FreeBSD Manual Pages

home | help
clamscan(1)			Clam AntiVirus			   clamscan(1)

NAME
       clamscan	- scan files and directories for viruses

SYNOPSIS
       clamscan	[options] [file/directory/-]

DESCRIPTION
       clamscan	is a command line anti-virus scanner.

OPTIONS
       Most  of	 the  options are simple switches which	enable or disable some
       features. Options marked	with [=yes/no(*)] can be  optionally  followed
       by  =yes/=no; if	they get called	without	the boolean argument the scan-
       ner will	assume 'yes'. The asterisk marks the default internal  setting
       for a given option.

       -h, --help
	      Print help information and exit.

       -V, --version
	      Print version number and exit.

       -v, --verbose
	      Be verbose.

       -a, --archive-verbose
	      Show filenames inside scanned archives

       --debug
	      Display debug messages from libclamav.

       --quiet
	      Be quiet (only print error messages).

       --stdout
	      Write all	messages (except for libclamav output) to the standard
	      output (stdout).

       --no-summary
	      Do not display summary at	the end	of scanning.

       -i, --infected
	      Only print infected files.

       -o, --suppress-ok-results
	      Skip printing OK files

       --bell Sound bell on virus detection.

       --tempdir=DIRECTORY
	      Create  temporary	files in DIRECTORY. Directory must be writable
	      for the 'clamav' user or unprivileged user running clamscan.

       --leave-temps
	      Do not remove temporary files.

       --gen-json
	      Generate JSON description	 of  scanned  file(s).	JSON  will  be
	      printed  and also	dropped	to the temp directory if --leave-temps
	      is enabled.

       -d FILE/DIR, --database=FILE/DIR
	      Load virus database from FILE or load all	virus  database	 files
	      from DIR.

       --official-db-only=[yes/no(*)]
	      Only  load  the  official	 signatures  published	by  the	ClamAV
	      project.

       -l FILE,	--log=FILE
	      Save scan	report to FILE.

       -r, --recursive
	      Scan directories recursively.  All  the  subdirectories  in  the
	      given directory will be scanned.

       -z, --allmatch
	      After  a match, continue scanning	within the file	for additional
	      matches.

       --cross-fs=[yes(*)/no]
	      Scan files and directories on other filesystems.

       --follow-dir-symlinks=[0/1(*)/2]
	      Follow directory symlinks. There are 3 options: 0	- never	follow
	      directory	symlinks, 1 (default) -	 only  follow  directory  sym-
	      links, which are passed as direct	arguments to clamscan. 2 - al-
	      ways follow directory symlinks.

       --follow-file-symlinks=[0/1(*)/2]
	      Follow file symlinks. There are 3	options: 0 - never follow file
	      symlinks,	 1  (default)  -  only follow file symlinks, which are
	      passed as	direct arguments to clamscan. 2	- always  follow  file
	      symlinks.

       -f FILE,	--file-list=FILE
	      Scan files listed	line by	line in	FILE.

       --remove[=yes/no(*)]
	      Remove infected files. Be	careful!

       --move=DIRECTORY
	      Move  infected  files into DIRECTORY. Directory must be writable
	      for the 'clamav' user or unprivileged user running clamscan.

       --copy=DIRECTORY
	      Copy infected files into DIRECTORY. Directory must  be  writable
	      for the 'clamav' user or unprivileged user running clamscan.

       --exclude=REGEX,	--exclude-dir=REGEX
	      Don't  scan  file/directory  names  matching regular expression.
	      These options can	be used	multiple times.

       --include=REGEX,	--include-dir=REGEX
	      Only scan	file/directory matching	regular	expression. These  op-
	      tions can	be used	multiple times.

       --bytecode[=yes(*)/no]
	      With  this  option  enabled  ClamAV  will	load bytecode from the
	      database.	It is highly recommended you keep this	option	turned
	      on, otherwise you	may miss detections for	many new viruses.

