LinuxCommandLibrary

clamdscan

Scan files for viruses using ClamAV

TLDR

Scan a file or directory for viruses

$ clamdscan [path/to/file_or_directory]

Scan data from stdin
$ [command] | clamdscan -

Scan the current directory and output only infected files
$ clamdscan --infected

Print the scan report to a log file
$ clamdscan --log [path/to/log_file]

Move infected files to a specific directory
$ clamdscan --move [path/to/quarantine_directory]

Remove infected files
$ clamdscan --remove

Use multiple threads to scan a directory
$ clamdscan --multiscan

Pass the file descriptor instead of streaming the file to the daemon
$ clamdscan --fdpass

SYNOPSIS

clamdscan [options] [files|dirs|-]

PARAMETERS

--version
    Print version information and exit

--help
    Display help and exit

--verbose
    Enable verbose output

--quiet
    Suppress warnings and non-error messages

--stdout
    Write infected files to stdout (disables streaming)

--fdpass
    Pass file descriptors to daemon for scanning

--stream
    Force streaming via stdin/stdout (default if no files)

--multiscan
    Scan multiple files in single daemon message

--config-file=FILE
    Load configuration from FILE

--local-socket=PATH
    Use Unix socket at PATH

--tcp=HOST:PORT
    Connect to TCP clamd at HOST:PORT

--user=USER
    Run as USER (changes uid)

--exclude=REGEX
    Exclude paths matching REGEX

--exclude-dir=PATTERN
    Exclude directories matching PATTERN

--include-dir=PATTERN
    Only include directories matching PATTERN

--max-filesize=N
    Ignore files > N bytes (e.g., 10M)

--max-scansize=N
    Ignore scans > N bytes

--max-filecount=N
    Limit to N files per scan

--max-recursion=N
    Limit recursion depth to N

--max-files=N
    Maximum number of files in batch

--follow-dir-symlinks
    Follow directory symlinks

--follow-file-symlinks
    Follow file symlinks

--detect-pua
    Enable Potentially Unwanted Application detection

--scan-archive=ARGS
    Configure archive scanning (yes/no/auto/ARGS)

--show-progress
    Display scan progress

--no-summary
    Disable summary at end

--bell
    Bell on virus found

DESCRIPTION

Clamdscan is a command-line utility from the ClamAV open-source antivirus toolkit designed to scan files, directories, or standard input for malware by communicating with a running clamd daemon server. Unlike the standalone clamscan, it leverages the daemon's pre-loaded virus signatures, offering faster scans especially in high-volume or scripted environments.

It supports Unix domain sockets (default: /var/run/clamav/clamd.ctl) or TCP connections for client-server interaction. Key features include recursive directory scanning, exclusion patterns, size limits, progress reporting, and options for handling archives or potentially unwanted applications (PUA). Output can be customized with verbose details, summaries, or bells on detection.

It is well suited to servers, cron jobs, or integration with tools like inotify. Scans report clean, infected, or error results via exit codes. For optimal use, clamd must be running with a matching configuration.

CAVEATS

Requires a running clamd daemon with matching configuration and socket permissions. Not suitable for one-off scans (use clamscan). TCP mode exposes the daemon to network risks; use localhost or auth. Large scans may time out or exhaust daemon resources.

EXIT CODES

0: OK/Clean
1: Malware found
2: Scan error
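
An added example (not from the original page or the ClamAV project): a POSIX shell wrapper that maps the exit codes above to a fail-closed verdict, so a scan error or a missing binary is never treated as clean. The function names and the `CLAMDSCAN` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: fail-closed verdict from clamdscan's exit codes
# (0 clean, 1 malware found, 2 scan error).
# CLAMDSCAN is an assumed override so the scanner path can be pinned or stubbed.
: "${CLAMDSCAN:=clamdscan}"

# scan_verdict PATH
#   prints CLEAN, "INFECTED <report lines>", or "ERROR <reason>"
#   returns 0 only for a clean result, so callers can use it directly in `if`.
scan_verdict() {
    target=$1
    # A path that does not exist can never be reported as clean.
    if [ ! -e "$target" ]; then
        echo "ERROR no such path: $target"
        return 2
    fi
    rc=0
    # --infected limits the report to infected files; `|| rc=$?` captures
    # the exit status without tripping `set -e` in the calling script.
    report=$("$CLAMDSCAN" --fdpass --no-summary --infected "$target" 2>&1) || rc=$?
    case $rc in
        0) echo "CLEAN"; return 0 ;;
        1) echo "INFECTED $report"; return 1 ;;
        # 2 is a scan error; any other status (127 for a missing binary,
        # termination by signal) also means "not scanned", never "clean".
        *) echo "ERROR clamdscan exit $rc"; return 2 ;;
    esac
}

# release_if_clean SRC DEST_DIR: move SRC onward only after a clean verdict.
release_if_clean() {
    if verdict=$(scan_verdict "$1"); then
        mv -- "$1" "$2"/
    else
        echo "held $1: $verdict" >&2
        return 1
    fi
}
```

A cron job or upload handler can call `release_if_clean` and alert on any non-zero return, which separates "daemon down" from "file clean" instead of collapsing both into success.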

EXAMPLES

clamdscan /home/user (scan directory)
clamdscan --stream - < file.txt (stream single file from stdin)
clamdscan --exclude-dir='^/tmp' /var (exclude /tmp)

HISTORY

Developed as part of the ClamAV project (2002 by Tomasz Kojm, later Cisco). Clamdscan was added early (~2003) for efficient daemon-based scanning, evolving with AV signature support and performance tweaks in releases up to ClamAV 1.0+.

SEE ALSO

clamscan(1), clamd(8), freshclam(8), clamconf(1), sigtool(1)
