clamscan(1) Clam AntiVirus clamscan(1)
NAME
clamscan - scan files and directories for viruses
SYNOPSIS
clamscan [options] [file/directory/-]
DESCRIPTION
clamscan is a command line anti-virus scanner.
OPTIONS
-h, --help
Print help information and exit.
-V, --version
Print version number and exit.
-v, --verbose
Be verbose.
--debug
Display debug messages from libclamav.
--quiet
Be quiet (only print error messages).
--stdout
Write all messages (except for libclamav output) to the standard output (stdout).
-d FILE/DIR, --database=FILE/DIR
Load virus database from FILE or load all virus database files from DIR.
-l FILE, --log=FILE
Save scan report to FILE.
--tempdir=DIRECTORY
Create temporary files in DIRECTORY. Directory must be writable for the 'clamav'
user or unprivileged user running clamscan.
--leave-temps
Do not remove temporary files.
-r, --recursive
Scan directories recursively. All the subdirectories in the given directory will be
scanned.
--bell Sound bell on virus detection.
--no-summary
Do not display summary at the end of scanning.
--exclude=PATT, --exclude-dir=PATT
Don't scan file/directory names containing PATT. It may be used multiple times.
--include=PATT, --include-dir=PATT
Only scan file/directory names containing PATT. It may be used multiple times.
-i, --infected
Only print infected files.
--remove
Remove infected files. Be careful.
--move=DIRECTORY
Move infected files into DIRECTORY. Directory must be writable for the 'clamav'
user or unprivileged user running clamscan.
--copy=DIRECTORY
Copy infected files into DIRECTORY. Directory must be writable for the 'clamav'
user or unprivileged user running clamscan.
--detect-pua
Detect Possibly Unwanted Applications.
--exclude-pua=CATEGORY
Exclude a specific PUA category. This option can be used multiple times. See
http://www.clamav.net/support/pua for the complete list of PUA
--include-pua=CATEGORY
Only include a specific PUA category. This option can be used multiple times. See
http://www.clamav.net/support/pua for the complete list of PUA
--detect-structured
Enable the DLP (Data Loss Prevention) module which provides detection of SSN and
Credit Card numbers.
--structured-ssn-format=X
X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal); X=1: search for valid
SSNs formatted as xxxyyzzzz (stripped); X=2: search for both formats. Default is 0.
--structured-ssn-count=#n
This option sets the lowest number of Social Security Numbers found in a file to
generate a detect (default: 3).
--structured-cc-count=#n
This option sets the lowest number of Credit Card numbers found in a file to gener-
ate a detect (default: 3).
--no-mail
Disable scanning of mail files.
--no-phishing-sigs
Disable signature-based phishing detection.
--no-phishing-scan-urls
Disable url-based heuristic phishing detection. This disables Phishing.Heuris-
tics.Email.*
--heuristic-scan-precedence
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such
as phishingScan) detects a possible virus/phish it will stop scan immediately. Rec-
ommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic
scans will be reported only at the end of a scan. If an archive contains both a
heuristically detected virus/phish, and a real malware, the real malware will be
reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses dif-
ferently from "real" malware. If a non-heuristically-detected virus (signature-
based) is found first, the scan is interrupted immediately, regardless of this
config option.
--phishing-ssl
Always block SSL mismatches in URLs (might lead to false positives!).
--phishing-cloak
Always block cloaked URLs (might lead to some false positives).
--no-algorithmic
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV
uses special algorithms to provide accurate detection. This option disables the
algorithmic detection.
--no-pe
PE stands for Portable Executable - it's an executable file format used in all
32-bit versions of Windows operating systems. By default ClamAV performs deeper
analysis of executable files and attempts to decompress popular executable packers
such as UPX, Petite, and FSG. This option disables PE support and should be used
with care!
--no-elf
Executable and Linking Format is a standard format for UN*X executables. This
option disables ELF support.
--no-ole2
Disable support for Microsoft Office documents and .msi files.
--no-pdf
Disable scanning within PDF files.
--no-html
Disable support for HTML detection and normalisation.
--no-archive
Disable archive support built in libclamav.
--detect-broken
Mark broken executables as viruses (Broken.Executable).
--block-encrypted
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
--mail-follow-urls
If an email contains URLs ClamAV can download and scan them. WARNING: This option
may open your system to a DoS attack. Never use it on loaded servers.
--max-files=#n
Extract at most #n files from each scanned file (when this is an archive, a docu-
ment or another kind of container). This option protects your system against DoS
attacks (default: 10000)
--max-filesize=#n
Extract and scan at most #n kilobytes from each archive. You may pass the value in
megabytes in format xM or xm, where x is a number. This option protects your system
against DoS attacks (default: 25 MB)
--max-scansize=#n
Extract and scan at most #n kilobytes from each scanned file. You may pass the
value in megabytes in format xM or xm, where x is a number. This option protects
your system against DoS attacks (default: 100 MB)
--max-recursion=#n
Set archive recursion level limit. This option protects your system against DoS
attacks (default: 16).
--max-dir-recursion=#n
Maximum depth directories are scanned at (default: 15).
EXAMPLES
(0) Scan a single file:
clamscan file
(1) Scan a current working directory:
clamscan
(2) Scan all files (and subdirectories) in /home:
clamscan -r /home
(3) Load database from a file:
clamscan -d /tmp/newclamdb -r /tmp
(4) Scan a data stream:
cat testfile | clamscan -
(5) Scan a mail spool directory:
clamscan -r /var/spool/mail
RETURN CODES
Note: some return codes may only appear in a single file mode (when clamscan is started
with a single argument). Those are marked with (ofm).
0 : No virus found.
1 : Virus(es) found.
40: Unknown option passed.
50: Database initialization error.
52: Not supported file type.
53: Can't open directory.
54: Can't open file. (ofm)
55: Error reading file. (ofm)
56: Can't stat input file / directory.
57: Can't get absolute path name of current working directory.
58: I/O error, please check your file system.
62: Can't initialize logger.
63: Can't create temporary files/directories (check permissions).
64: Can't write to temporary directory (please specify another one).
70: Can't allocate memory (calloc).
71: Can't allocate memory (malloc).
CREDITS
Please check the full documentation for credits.
AUTHOR
Tomasz Kojm <>
SEE ALSO
clamdscan(1), freshclam(1)
ClamAV 0.94.2 February 12, 2007 clamscan(1)
|