mirror of https://github.com/Cisco-Talos/clamav
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
229 lines
8.4 KiB
229 lines
8.4 KiB
.TH "clamscan" "1" "December 30, 2008" "ClamAV @VERSION@" "Clam AntiVirus"
|
|
.SH "NAME"
|
|
.LP
|
|
clamscan \- scan files and directories for viruses
|
|
.SH "SYNOPSIS"
|
|
.LP
|
|
clamscan [options] [file/directory/\-]
|
|
.SH "DESCRIPTION"
|
|
.LP
|
|
clamscan is a command line anti\-virus scanner.
|
|
.SH "OPTIONS"
|
|
.LP
|
|
Most of the options are simple switches which enable or disable some features. Options marked with [=yes/no(*)] can be optionally followed by =yes/=no; if they get called without the boolean argument the scanner will assume 'yes'. The asterisk marks the default internal setting for a given option.
|
|
.TP
|
|
\fB\-h, \-\-help\fR
|
|
Print help information and exit.
|
|
.TP
|
|
\fB\-V, \-\-version\fR
|
|
Print version number and exit.
|
|
.TP
|
|
\fB\-v, \-\-verbose\fR
|
|
Be verbose.
|
|
.TP
|
|
\fB\-\-debug\fR
|
|
Display debug messages from libclamav.
|
|
.TP
|
|
\fB\-\-quiet\fR
|
|
Be quiet (only print error messages).
|
|
.TP
|
|
\fB\-\-stdout\fR
|
|
Write all messages (except for libclamav output) to the standard output (stdout).
|
|
.TP
|
|
\fB\-d FILE/DIR, \-\-database=FILE/DIR\fR
|
|
Load virus database from FILE or load all virus database files from DIR.
|
|
.TP
|
|
\fB\-\-official\-db\-only=[yes/no(*)]\fR
|
|
Only load the official signatures published by the ClamAV project.
|
|
.TP
|
|
\fB\-l FILE, \-\-log=FILE\fR
|
|
Save scan report to FILE.
|
|
.TP
|
|
\fB\-\-tempdir=DIRECTORY\fR
|
|
Create temporary files in DIRECTORY. Directory must be writable for the '@CLAMAVUSER@' user or unprivileged user running clamscan.
|
|
.TP
|
|
\fB\-\-leave\-temps\fR
|
|
Do not remove temporary files.
|
|
.TP
|
|
\fB\-f FILE, \-\-file\-list=FILE\fR
|
|
Scan files listed line by line in FILE.
|
|
.TP
|
|
\fB\-r, \-\-recursive\fR
|
|
Scan directories recursively. All the subdirectories in the given directory will be scanned.
|
|
.TP
|
|
\fB\-\-cross\-fs=[yes(*)/no]\fR
|
|
Scan files and directories on other filesystems.
|
|
.TP
|
|
\fB\-\-bell\fR
|
|
Sound bell on virus detection.
|
|
.TP
|
|
\fB\-\-no\-summary\fR
|
|
Do not display summary at the end of scanning.
|
|
.TP
|
|
\fB\-\-exclude=REGEX, \-\-exclude\-dir=REGEX\fR
|
|
Don't scan file/directory names matching regular expression. These options can be used multiple times.
|
|
.TP
|
|
\fB\-\-include=REGEX, \-\-include\-dir=REGEX\fR
|
|
Only scan file/directory matching regular expression. These options can be used multiple times.
|
|
.TP
|
|
\fB\-i, \-\-infected\fR
|
|
Only print infected files.
|
|
.TP
|
|
\fB\-\-remove[=yes/no(*)]\fR
|
|
Remove infected files. \fBBe careful.\fR
|
|
.TP
|
|
\fB\-\-move=DIRECTORY\fR
|
|
Move infected files into DIRECTORY. Directory must be writable for the '@CLAMAVUSER@' user or unprivileged user running clamscan.
|
|
.TP
|
|
\fB\-\-copy=DIRECTORY\fR
|
|
Copy infected files into DIRECTORY. Directory must be writable for the '@CLAMAVUSER@' user or unprivileged user running clamscan.
|
|
.TP
|
|
\fB\-\-detect\-pua[=yes/no(*)]\fR
|
|
Detect Possibly Unwanted Applications.
|
|
.TP
|
|
\fB\-\-exclude\-pua=CATEGORY\fR
|
|
Exclude a specific PUA category. This option can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA
|
|
.TP
|
|
\fB\-\-include\-pua=CATEGORY\fR
|
|
Only include a specific PUA category. This option can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA
|
|
.TP
|
|
\fB\-\-detect\-structured[=yes/no(*)]\fR
|
|
Use the DLP (Data Loss Prevention) module to detect SSN and Credit Card numbers inside documents/text files.
|
|
.TP
|
|
\fB\-\-structured\-ssn\-format=X\fR
|
|
X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal); X=1: search for valid SSNs formatted as xxxyyzzzz (stripped); X=2: search for both formats. Default is 0.
|
|
.TP
|
|
\fB\-\-structured\-ssn\-count=#n\fR
|
|
This option sets the lowest number of Social Security Numbers found in a file to generate a detect (default: 3).
|
|
.TP
|
|
\fB\-\-structured\-cc\-count=#n\fR
|
|
This option sets the lowest number of Credit Card numbers found in a file to generate a detect (default: 3).
|
|
.TP
|
|
\fB\-\-scan\-mail[=yes(*)/no]\fR
|
|
Scan mail files.
|
|
.TP
|
|
\fB\-\-phishing\-sigs[=yes(*)/no]\fR
|
|
Use the signature-based phishing detection.
