clamscan
Scan files and directories for viruses
TLDR
Scan a file for vulnerabilities
Scan all files recursively in a specific directory
Scan data from stdin
Specify a virus database file or directory of files
Scan the current directory and output only infected files
Print the scan report to a log file
Move infected files to a specific directory
Remove infected files
SYNOPSIS
clamscan [options] [file|directory|-]
PARAMETERS
--help
Display help information and exit
--version|-V
Print version number
-r|--recursive
Scan directories recursively
-i|--infected
Only print paths of infected files
--bell|-b
Sound the bell when an infected file is found
--no-summary
Disable summary at end of scan
--stdout
Write infected files to stdout
--copy=DIR
Copy infected files to DIR
--move=DIR
Move infected files to DIR
--remove
Remove infected files (dangerous)
--log=FILE
Log scan results to FILE
--max-filesize=N
Don't scan files larger than N bytes/kB/MB/GB
--max-scansize=N
Limit total scanned data to N bytes
--max-filecount=N
Maximum number of files to scan
--max-recursion=N
Limit recursion to N levels
--exclude=REGEX
Exclude files matching regex
--exclude-dir=PATH
Exclude directory PATH
--include=REGEX
Only scan files matching regex
--detect-pua
Detect potentially unwanted applications
--scan-archive=TYPE
Scan archives of type (all/auto/encrypted)
--multiscan-size-limit=N
Limit multi-threaded scan size
--fdpass
Pass file descriptors to clamd (with clamdscan)
--config-file=FILE
Read config from FILE
--quiet
Be quiet, output only error messages
--leave-temps
Do not remove temporary files
DESCRIPTION
Clamscan is a powerful, multi-threaded command-line tool from the open-source ClamAV antivirus suite designed for Unix-like systems. It detects trojans, viruses, malware, and other malicious threats by scanning files, directories, emails, and archives using up-to-date virus signature databases.
Unlike the daemon-based clamdscan, clamscan operates standalone without requiring a running antivirus daemon, making it ideal for on-demand scans, scripts, or environments where a persistent service is undesirable. It supports recursive directory traversal, archive extraction (e.g., ZIP, RAR, PDF), email scanning (MIME), and bytecode signature detection. Users can customize scans with limits on file sizes, recursion depth, and threads for performance tuning.
Key features include moving, copying, or removing infected files, logging results, excluding patterns, and detecting potentially unwanted applications (PUA). Before scanning, ensure virus definitions are fresh via freshclam. Clamscan outputs infected files by default and provides a summary unless suppressed. It's lightweight, cross-platform, and widely used for server security, forensics, and automated malware checks.
CAVEATS
Clamscan is slower than the daemon-based clamdscan on large scans, requires a fresh virus database from freshclam, may miss zero-day threats, and is resource-intensive on deep recursion unless limits are set.
VIRUS DATABASE UPDATE
Run freshclam first to download signatures from ClamAV.net
EXIT CODES
0: clean; 1: found infection; 2: error; 50+: virus found (code=signature ID)
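The wrapper below is an added example, not part of the original page or of ClamAV, showing how a script can act on the 0/1/2 exit codes and pull infected paths out of the -i output. The function names and the sample output lines are constructed for illustration, and treating every status other than 0 or 1 as an error is this example's own choice.

```shell
#!/bin/sh
# Added example: act on clamscan's exit status and output in a script.
# Uses only flags listed above: -r, -i, --no-summary.

# Map an exit status to a verdict. Anything other than 0 or 1 is treated
# as a failed scan here so that it is never reported as clean.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Read scan output on stdin and print only the paths of detections.
# Each detection line has the form "<path>: <signature name> FOUND";
# the split is made at the last ": " so paths containing ": " survive.
infected_paths() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# Scan a directory recursively, print the verdict, then one infected path
# per line, and return clamscan's own exit status to the caller.
scan_dir() {
    dir=$1
    rc=0
    out=$(clamscan -r -i --no-summary "$dir") || rc=$?
    scan_verdict "$rc"
    if [ "$rc" -eq 1 ]; then
        printf '%s\n' "$out" | infected_paths
    fi
    return "$rc"
}

# Constructed sample of "clamscan -r -i --no-summary" output (not a real scan).
sample_output() {
    cat <<'EOF'
/srv/upload/eicar.com: Eicar-Test-Signature FOUND
/srv/upload/a: b/doc.zip: Win.Test.EICAR_HDB-1 FOUND
EOF
}

# Offline demonstration of the parser on the constructed sample.
sample_output | infected_paths
```

Calling scan_dir from a cron job or upload hook lets the caller tell a failed scan (for example, a missing signature database) apart from a clean result before deciding to quarantine or alert.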
PERFORMANCE TIPS
Use --multiscan-threads=8 on multi-core systems; set size limits to avoid OOM
HISTORY
Part of ClamAV, started in 2002 by Tomasz Kojm as open-source antivirus for Unix. Acquired by Sourcefire (Cisco) in 2007; now maintained by Cisco Talos. Clamscan evolved from single-threaded to multi-threaded support in ClamAV 0.103+ (2020). Widely used in servers, mail filters, and forensics.