       --bytecode-unsigned[=yes/no(*)]
	      Allow  loading  bytecode	from  outside digitally	signed .c[lv]d
	      files. **Caution**: You should  NEVER  run  bytecode  signatures
	      from  untrusted  sources.	 Doing so may result in	arbitrary code
	      execution.

       --bytecode-timeout=N
	      Set bytecode timeout in milliseconds (default: 10000 = 10s)

       --statistics[=none(*)/bytecode/pcre]
	      Collect and print	execution statistics.

       --detect-pua[=yes/no(*)]
	      Detect Possibly Unwanted Applications.

       --exclude-pua=CATEGORY
	      Exclude a	specific PUA category. This option can be used	multi-
	      ple  times. See https://docs.clamav.net/faq/faq-pua.html for the
	      complete list of PUA

       --include-pua=CATEGORY
	      Only include a specific PUA category. This option	 can  be  used
	      multiple times. See https://docs.clamav.net/faq/faq-pua.html for
	      the complete list	of PUA

       --detect-structured[=yes/no(*)]
	      Use  the	DLP  (Data  Loss  Prevention) module to	detect SSN and
	      Credit Card numbers inside documents/text	files.

       --structured-ssn-format=X
	      X=0: search for valid SSNs formatted  as	xxx-yy-zzzz  (normal);
	      X=1:  search  for	 valid SSNs formatted as xxxyyzzzz (stripped);
	      X=2: search for both formats. Default is 0.

       --structured-ssn-count=#n
	      This option sets the lowest number of  Social  Security  Numbers
	      found in a file to generate a detect (default: 3).

       --structured-cc-count=#n
	      This  option sets	the lowest number of Credit Card numbers found
	      in a file	to generate a detect (default: 3).

       --scan-mail[=yes(*)/no]
	      Scan mail	files. If you turn off this option, the	original files
	      will still be  scanned,  but  without  parsing  individual  mes-
	      sages/attachments.

       --phishing-sigs[=yes(*)/no]
	      Enable email signature-based phishing detection.

       --phishing-scan-urls[=yes(*)/no]
	      Enable URL signature-based phishing detection (Heuristics.Phish-
	      ing.Email.*)

       --heuristic-alerts[=yes(*)/no]
	      In  some	cases (eg. complex malware, exploits in	graphic	files,
	      and others), ClamAV uses special algorithms to provide  accurate
	      detection.  This	option	can be used to control the algorithmic
	      detection.

       --heuristic-scan-precedence[=yes/no(*)]
	      Allow heuristic match to take precedence.	 When  enabled,	 if  a
	      heuristic	  scan	(such  as  phishingScan)  detects  a  possible
	      virus/phish it will stop scan  immediately.  Recommended,	 saves
	      CPU  scan-time. When disabled, virus/phish detected by heuristic
	      scans will be reported only at the end of	a scan.	If an  archive
	      contains	both a heuristically detected  virus/phish, and	a real
	      malware, the real	malware	will be	reported Keep this disabled if
	      you intend to handle "Heuristics.*"  viruses   differently  from
	      "real"  malware.	If  a non-heuristically-detected virus (signa-
	      ture-based) is found first,  the	scan  is  interrupted  immedi-
	      ately, regardless	of this	config option.

       --normalize[=yes(*)/no]
	      Normalize	 (compress  whitespace,	 downcase, etc.) html, script,
	      and text files. Use normalize=no for yara	compatibility.

       --scan-pe[=yes(*)/no]
	      PE stands	for Portable Executable	- it's an executable file for-
	      mat used in all 32-bit versions of Windows operating systems. By
	      default ClamAV performs deeper analysis of executable files  and
	      attempts	to  decompress popular executable packers such as UPX,
	      Petite, and FSG. If you turn off this option, the	original files
	      will still be scanned but	without	additional processing.

       --scan-elf[=yes(*)/no]
	      Executable and Linking Format is a standard format for UN*X exe-
	      cutables.	This option controls the ELF support. If you  turn  it
	      off,  the	original files will still be scanned but without addi-
	      tional processing.

