clamav
Scan files and directories for viruses
TLDR
View documentation for scanning files using the clamd daemon
View documentation for scanning files without the clamd daemon running
View documentation for updating the virus definitions
SYNOPSIS
clamscan [OPTIONS] [FILE/DIRECTORY]
PARAMETERS
-r, --recursive
Scan directories recursively.
-i, --infected
Only print infected files. Suppresses output for clean files.
--remove
Remove infected files. Use with extreme caution as this irrevocably deletes files.
--move=DIRECTORY
Move infected files to the specified directory.
--copy=DIRECTORY
Copy infected files to the specified directory.
--log=FILE
Log scan results to the specified file.
--stdout
Print scan results to standard output.
--bell
Ring the bell on virus detection.
-v, --verbose
Be verbose during scanning, showing more details.
--exclude=REGEX
Exclude files or directories matching the regular expression.
--include=REGEX
Only include files or directories matching the regular expression.
--database=FILE/DIR
Load virus definitions from the specified file or directory instead of the default location.
-V, --version
Print the ClamAV version number and exit.
DESCRIPTION
ClamAV is an open-source antivirus engine designed to detect trojans, viruses, malware, and other malicious threats. There is no single executable named "clamav" that covers every function; the suite provides several commands, each for a specific task.
The primary command for on-demand scanning is clamscan, which allows users to scan files or directories for known threats. It's widely used for email gateway scanning, file server protection, and as a standalone scanning tool on Linux/Unix systems.
Key components of the ClamAV suite include:
clamscan: The command-line utility for scanning files and directories.
freshclam: A tool for updating the virus definitions database, crucial for effective threat detection.
clamd: A multi-threaded daemon that provides a high-performance scanning service, typically used for real-time scanning in conjunction with other applications like email servers or web proxies.
ClamAV relies on a continuously updated database of virus signatures, which is downloaded via freshclam. It's a versatile solution for adding an extra layer of security to Linux environments.
CAVEATS
ClamAV, and clamscan in particular, performs on-demand scanning; it is not an on-access (real-time) scanner in the sense of a desktop antivirus program. For continuous protection it must be integrated with other system components or used through the clamd daemon.
The effectiveness of ClamAV relies heavily on its virus definitions being up-to-date. Neglecting to run freshclam regularly will significantly reduce its detection capabilities.
Using the --remove option can lead to data loss if legitimate files are incorrectly identified as threats (false positives). Always exercise extreme caution or use the --move or --copy options instead.
USAGE EXAMPLES
Here are some common ways to use clamscan:
Scan a single file:
clamscan /path/to/my_file.txt
Scan a directory recursively and only show infected files:
clamscan -r -i /home/user/downloads
Scan a directory and move infected files to a quarantine folder:
clamscan -r --move=/var/quarantine /var/www/html
Update virus definitions (using freshclam):
freshclam
It's common to schedule freshclam to run periodically via a cron job so that the definitions stay current.
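As an added example (not part of this page or of the ClamAV project), the following script wraps the quarantining scan shown above and parses the log it leaves behind, so a cron job can report what was moved. The quarantine directory, log path, and the sample log contents are constructed assumptions; the exit-code mapping is clamscan's documented one (0 clean, 1 infected, 2 error).

```shell
#!/bin/sh
# Added example, not part of the clamav page: wrap the --move scan the page
# recommends and parse the clamscan log. Paths and the sample log are assumed.

QUARANTINE_DIR="${QUARANTINE_DIR:-/var/quarantine}"      # assumed path
SCAN_LOG="${SCAN_LOG:-/var/log/clamscan-weekly.log}"     # assumed path

# Compose the scan: recursive, infected-only output, quarantine by --move
# (not --remove), and --log so the result can be reviewed afterwards.
build_scan_cmd() {
    printf 'clamscan -r -i --move=%s --log=%s %s\n' \
        "$QUARANTINE_DIR" "$SCAN_LOG" "$1"
}

# clamscan exits 0 when nothing was found, 1 when something was, 2 on error.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Detection lines look like "/path/file: Signature-Name FOUND"; emit
# "path<TAB>signature" for each one. "moved to" and summary lines are skipped.
infected_from_log() {
    awk '/ FOUND$/ { sig = $(NF-1); sub(/: [^:]* FOUND$/, ""); print $0 "\t" sig }'
}

# Count detections directly instead of trusting the summary block.
detection_count() {
    awk '/ FOUND$/ { n++ } END { print n + 0 }'
}

# Constructed sample of what the log holds after a --move scan (illustrative
# paths and signature names, not captured from a real system).
SAMPLE_LOG=$(cat <<'EOF'
/home/user/downloads/invoice.exe: Eicar-Test-Signature FOUND
/home/user/downloads/invoice.exe: moved to '/var/quarantine/invoice.exe'
/home/user/downloads/archive/setup.zip: Eicar-Test-Signature FOUND
/home/user/downloads/archive/setup.zip: moved to '/var/quarantine/setup.zip'
Infected files: 2
EOF
)

# Stand-alone run: show the report a cron job could mail to an operator.
echo "Would run: $(build_scan_cmd /home/user/downloads)"
printf '%s\n' "$SAMPLE_LOG" | infected_from_log
echo "Detections: $(printf '%s\n' "$SAMPLE_LOG" | detection_count) ($(scan_status 1))"
```

To use it on a real scan, run the command printed by build_scan_cmd, feed its exit status to scan_status, and pipe the log file into infected_from_log.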
INTEGRATION WITH EMAIL SYSTEMS
ClamAV is most famously integrated with email servers like Postfix or Exim to scan incoming and outgoing emails for malware. This is often achieved by passing email content through the clamd daemon, which offers faster scanning performance due to its persistent nature and pre-loaded definitions, avoiding the overhead of starting clamscan for each email.
DEFINITION UPDATES
The effectiveness of ClamAV depends entirely on its virus definitions. The freshclam utility is used to download the latest virus definition database from ClamAV's servers. It is highly recommended to set up a cron job to run freshclam at least once a day, or even more frequently, to ensure you have the most current protection against new threats.
HISTORY
ClamAV was originally developed by Tomasz Kojm in 2002 as an open-source project. Its aim was to provide a free and flexible antivirus solution, particularly for Unix-like operating systems. It quickly gained popularity for its use in mail servers and gateway scanning.
In 2007, ClamAV was acquired by Sourcefire, an American network security company. Subsequently, in 2013, Cisco Systems acquired Sourcefire, including the ClamAV project. Despite these acquisitions, ClamAV has remained an open-source project, with its development continuing to be community-driven and maintained by Cisco engineers. It has become a standard component in many Linux distributions and open-source security stacks.