|
|
.TP
|
|
\fB\-\-phishing\-scan\-urls[=yes(*)/no]\fR
|
|
Use the url-based heuristic phishing detection (Phishing.Heuristics.Email.*)
|
|
.TP
|
|
\fB\-\-heuristic\-scan\-precedence[=yes/no(*)]\fR
|
|
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.
|
|
.TP
|
|
\fB\-\-phishing\-ssl[=yes/no(*)]\fR
|
|
Block SSL mismatches in URLs (might lead to false positives!).
|
|
.TP
|
|
\fB\-\-phishing\-cloak[=yes/no(*)]\fR
|
|
Block cloaked URLs (might lead to some false positives).
|
|
.TP
|
|
\fB\-\-algorithmic\-detection[=yes(*)/no]\fR
|
|
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection.
|
|
.TP
|
|
\fB\-\-scan\-pe[=yes(*)/no]\fR
|
|
PE stands for Portable Executable \- it's an executable file format used in all 32\-bit versions of Windows operating systems. By default ClamAV performs deeper analysis of executable files and attempts to decompress popular executable packers such as UPX, Petite, and FSG.
|
|
.TP
|
|
\fB\-\-scan\-elf[=yes(*)/no]\fR
|
|
Executable and Linking Format is a standard format for UN*X executables. This option controls the ELF support.
|
|
.TP
|
|
\fB\-\-scan\-ole2[=yes(*)/no]\fR
|
|
Scan Microsoft Office documents and .msi files.
|
|
.TP
|
|
\fB\-\-scan\-pdf[=yes(*)/no]\fR
|
|
Scan within PDF files.
|
|
.TP
|
|
\fB\-\-scan\-html[=yes(*)/no]\fR
|
|
Detect, normalize/decrypt and scan HTML files and embedded scripts.
|
|
.TP
|
|
\fB\-\-scan\-archive[=yes(*)/no]\fR
|
|
Scan archives supported by libclamav.
|
|
.TP
|
|
\fB\-\-detect\-broken[=yes/no(*)]\fR
|
|
Mark broken executables as viruses (Broken.Executable).
|
|
.TP
|
|
\fB\-\-block\-encrypted[=yes/no(*)]\fR
|
|
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
|
|
.TP
|
|
\fB\-\-max\-files=#n\fR
|
|
Extract at most #n files from each scanned file (when this is an archive, a document or another kind of container). This option protects your system against DoS attacks (default: 10000)
|
|
.TP
|
|
\fB\-\-max\-filesize=#n\fR
|
|
Extract and scan at most #n kilobytes from each archive. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 25 MB, max: <4 GB)
|
|
.TP
|
|
\fB\-\-max\-scansize=#n\fR
|
|
Extract and scan at most #n kilobytes from each scanned file. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 100 MB, max: <4 GB)
|
|
.TP
|
|
\fB\-\-max\-recursion=#n\fR
|
|
Set archive recursion level limit. This option protects your system against DoS attacks (default: 16).
|
|
.TP
|
|
\fB\-\-max\-dir\-recursion=#n\fR
|
|
Maximum depth directories are scanned at (default: 15).
|
|
.SH "EXAMPLES"
|
|
.LP
|
|
.TP
|
|
(0) Scan a single file:
|
|
|
|
\fBclamscan file\fR
|
|
.TP
|
|
(1) Scan a current working directory:
|
|
|
|
\fBclamscan\fR
|
|
.TP
|
|
(2) Scan all files (and subdirectories) in /home:
|
|
|
|
\fBclamscan \-r /home\fR
|
|
.TP
|
|
(3) Load database from a file:
|
|
|
|
\fBclamscan \-d /tmp/newclamdb \-r /tmp\fR
|
|
.TP
|
|
(4) Scan a data stream:
|
|
|
|
\fBcat testfile | clamscan \-\fR
|
|
.TP
|
|
(5) Scan a mail spool directory:
|
|
|
|
\fBclamscan \-r /var/spool/mail\fR
|
|
.SH "RETURN CODES"
|
|
.LP
|
|
Note: some return codes may only appear in a single file mode (when clamscan is started with a single argument). Those are marked with \fB(ofm)\fR.
|
|
|
|
0 : No virus found.
|
|
.TP
|
|
1 : Virus(es) found.
|
|
.TP
|
|
40: Unknown option passed.
|
|
.TP
|
|
50: Database initialization error.
|
|
.TP
|
|
52: Not supported file type.
|
|
.TP
|
|
53: Can't open directory.
|
|
.TP
|
|
54: Can't open file. (ofm)
|
|
.TP
|
|
55: Error reading file. (ofm)
|
|
.TP
|
|
56: Can't stat input file / directory.
|
|
.TP
|
|
57: Can't get absolute path name of current working directory.
|
|
.TP
|
|
58: I/O error, please check your file system.
|
|
.TP
|
|
62: Can't initialize logger.
|
|
.TP
|
|
63: Can't create temporary files/directories (check permissions).
|
|
.TP
|
|
64: Can't write to temporary directory (please specify another one).
|
|
.TP
|
|
70: Can't allocate memory (calloc).
|
|
.TP
|
|
71: Can't allocate memory (malloc).
|
|
.SH "CREDITS"
|
|
Please check the full documentation for credits.
|
|
.SH "AUTHOR"
|
|
.LP
|
|
Tomasz Kojm <tkojm@clamav.net>
|
|
.SH "SEE ALSO"
|
|
.LP
|
|
clamdscan(1), freshclam(1)
|
|
|