       --scan-ole2[=yes(*)/no]
	      Scan Microsoft Office documents and .msi files. If you turn  off
	      this  option, the	original files will still be scanned but with-
	      out additional processing.

       --scan-pdf[=yes(*)/no]
	      Scan within PDF files. If	you turn off this option, the original
	      files will still be scanned, but without decoding	and additional
	      processing.

       --scan-swf[=yes(*)/no]
	      Scan SWF files. If you turn off this option, the original	 files
	      will still be scanned but	without	additional processing.

       --scan-html[=yes(*)/no]
	      Detect,  normalize/decrypt  and  scan  HTML  files  and embedded
	      scripts. If you turn off this option, the	 original  files  will
	      still be scanned,	but without additional processing.

       --scan-xmldocs[=yes(*)/no]
	      Scan  xml-based  document	 files	supported by libclamav.	If you
	      turn off this option, the	original files will still be  scanned,
	      but without additional processing.

       --scan-hwp3[=yes(*)/no]
	      Scan HWP3	files. If you turn off this option, the	original files
	      will still be scanned, but without additional processing.

       --scan-archive[=yes(*)/no]
	      Scan  archives  supported	by libclamav. If you turn off this op-
	      tion, the	original files will still be scanned, but without  un-
	      packing and additional processing.

       --alert-broken[=yes/no(*)]
	      Alert on broken executable files (PE & ELF).

       --alert-encrypted[=yes/no(*)]
	      Alert  on	 encrypted  archives  and  documents  (encrypted .zip,
	      .7zip, .rar, .pdf).

       --alert-encrypted-archive[=yes/no(*)]
	      Alert on encrypted archives (encrypted .zip, .7zip, .rar,	.pdf).

       --alert-encrypted-doc[=yes/no(*)]
	      Alert on	encrypted  documents  (encrypted  .zip,	 .7zip,	 .rar,
	      .pdf).

       --alert-macros[=yes/no(*)]
	      Alert  on	OLE2 files containing VBA macros (Heuristics.OLE2.Con-
	      tainsMacros).

       --alert-exceeds-max[=yes/no(*)]
	      Alert on files that exceed max file size,	max scan size, or  max
	      recursion	limit (Heuristics.Limits.Exceeded).

       --alert-phishing-ssl[=yes/no(*)]
	      Alert on emails containing SSL mismatches	in URLs	(might lead to
	      false positives!).

       --alert-phishing-cloak[=yes/no(*)]
	      Alert  on	 emails	 containing  cloaked  URLs (might lead to some
	      false positives).

       --alert-partition-intersection[=yes/no(*)]
	      Detect partition intersections in	raw disk images	using  heuris-
	      tics.

       --nocerts
	      Disable authenticode certificate chain verification in PE	files.

       --dumpcerts
	      Dump authenticode	certificate chain in PE	files.

       --max-scantime=#n
	      The  maximum time	to scan	before giving up. The value is in mil-
	      liseconds. The value of 0	disables the limit. This  option  pro-
	      tects your system	against	DoS attacks (default: 120000 = 120s or
	      2min)

       --max-filesize=#n
	      Extract  and  scan  at  most #n bytes from each archive. You may
	      pass the value in	kilobytes in format xK or xk, or megabytes  in
	      format  xM or xm,	where x	is a number. This option protects your
	      system against DoS attacks (default: 25 MB, max: <4 GB)

       --max-scansize=#n
	      Extract and scan at most #n bytes	from each  archive.  The  size
	      the  archive  plus  the  sum  of	the  sizes of all files	within
	      archive count toward the scan size. For  example,	 a  1M	uncom-
	      pressed  archive	containing a single 1M inner file counts as 2M
	      toward max-scansize. You may pass	the value in kilobytes in for-
	      mat xK or	xk, or megabytes in format xM or xm, where x is	a num-
	      ber. This	option protects	your system against DoS	 attacks  (de-
	      fault: 100 MB, max: <4 GB)

       --max-files=#n
	      Extract at most #n files from each scanned file (when this is an
	      archive,	a  document or another kind of container). This	option
	      protects your system against DoS attacks (default: 10000)

       --max-recursion=#n
	      Set archive recursion level limit.  This	option	protects  your
	      system against DoS attacks (default: 17).

