clamdscan
Scan files for viruses using ClamAV
TLDR
Scan a file or directory for viruses
Scan data from stdin
Scan the current directory and output only infected files
Print the scan report to a log file
Move infected files to a specific directory
Remove infected files
Use multiple threads to scan a directory
Pass the file descriptor instead of streaming the file to the daemon
SYNOPSIS
clamdscan [OPTIONS] [FILE/DIRECTORY...]
PARAMETERS
-h, --help
Display a help message and exit.
-V, --version
Print program version information and exit.
-v, --verbose
Be verbose during the scan process, showing more details.
-r, --recursive
Scan directories recursively. This is the default behavior when scanning directories.
--infected
Only print information about infected files.
--remove
Remove infected files. Use with extreme caution as this action is irreversible and can lead to data loss.
--move=PATH
Move infected files to the specified PATH.
--copy=PATH
Copy infected files to the specified PATH.
--scan-archive
Scan files within archives (e.g., .zip, .tar, .rar). Enabled by default.
--scan-mail
Scan mail files (e.g., .eml, .mbox).
--stdout
Print the scan report to standard output.
--socket=PATH
Connect to the clamd daemon via a Unix socket at the specified PATH.
--host=HOST
Connect to the clamd daemon via TCP/IP on the specified HOST.
--port=PORT
Connect to the clamd daemon via TCP/IP on the specified PORT (used with --host).
--timeout=N
Set the connection timeout to clamd (in seconds).
--fdpass
Pass file descriptors to clamd instead of paths. This is useful when clamd runs as a different user than clamdscan: clamd reads from the already-open descriptor, so it can scan files that clamdscan's user can open but clamd's own user cannot. Requires clamd to be configured with AllowFDPass.
DESCRIPTION
clamdscan is a command-line utility for scanning files and directories for viruses and other malware using the ClamAV daemon (clamd). Unlike its counterpart, clamscan, which loads virus definitions into memory for each scan, clamdscan offloads the scanning process to a persistent clamd daemon. This approach significantly improves performance, especially when performing multiple or frequent scans, as the daemon keeps the virus definitions loaded and ready, avoiding the overhead of reloading them repeatedly.
It communicates with the clamd daemon via a Unix socket or TCP/IP. This client-server architecture makes clamdscan ideal for environments requiring high-performance, continuous, or automated virus scanning, such as mail servers, file servers, or scheduled system scans.
CAVEATS
- Daemon Requirement: clamdscan requires the clamd daemon to be running and accessible. If clamd is not running or misconfigured, clamdscan will fail.
- Permissions: Ensure that the user running clamdscan has sufficient read permissions to the files/directories being scanned, and that the clamd daemon (which typically runs under a dedicated user like 'clamav') also has the necessary permissions. The --fdpass option can help in certain permission scenarios.
- Resource Usage: While faster for repeated scans, clamd itself can consume significant memory as it keeps the virus definitions loaded.
- Data Modification Options: Options like --remove, --move, and --copy directly affect the scanned files. Use them with extreme caution and only after thorough testing, as incorrect usage can lead to data loss or unintended file relocation.
USAGE BEST PRACTICES
- Always ensure your clamd daemon is running and that its virus definitions are kept up-to-date using freshclam.
- For automated or frequent scans (e.g., cron jobs), clamdscan is highly recommended over clamscan due to its performance benefits.
- When using options like --remove or --move, it is advisable to test them in a controlled environment first to understand their behavior fully and prevent accidental data loss.
- Monitor clamd's logs for any issues or detected threats.
DAEMON INTERACTION
clamdscan acts as a client to the clamd server. When you execute clamdscan, it establishes a connection to the clamd daemon (either via a Unix socket or TCP/IP), sends the paths of the files/directories to be scanned, and waits for the scanning results from the daemon. The actual virus scanning and detection logic reside within the clamd daemon, which maintains a loaded and updated database of virus signatures. This separation of concerns allows clamd to serve multiple clamdscan clients concurrently and efficiently.
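As an added example (not code from this page or from the ClamAV project), a minimal Python client that performs the exchange described above: it opens the same Unix-socket or TCP connection clamdscan uses, streams data to the daemon the way "Scan data from stdin" does, and parses the per-file verdict clamd returns. The command names, chunk framing and reply format are the clamd wire protocol as ClamAV documents it; the host, port and chunk size are assumed defaults.

```python
import socket
import struct
from typing import Iterator, Tuple

# Wire format is the clamd protocol (a fact about clamd, not from this page):
# commands go as "z<COMMAND>\0" and get a NUL-terminated reply line; INSTREAM
# data is length-prefixed chunks (4-byte big-endian) ended by a zero-length chunk.
CHUNK_SIZE = 8192  # assumed chunk size; must stay below clamd's StreamMaxLength

def connect(socket_path=None, host="127.0.0.1", port=3310, timeout=30.0):
    """Same connection choice as clamdscan --socket or --host/--port."""
    if socket_path:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(socket_path)
        return sock
    return socket.create_connection((host, port), timeout=timeout)

def instream_frames(data: bytes) -> Iterator[bytes]:
    """Split raw bytes into the length-prefixed chunks INSTREAM expects."""
    for off in range(0, len(data), CHUNK_SIZE):
        chunk = data[off:off + CHUNK_SIZE]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)  # zero-length chunk terminates the stream

def parse_result(line: str) -> Tuple[str, str, str]:
    """Turn a reply "<path>: <verdict>" into (path, status, detail): status is
    OK, FOUND or ERROR, detail is the signature name or error text. Splits on
    the first ": ", so the scanned path itself is assumed not to contain one."""
    path, _, verdict = line.rstrip("\0\n").partition(": ")
    if verdict == "OK":
        return path, "OK", ""
    for status in ("FOUND", "ERROR"):
        if verdict.endswith(" " + status):
            return path, status, verdict[: -len(status) - 1]
    raise ValueError(f"unrecognised clamd reply: {line!r}")

def scan_bytes(sock: socket.socket, data: bytes) -> Tuple[str, str, str]:
    """Stream data to clamd (what 'clamdscan -' does) and return the verdict."""
    sock.sendall(b"zINSTREAM\0")
    for frame in instream_frames(data):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):  # single NUL-terminated reply line
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return parse_result(reply.decode("utf-8", "replace"))
```

With a running daemon, `scan_bytes(connect("/var/run/clamav/clamd.ctl"), data)` returns a tuple such as `("stream", "OK", "")`; a FOUND status is what clamdscan reports as an infected file.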
HISTORY
clamdscan is an integral part of the ClamAV open-source antivirus engine. It was developed to provide a more efficient and higher-performance scanning interface compared to the initial clamscan utility. As ClamAV's usage expanded beyond occasional, manual scans to server-side applications (like mail gateways and web servers) requiring continuous monitoring and faster response times, the need for a daemon-based scanning solution became apparent. clamdscan addresses this by leveraging the clamd daemon, which keeps virus definitions in memory, significantly reducing the overhead of reloading them for each scan request. This evolution made ClamAV a more viable and scalable solution for demanding production environments.