clamav

Scan files and directories for viruses

TLDR

View documentation for scanning files using the clamd daemon

$ tldr clamdscan

View documentation for scanning files without the clamd daemon running
$ tldr clamscan

View documentation for updating the virus definitions
$ tldr freshclam

SYNOPSIS

clamscan [options] [files|directories|-]

PARAMETERS

-V, --version
    Print version information and exit

--help
    Show help and exit

-d, --dir=DIR
    Load freshclam database from specified directory

--database=...
    Load database(s) from specified files/directories

-r, --recursive
    Scan directories recursively

--bell
    Bell on infected file found

--no-summary
    Disable summary at end of scanning

-i, --infected
    Show only infected files and functional info

--exclude-dir=...
    Exclude directory from scanning

--max-filesize=N
    Do not scan files exceeding size limit (N=number with unit: b,B,k,K,M,G,T)

--max-scansize=N
    Do not scan files larger than N bytes even if --max-filesize exceeded

--max-filecount=N
    Do not scan more than N files

--max-recursion=N
    Limit recursion level to N

-c, --countchildren
    Count children while scanning

--detect-pua[=yes/no]
    Detect potentially unwanted applications

--scan-archive=...
    Control archive scanning

--leave-temps
    Do not remove temporary files

--stdout
    Write to stdout instead of stderr

--quiet
    Be quiet, output only error messages

--verbose
    More verbose output

--debug
    Debug messages

--tempdir=DIR
    Create temporary files in directory DIR

--config-file=FILE
    Configuration file

--log=FILE
    Log scan results to FILE

--move=DIR
    Move infected files to DIR

--copy=DIR
    Copy infected files to DIR

--quarantine=DIR
    Move infected files to DIR

--remove
    Remove infected files. Be careful!

--no-warnings
    Don't show warnings

--archive
    Scan inside archives

DESCRIPTION

Clamscan is the command-line interface scanner from the ClamAV project, an open-source antivirus engine designed for detecting trojans, viruses, malware, and other malicious threats. It scans files, directories, or stdin for threats using ClamAV's signature-based detection database, which includes millions of signatures for known malware.

Primarily used on Unix-like systems, clamscan supports on-access scanning, email attachment checks, and integration with mail servers. It performs thorough byte-level scanning and heuristic analysis for unknown threats. While standalone, it's slower for large-scale use compared to the clamd daemon; for production, pair with freshclam for signature updates and clamdscan for faster scanning.

Key strengths include cross-platform support, regular updates from Cisco Talos, and community-driven signatures. It's lightweight, with no GUI, making it ideal for servers and scripts. Output includes infected files, summaries, and optional actions like quarantine or removal.

CAVEATS

Clamscan is single-threaded and memory-intensive for large scans; use clamdscan with the clamd daemon for better performance. It requires freshclam updates for current signatures. False positives are possible, so review the logs. It does not scan in real time and must be invoked manually.

EXIT CODES

0: clean; 1: virus found; 2: error; 50: error code 50; 52: error code 52
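
A wrapper that acts on these exit codes, added here as an example and not taken from the ClamAV documentation. The names CLAMSCAN, scan_tree and infected_paths are this example's own, and it assumes clamscan's usual "PATH: SIGNATURE FOUND" report lines.

```bash
#!/usr/bin/env bash
# Added example: act on clamscan's exit status instead of only reading its output.
# CLAMSCAN, scan_tree and infected_paths are names chosen for this example.
CLAMSCAN="${CLAMSCAN:-clamscan}"

# Read a clamscan report on stdin and print the path from each
# "PATH: SIGNATURE FOUND" line (lines such as "moved to" are skipped).
infected_paths() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p'
}

# scan_tree DIR [QUARANTINE_DIR]
# Returns 0 = clean, 1 = detections (paths on stdout), 2 = scan did not complete.
scan_tree() {
    local target="$1" quarantine="${2:-}" report status=0
    set -- --recursive --infected --no-summary --stdout
    if [ -n "$quarantine" ]; then
        # Keep quarantined samples readable by the scanning user only.
        mkdir -p "$quarantine" && chmod 700 "$quarantine" || return 2
        set -- "$@" "--move=$quarantine"
    fi
    report=$("$CLAMSCAN" "$@" "$target") || status=$?
    case "$status" in
        0) return 0 ;;
        1) printf '%s\n' "$report" | infected_paths
           return 1 ;;
        *) # Fail closed: an error (2, 50, 52, ...) is not a clean result.
           echo "clamscan exit code $status: treat $target as unscanned" >&2
           return 2 ;;
    esac
}

# Run only when arguments are given, e.g.: ./scan.sh /srv/uploads /var/quarantine
[ "$#" -eq 0 ] || scan_tree "$@"
```

A cron job or upload hook can branch on the wrapper's return value, so a scanner error is never mistaken for a clean result.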

PERFORMANCE TIPS

Use --multiscan-engine for parallel scanning if compiled with support. Update databases daily with freshclam.

HISTORY

ClamAV originated in 2002 by Tomasz Bytowski as an open-source antivirus for Unix. Acquired by Sourcefire (2007), then Cisco (2013). Clamscan has evolved with multi-engine support, YARA integration, and improved heuristics. Actively maintained by Cisco Talos Intelligence Group.

SEE ALSO

freshclam(1), clamdscan(1), clamd(8), sigtool(1), clamconf(1)