Examples

A great documentation place for Linux commands

clamscan

scan files and directories for viruses


see also : freshclam

Synopsis

clamscan [options] [file/directory/-]


add an example, a script, a trick and tips

: email address (won't be displayed)
: name

Step 2

Thanks for this example ! - It will be moderated and published shortly.

Feel free to post other examples
Oops ! There is a tiny cockup. A damn 404 cockup. Please contact the loosy team who maintains and develops this wonderful site by clicking in the mighty feedback button on the side of the page. Say what happened. Thanks!

examples

0

(0) Scan a single file:

clamscan file

(1) Scan a current working directory:

clamscan

(2) Scan all files (and subdirectories) in /home:

clamscan -r /home

(3) Load database from a file:

clamscan -d /tmp/newclamdb -r /tmp

(4) Scan a data stream:

cat testfile | clamscan -

(5) Scan a mail spool directory:

clamscan -r /var/spool/mail


description

clamscan is a command line anti-virus scanner.

options

Most of the options are simple switches which enable or disable some features. Options marked with [=yes/no(*)] can be optionally followed by =yes/=no; if they get called without the boolean argument the scanner will assume ’yes’. The asterisk marks the default internal setting for a given option.
-h, --help

Print help information and exit.

-V, --version

Print version number and exit.

-v, --verbose

Be verbose.

--debug

Display debug messages from libclamav.

--quiet

Be quiet (only print error messages).

--stdout

Write all messages (except for libclamav output) to the standard output (stdout).

-d FILE/DIR, --database=FILE/DIR

Load virus database from FILE or load all virus database files from DIR.

--official-db-only=[yes/no(*)]

Only load the official signatures published by the ClamAV project.

-l FILE, --log=FILE

Save scan report to FILE.

--tempdir=DIRECTORY

Create temporary files in DIRECTORY. Directory must be writable for the ’’ user or unprivileged user running clamscan.

--leave-temps

Do not remove temporary files.

-f FILE, --file-list=FILE

Scan files listed line by line in FILE.

-r, --recursive

Scan directories recursively. All the subdirectories in the given directory will be scanned.

--cross-fs=[yes(*)/no]

Scan files and directories on other filesystems.

--follow-dir-symlinks=[0/1(*)/2]

Follow directory symlinks. There are 3 options: 0 - never follow directory symlinks, 1 (default) - only follow directory symlinks, which are passed as direct arguments to clamscan. 2 - always follow directory symlinks.

--follow-file-symlinks=[0/1(*)/2]

Follow file symlinks. There are 3 options: 0 - never follow file symlinks, 1 (default) - only follow file symlinks, which are passed as direct arguments to clamscan. 2 - always follow file symlinks.

--bell

Sound bell on virus detection.

--no-summary

Do not display summary at the end of scanning.

--exclude=REGEX, --exclude-dir=REGEX

Don’t scan file/directory names matching regular expression. These options can be used multiple times.

--include=REGEX, --include-dir=REGEX

Only scan file/directory matching regular expression. These options can be used multiple times.

-i, --infected

Only print infected files.

--remove[=yes/no(*)]

Remove infected files. Be careful.

--move=DIRECTORY

Move infected files into DIRECTORY. Directory must be writable for the ’’ user or unprivileged user running clamscan.

--copy=DIRECTORY

Copy infected files into DIRECTORY. Directory must be writable for the ’’ user or unprivileged user running clamscan.

--bytecode[=yes(*)/no]

With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, otherwise you may miss detections for many new viruses.

--bytecode-unsigned[=yes/no(*)]

Allow loading bytecode from outside digitally signed .c[lv]d files.

--bytecode-timeout=N

Set bytecode timeout in milliseconds (default: 60000 = 60s)

--detect-pua[=yes/no(*)]

Detect Possibly Unwanted Applications.

--exclude-pua=CATEGORY

Exclude a specific PUA category. This option can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA

--include-pua=CATEGORY

Only include a specific PUA category. This option can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA

--detect-structured[=yes/no(*)]

Use the DLP (Data Loss Prevention) module to detect SSN and Credit Card numbers inside documents/text files.

--structured-ssn-format=X

X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal); X=1: search for valid SSNs formatted as xxxyyzzzz (stripped); X=2: search for both formats. Default is 0.

--structured-ssn-count=#n

This option sets the lowest number of Social Security Numbers found in a file to generate a detect (default: 3).

--structured-cc-count=#n

This option sets the lowest number of Credit Card numbers found in a file to generate a detect (default: 3).

--scan-mail[=yes(*)/no]

Scan mail files. If you turn off this option, the original files will still be scanned, but without parsing individual messages/attachments.

--phishing-sigs[=yes(*)/no]

Use the signature-based phishing detection.

--phishing-scan-urls[=yes(*)/no]

Use the url-based heuristic phishing detection (Phishing.Heuristics.Email.*)

--heuristic-scan-precedence[=yes/no(*)]

Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.

--phishing-ssl[=yes/no(*)]

Block SSL mismatches in URLs (might lead to false positives!).

--phishing-cloak[=yes/no(*)]

Block cloaked URLs (might lead to some false positives).

--algorithmic-detection[=yes(*)/no]

In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection.

--scan-pe[=yes(*)/no]

PE stands for Portable Executable - it’s an executable file format used in all 32-bit versions of Windows operating systems. By default ClamAV performs deeper analysis of executable files and attempts to decompress popular executable packers such as UPX, Petite, and FSG. If you turn off this option, the original files will still be scanned but without additional processing.

--scan-elf[=yes(*)/no]

Executable and Linking Format is a standard format for UN*X executables. This option controls the ELF support. If you turn it off, the original files will still be scanned but without additional processing.

--scan-ole2[=yes(*)/no]

Scan Microsoft Office documents and .msi files. If you turn off this option, the original files will still be scanned but without additional processing.

--scan-pdf[=yes(*)/no]

Scan within PDF files. If you turn off this option, the original files will still be scanned, but without decoding and additional processing.

--scan-html[=yes(*)/no]

Detect, normalize/decrypt and scan HTML files and embedded scripts. If you turn off this option, the original files will still be scanned, but without additional processing.

--scan-archive[=yes(*)/no]

Scan archives supported by libclamav. If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.

--detect-broken[=yes/no(*)]

Mark broken executables as viruses (Broken.Executable).

--block-encrypted[=yes/no(*)]

Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

--max-files=#n

Extract at most #n files from each scanned file (when this is an archive, a document or another kind of container). This option protects your system against DoS attacks (default: 10000)

--max-filesize=#n

Extract and scan at most #n kilobytes from each archive. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 25 MB, max: <4 GB)

--max-scansize=#n

Extract and scan at most #n kilobytes from each scanned file. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 100 MB, max: <4 GB)

--max-recursion=#n

Set archive recursion level limit. This option protects your system against DoS attacks (default: 16).

--max-dir-recursion=#n

Maximum depth directories are scanned at (default: 15).

credits

Please check the full documentation for credits.

return codes

0 : No virus found.
1 : Virus(es) found.
2 : Some error(s) occured.


see also

clamdscan, freshclam , freshclam.conf


author

Tomasz Kojm <tkojm[:at:]clamav[:dot:]net>

How can this site be more helpful to YOU ?


give  feedback