NAME

clamscan - scan files and directories for viruses  

SYNOPSIS

clamscan [options] [file/directory/-]  

DESCRIPTION

clamscan is a command line anti-virus scanner.  

OPTIONS

Most of the options are simple switches which enable or disable some features. Options marked with [=yes/no(*)] can be optionally followed by =yes/=no; if they get called without the boolean argument the scanner will assume 'yes'. The asterisk marks the default internal setting for a given option.

-h, --help

Print help information and exit.

-V, --version

Print version number and exit.

-v, --verbose

Be verbose.

--debug

Display debug messages from libclamav.

--quiet

Be quiet (only print error messages).

--stdout

Write all messages (except for libclamav output) to the standard output (stdout).

-d FILE/DIR, --database=FILE/DIR

Load virus database from FILE or load all virus database files from DIR.

--official-db-only=[yes/no(*)]

Only load the official signatures published by the ClamAV project.

-l FILE, --log=FILE

Save scan report to FILE.

--tempdir=DIRECTORY

Create temporary files in DIRECTORY. Directory must be writable for the 'clamav' user or unprivileged user running clamscan.

--leave-temps

Do not remove temporary files.

-f FILE, --file-list=FILE

Scan files listed line by line in FILE.

-r, --recursive

Scan directories recursively. All the subdirectories in the given directory will be scanned.

--cross-fs=[yes(*)/no]

Scan files and directories on other filesystems.

--bell

Sound bell on virus detection.

--no-summary

Do not display summary at the end of scanning.

--exclude=REGEX, --exclude-dir=REGEX

Don't scan file/directory names matching regular expression. These options can be used multiple times.

--include=REGEX, --include-dir=REGEX

Only scan file/directory matching regular expression. These options can be used multiple times.

-i, --infected

Only print infected files.

--remove[=yes/no(*)]

Remove infected files. Be careful.

--move=DIRECTORY

Move infected files into DIRECTORY. Directory must be writable for the 'clamav' user or unprivileged user running clamscan.

--copy=DIRECTORY

Copy infected files into DIRECTORY. Directory must be writable for the 'clamav' user or unprivileged user running clamscan.

--bytecode[=yes(*)/no]

With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, otherwise you may miss detections for many new viruses.

--bytecode-trust-all[=yes/no(*)]

This option disables safety checks and makes ClamAV trust all bytecode. It should only be used for debugging.

--bytecode-timeout=N

Set bytecode timeout in milliseconds (default: 60000 = 60s)

--detect-pua[=yes/no(*)]

Detect Possibly Unwanted Applications.

--exclude-pua=CATEGORY

Exclude a specific PUA category. This option can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA

--include-pua=CATEGORY

Only include a specific PUA category. This option can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA

--detect-structured[=yes/no(*)]

Use the DLP (Data Loss Prevention) module to detect SSN and Credit Card numbers inside documents/text files.

--structured-ssn-format=X

X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal); X=1: search for valid SSNs formatted as xxxyyzzzz (stripped); X=2: search for both formats. Default is 0.

--structured-ssn-count=#n

This option sets the lowest number of Social Security Numbers found in a file to generate a detect (default: 3).

--structured-cc-count=#n

This option sets the lowest number of Credit Card numbers found in a file to generate a detect (default: 3).

--scan-mail[=yes(*)/no]

Scan mail files.

--phishing-sigs[=yes(*)/no]

Use the signature-based phishing detection.

--phishing-scan-urls[=yes(*)/no]

Use the url-based heuristic phishing detection (Phishing.Heuristics.Email.*)

--heuristic-scan-precedence[=yes/no(*)]

Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.

--phishing-ssl[=yes/no(*)]

Block SSL mismatches in URLs (might lead to false positives!).

--phishing-cloak[=yes/no(*)]

Block cloaked URLs (might lead to some false positives).

--algorithmic-detection[=yes(*)/no]

In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection.

--scan-pe[=yes(*)/no]

PE stands for Portable Executable - it's an executable file format used in all 32-bit versions of Windows operating systems. By default ClamAV performs deeper analysis of executable files and attempts to decompress popular executable packers such as UPX, Petite, and FSG.

--scan-elf[=yes(*)/no]

Executable and Linking Format is a standard format for UN*X executables. This option controls the ELF support.

--scan-ole2[=yes(*)/no]

Scan Microsoft Office documents and .msi files.

--scan-pdf[=yes(*)/no]

Scan within PDF files.

--scan-html[=yes(*)/no]

Detect, normalize/decrypt and scan HTML files and embedded scripts.

--scan-archive[=yes(*)/no]

Scan archives supported by libclamav.

--detect-broken[=yes/no(*)]

Mark broken executables as viruses (Broken.Executable).

--block-encrypted[=yes/no(*)]

Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

--max-files=#n

Extract at most #n files from each scanned file (when this is an archive, a document or another kind of container). This option protects your system against DoS attacks (default: 10000)

--max-filesize=#n

Extract and scan at most #n kilobytes from each archive. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 25 MB, max: <4 GB)

--max-scansize=#n

Extract and scan at most #n kilobytes from each scanned file. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 100 MB, max: <4 GB)

--max-recursion=#n

Set archive recursion level limit. This option protects your system against DoS attacks (default: 16).

--max-dir-recursion=#n

Maximum depth directories are scanned at (default: 15).

EXAMPLES

(0) Scan a single file:

clamscan file

(1) Scan a current working directory:

clamscan

(2) Scan all files (and subdirectories) in /home:

clamscan -r /home

(3) Load database from a file:

clamscan -d /tmp/newclamdb -r /tmp

(4) Scan a data stream:

cat testfile | clamscan -

(5) Scan a mail spool directory:

clamscan -r /var/spool/mail

RETURN CODES

0 : No virus found.

1 : Virus(es) found.

2 : Some error(s) occured.

CREDITS

AUTHOR

Tomasz Kojm <tkojm@clamav.net>  

SEE ALSO

clamdscan(1), freshclam(1), freshclam.conf(5)

Index

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

EXAMPLES

RETURN CODES

CREDITS

AUTHOR

SEE ALSO