clamav/docs/man/clamscan.1.in

.TH "clamscan" "1" "February 12, 2007" "ClamAV @VERSION@" "Clam AntiVirus"
.SH "NAME"
.LP 
clamscan \- scan files and directories for viruses
.SH "SYNOPSIS"
.LP 
clamscan [options] [file/directory/\-]
.SH "DESCRIPTION"
.LP 
clamscan is a command line anti\-virus scanner.
.SH "OPTIONS"
.LP 

.TP 
\fB\-h, \-\-help\fR
Print help information and exit.
.TP 
\fB\-V, \-\-version\fR
Print version number and exit.
.TP 
\fB\-v, \-\-verbose\fR
Be verbose.
.TP 
\fB\-\-debug\fR
Display debug messages from libclamav.
.TP 
\fB\-\-quiet\fR
Be quiet (only print error messages).
.TP 
\fB\-\-stdout\fR
Write all messages (except for libclamav output) to the standard output (stdout).
.TP 
\fB\-d FILE/DIR, \-\-database=FILE/DIR\fR
Load virus database from FILE or load all virus database files from DIR.
.TP 
\fB\-l FILE, \-\-log=FILE\fR
Save scan report to FILE.
.TP 
\fB\-\-tempdir=DIRECTORY\fR
Create temporary files in DIRECTORY. Directory must be writable for the '@CLAMAVUSER@' user or unprivileged user running clamscan.
.TP 
\fB\-\-leave\-temps\fR
Do not remove temporary files.
.TP 
\fB\-r, \-\-recursive\fR
Scan directories recursively. All the subdirectories in the given directory will be scanned.
.TP 
\fB\-\-bell\fR
Sound bell on virus detection.
.TP 
\fB\-\-no\-summary\fR
Do not display summary at the end of scanning.
.TP 
\fB\-\-exclude=PATT, \-\-exclude\-dir=PATT\fR
Don't scan file/directory names containing PATT. It may be used multiple times.
.TP 
\fB\-\-include=PATT, \-\-include\-dir=PATT\fR
Only scan file/directory names containing PATT. It may be used multiple times.
.TP 
\fB\-i, \-\-infected\fR
Only print infected files.
.TP 
\fB\-\-remove\fR
Remove infected files. \fBBe careful.\fR
.TP 
\fB\-\-move=DIRECTORY\fR
Move infected files into DIRECTORY. Directory must be writable for the '@CLAMAVUSER@' user or unprivileged user running clamscan.
.TP 
\fB\-\-copy=DIRECTORY\fR
Copy infected files into DIRECTORY. Directory must be writable for the '@CLAMAVUSER@' user or unprivileged user running clamscan.
.TP 
\fB\-\-detect\-pua\fR
Detect Possibly Unwanted Applications.
.TP 
\fB\-\-exclude\-pua=CATEGORY\fR
Exclude a specific PUA category. This option can be used multiple times.
.TP 
\fB\-\-include\-pua=CATEGORY\fR
Only include a specific PUA category. This option can be used multiple times.
.TP 
\fB\-\-detect\-structured\fR
Enable the DLP (Data Loss Prevention) module which provides detection of SSN and Credit Card numbers.
.TP 
\fB\-\-structured\-ssn\-format=X\fR
X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal); X=1: search for valid SSNs formatted as xxxyyzzzz (stripped); X=2: default: search for both formats.
.TP 
\fB\-\-structured\-ssn\-count=#n\fR
This option sets the lowest number of Social Security Numbers found in a file to generate a detect (default: 3).
.TP 
\fB\-\-structured\-cc\-count=#n\fR
This option sets the lowest number of Credit Card numbers found in a file to generate a detect (default: 3).
.TP 
\fB\-\-no\-mail\fR
Disable scanning of mail files.
.TP 
\fB\-\-no\-phishing\-sigs\fR
Disable signature-based phishing detection.
.TP 
\fB\-\-no\-phishing\-scan\-urls\fR
Disable url-based heuristic phishing detection. This disables Phishing.Heuristics.Email.*
.TP
\fB\-\-heuristic\-scan\-precedence\fR
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected  virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses  differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first,  the scan is interrupted immediately, regardless of this config option.
.TP
\fB\-\-phishing\-ssl\fR
Always block SSL mismatches in URLs (might lead to false positives!).
.TP
\fB\-\-phishing\-cloak\fR
Always block cloaked URLs (might lead to some false positives).
.TP
\fB\-\-no\-algorithmic\fR
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option disables the algorithmic detection.
.TP 
\fB\-\-no\-pe\fR
PE stands for Portable Executable \- it's an executable file format used in all 32\-bit versions of Windows operating systems. By default ClamAV performs deeper analysis of executable files and attempts to decompress popular executable packers such as UPX, Petite, and FSG. This option \fBdisables\fR PE support and should be used with care!
.TP 
\fB\-\-no\-elf\fR
Executable and Linking Format is a standard format for UN*X executables. This option \fBdisables\fR ELF support.
.TP 
\fB\-\-no\-ole2\fR
Disable support for Microsoft Office documents and .msi files.
.TP 
\fB\-\-no\-pdf\fR
Disable scanning within PDF files.
.TP 
\fB\-\-no\-html\fR
Disable support for HTML detection and normalisation.
.TP 
\fB\-\-no\-archive\fR
Disable archive support built in libclamav.
.TP 
\fB\-\-detect\-broken\fR
Mark broken executables as viruses (Broken.Executable).
.TP 
\fB\-\-block\-encrypted\fR
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
.TP 
\fB\-\-mail\-follow\-urls\fR
If an email contains URLs ClamAV can download and scan them. \fBWARNING: This option may open your system to a DoS attack. Never use it on loaded servers.\fR
.TP 
\fB\-\-max\-files=#n\fR
Extract at most #n files from each scanned file (when this is an archive, a document or another kind of container). This option protects your system against DoS attacks (default: 10000)
.TP 
\fB\-\-max\-filesize=#n\fR
Extract and scan at most #n kilobytes from each archive. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 25 MB)
.TP 
\fB\-\-max\-scansize=#n\fR
Extract and scan at most #n kilobytes from each scanned file. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 100 MB)
.TP 
\fB\-\-max\-recursion=#n\fR
Set archive recursion level limit. This option protects your system against DoS attacks (default: 16).
.TP 
\fB\-\-max\-dir\-recursion=#n\fR
Maximum depth directories are scanned at (default: 15).
.SH "EXAMPLES"
.LP 
.TP 
(0) Scan a single file:

\fBclamscan file\fR
.TP 
(1) Scan a current working directory:

\fBclamscan\fR
.TP 
(2) Scan all files (and subdirectories) in /home:

\fBclamscan \-r /home\fR
.TP 
(3) Load database from a file and limit disk usage to 50 MB:

\fBclamscan \-d /tmp/newclamdb \-\-max\-space=50m \-r /tmp\fR
.TP 
(4) Scan a data stream:

\fBcat testfile | clamscan \-\fR
.TP 
(5) Scan a mail spool directory:

\fBclamscan \-r /var/spool/mail\fR
.SH "RETURN CODES"
.LP 
Note: some return codes may only appear in a single file mode (when clamscan is started with a single argument). Those are marked with \fB(ofm)\fR.

0 : No virus found.
.TP 
1 : Virus(es) found.
.TP 
40: Unknown option passed.
.TP 
50: Database initialization error.
.TP 
52: Not supported file type.
.TP 
53: Can't open directory.
.TP 
54: Can't open file. (ofm)
.TP 
55: Error reading file. (ofm)
.TP 
56: Can't stat input file / directory.
.TP 
57: Can't get absolute path name of current working directory.
.TP 
58: I/O error, please check your file system.
.TP 
62: Can't initialize logger.
.TP 
63: Can't create temporary files/directories (check permissions).
.TP 
64: Can't write to temporary directory (please specify another one).
.TP 
70: Can't allocate memory (calloc).
.TP 
71: Can't allocate memory (malloc).
.SH "CREDITS"
Please check the full documentation for credits.
.SH "AUTHOR"
.LP 
Tomasz Kojm <tkojm@clamav.net>
.SH "SEE ALSO"
.LP 
clamdscan(1), freshclam(1)