clamscan
Scan files and directories for viruses
TLDR
Scan a file for viruses
Scan all files recursively in a specific directory
Scan data from stdin
Specify a virus database file or directory of files
Scan the current directory and output only infected files
Print the scan report to a log file
Move infected files to a specific directory
Remove infected files
SYNOPSIS
clamscan [OPTIONS] [FILE | DIRECTORY ...]
PARAMETERS
-h, --help
Displays the help message and exits.
-V, --version
Prints the version number of ClamAV and exits.
-v, --verbose
Be verbose during the scan process, providing more detailed output.
-r, --recursive
Scans directories recursively, including all subdirectories and their contents.
-i, --infected
Only prints infected files. Suppresses output for clean files.
--remove[=yes/no]
Removes infected files. WARNING: This option can be destructive and should be used with extreme caution.
--move=DIRECTORY
Moves infected files to the specified DIRECTORY instead of removing them.
--copy=DIRECTORY
Copies infected files to the specified DIRECTORY, leaving the originals in place.
--log=FILE
Logs all scan results to the specified FILE.
--database=FILE
Loads virus signatures from the specified FILE instead of the default location.
--exclude=REGEX
Excludes files matching the specified regular expression from the scan.
--include=REGEX
Only scans files matching the specified regular expression.
--max-scansize=SIZE
Sets the maximum size of files to scan. Files larger than this will be skipped.
--no-summary
Suppresses the final summary message after the scan completes.
--bell
Rings the system bell when a virus is found.
--suppress-ok-results
Only outputs scan results for files that are not clean.
DESCRIPTION
clamscan is the command-line interface for the ClamAV antivirus engine, an open-source solution for detecting various types of malicious software, including viruses, trojans, malware, and other threats.
It allows users to scan individual files, specific directories, or entire file systems recursively for known signatures of malware. The effectiveness of clamscan heavily relies on an up-to-date virus definition database, which is typically maintained by the freshclam utility.
Beyond basic scanning, clamscan provides extensive options to control scan behavior, such as limiting file sizes, handling infected files (e.g., moving, copying, or removing them), logging results, and adjusting verbosity. It is widely used on Linux systems, particularly in email gateways and file servers, to ensure the integrity and security of data.
CAVEATS
While clamscan is a powerful tool, it has certain limitations:
Database Dependency: Its effectiveness is directly tied to the currency of its virus definition database, requiring regular updates via freshclam.
No Real-time Protection: By itself, clamscan does not provide real-time, on-access scanning. For continuous monitoring, it's typically used in conjunction with the clamd daemon and clamdscan client.
False Positives: Like any antivirus software, it can occasionally produce false positives.
Performance: Scanning large numbers of files or deeply nested directories can be resource-intensive and time-consuming.
DATABASE UPDATES
For clamscan to be effective, its virus definition database must be kept up-to-date. This is achieved by regularly running the freshclam utility, which downloads the latest signatures from ClamAV's servers. Outdated databases significantly reduce detection capabilities.
EXIT STATUS
clamscan provides meaningful exit codes to indicate scan results, which are useful for scripting:
0: No threats found.
1: At least one threat found.
2: An error occurred during scanning (e.g., file not found, permission issue).
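The exit codes above are what make clamscan usable from scripts. The following POSIX shell wrapper is an added example, not part of the clamscan manual or the ClamAV project: it scans a directory recursively with -r -i, writes the report with --log, quarantines detections with --move, maps the documented exit status (0, 1, 2) to a label a caller can branch on, and pulls the infected paths out of the report. It relies on the report format clamscan prints for a detection, one "<path>: <signature> FOUND" line per hit; the directory paths and the signature name in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example: a scripting wrapper around clamscan (not from the man page).
# Assumes clamscan is on PATH and that the database has been refreshed with freshclam.

# Map clamscan's documented exit status to a label the caller can act on.
classify_exit() {
  case "$1" in
    0) echo "clean" ;;      # no threats found
    1) echo "infected" ;;   # at least one threat found
    2) echo "error" ;;      # scan error (missing file, permissions, ...)
    *) echo "unknown" ;;    # anything else is not a documented status
  esac
}

# Print the path of every infected file listed in a clamscan report.
# clamscan reports a detection as "<path>: <signature> FOUND".
infected_paths() {
  sed -n 's/^\(.*\): .* FOUND$/\1/p' "$1"
}

# Count detections in a report; prints 0 (and still succeeds) when none.
count_found() {
  grep -c ' FOUND$' "$1" || true
}

# Scan a directory, quarantine detections and report the outcome.
# Usage: scan_dir <directory> <quarantine-dir> <log-file>
scan_dir() {
  dir="$1"; quarantine="$2"; log="$3"
  mkdir -p "$quarantine"
  # -i keeps the report to infected files; --move quarantines instead of deleting.
  if clamscan -r -i --log="$log" --move="$quarantine" "$dir"; then
    rc=0
  else
    rc=$?
  fi
  result=$(classify_exit "$rc")
  case "$result" in
    infected)
      echo "$(count_found "$log") detection(s); quarantined in $quarantine:" >&2
      infected_paths "$log" >&2 ;;
    error)
      echo "clamscan failed (exit $rc); see $log" >&2 ;;
  esac
  echo "$result"
  return "$rc"
}

# Run the scan only when invoked with arguments, so the functions can be sourced.
if [ $# -ge 1 ]; then
  scan_dir "$@"
fi
```

A cron job or CI step can call `scan_dir /srv/share /var/quarantine /var/log/clamscan.log` and treat any non-zero return as actionable: exit 1 means the quarantine directory needs review, exit 2 means the scan itself did not complete and must not be mistaken for a clean result.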
HISTORY
The ClamAV project, of which clamscan is a central component, began in 2001. It was conceived as an open-source antivirus engine, primarily designed for Unix-like systems and intended for integration with email gateways.
Over the years, it has grown to become a widely adopted solution for various anti-malware tasks, including desktop scanning, web content filtering, and file server protection. The project was acquired by Sourcefire in 2007 and subsequently by Cisco in 2013, but has maintained its open-source nature and community-driven development.