       --max-dir-recursion=#n
	      Maximum depth directories	are scanned at (default: 15).

       --max-embeddedpe=#n
	      Maximum  size  file  to  check for embedded PE. You may pass the
	      value in kilobytes in format xK or xk, or	megabytes in format xM
	      or xm, where x is	a number (default: 10 MB, max: <4 GB).

       --max-htmlnormalize=#n
	      Maximum size of HTML file	to normalize. You may pass  the	 value
	      in  kilobytes  in	 format	xK or xk, or megabytes in format xM or
	      xm, where	x is a number (default:	10 MB, max: <4 GB).

       --max-htmlnotags=#n
	      Maximum size of normalized HTML file to scan. You	may  pass  the
	      value in kilobytes in format xK or xk, or	megabytes in format xM
	      or xm, where x is	a number (default: 2 MB, max: <4 GB).

       --max-scriptnormalize=#n
	      Maximum size of script file to normalize.	You may	pass the value
	      in  kilobytes  in	 format	xK or xk, or megabytes in format xM or
	      xm, where	x is a number (default:	5 MB, max: <4 GB).

       --max-ziptypercg=#n
	      Maximum size zip to type reanalyze. You may pass	the  value  in
	      kilobytes	 in  format xK or xk, or megabytes in format xM	or xm,
	      where x is a number (default: 1 MB, max: <4 GB).

       --max-partitions=#n
	      This option sets the maximum number of partitions	of a raw  disk
	      image  to	 be scanned. This must be a positive integer (default:
	      50).

       --max-iconspe=#n
	      This option sets the maximum number of icons within a PE	to  be
	      scanned. This must be a positive integer (default: 100).

       --max-rechwp3=#n
	      This  option  sets  the  maximum recursive calls to HWP3 parsing
	      function (default: 16).

       --pcre-match-limit=#n
	      Maximum calls to the PCRE	match function (default: 100000).

       --pcre-recmatch-limit=#n
	      Maximum recursive	calls to the  PCRE  match  function  (default:
	      2000).

       --pcre-max-filesize=#n
	      Maximum  size  file to perform PCRE subsig matching (default: 25
	      MB, max: <4 GB).

       --disable-cache
	      Disable caching and cache	checks for hash	sums of	scanned	files.

ENVIRONMENT VARIABLES
       clamscan	uses the following environment variables:

       LD_LIBRARY_PATH - May be	used on	startup	to find	the libclamunrar_iface
       shared library module to	enable RAR archive support.

EXAMPLES
       (0) Scan	a single file:

	      clamscan file

       (1) Scan	a current working directory:

	      clamscan

       (2) Scan	all files (and subdirectories) in /home:

	      clamscan -r /home

       (3) Load	database from a	file:

	      clamscan -d /tmp/newclamdb -r /tmp

       (4) Scan	a data stream:

	      cat testfile | clamscan -

       (5) Scan	a mail spool directory:

	      clamscan -r /var/spool/mail

RETURN CODES
       0 : No virus found.

       1 : Virus(es) found.

       2 : Some	error(s) occurred.

CREDITS
       Please check the	full documentation for credits.

AUTHOR
       Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>

SEE ALSO
       clamdscan(1), freshclam(1), freshclam.conf(5)

ClamAV 1.0.8		       December	4, 2013			   clamscan(1)
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=clamscan&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>
home | help
Header And Logo

Peripheral Links

Site Navigation

FreeBSD Manual Pages

Header And Logo

Peripheral Links

Search

Site Navigation

FreeBSD Manual Pages
