|
|
Post mortem of a virus :)
|
|
|
|
clamscan(1) Clam AntiVirus clamscan(1) NAME
clamscan - scan files and directories for viruses SYNOPSIS
clamscan [options] [file/directory/-] DESCRIPTION
clamscan is a command line anti-virus scanner. OPTIONS
Most of the options are simple switches which enable or disable some features. Options marked with [=yes/no(*)] can be optionally followed by =yes/=no; if they get called without the boolean argument the scanner will assume 'yes'. The asterisk marks the default internal setting for a given option. -h, --help Print help information and exit. -V, --version Print version number and exit. -v, --verbose Be verbose. --debug Display debug messages from libclamav. --quiet Be quiet (only print error messages). --stdout Write all messages (except for libclamav output) to the standard output (stdout). -d FILE/DIR, --database=FILE/DIR Load virus database from FILE or load all virus database files from DIR. --official-db-only=[yes/no(*)] Only load the official signatures published by the ClamAV project. -l FILE, --log=FILE Save scan report to FILE. --tempdir=DIRECTORY Create temporary files in DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan. --leave-temps Do not remove temporary files. -f FILE, --file-list=FILE Scan files listed line by line in FILE. -r, --recursive Scan directories recursively. All the subdirectories in the given directory will be scanned. --cross-fs=[yes(*)/no] Scan files and directories on other filesystems. --bell Sound bell on virus detection. --no-summary Do not display summary at the end of scanning. --exclude=REGEX, --exclude-dir=REGEX Don't scan file/directory names matching regular expression. These options can be used multiple times. --include=REGEX, --include-dir=REGEX Only scan file/directory matching regular expression. These options can be used multiple times. -i, --infected Only print infected files. --remove[=yes/no(*)] Remove infected files. Be careful. --move=DIRECTORY Move infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan. --copy=DIRECTORY Copy infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan. --bytecode[=yes(*)/no] With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, oth- erwise you may miss detections for many new viruses. --bytecode-trust-all[=yes/no(*)] This option disables safety checks and makes ClamAV trust all bytecode. It should only be used for debugging. --bytecode-timeout=N Set bytecode timeout in milliseconds (default: 60000 = 60s) --detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications. --exclude-pua=CATEGORY Exclude a specific PUA category. This option can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA --include-pua=CATEGORY Only include a specific PUA category. This option can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA --detect-structured[=yes/no(*)] Use the DLP (Data Loss Prevention) module to detect SSN and Credit Card numbers inside documents/text files. --structured-ssn-format=X X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal); X=1: search for valid SSNs formatted as xxxyyzzzz (stripped); X=2: search for both formats. Default is 0. --structured-ssn-count=#n This option sets the lowest number of Social Security Numbers found in a file to generate a detect (default: 3). --structured-cc-count=#n This option sets the lowest number of Credit Card numbers found in a file to generate a detect (default: 3). --scan-mail[=yes(*)/no] Scan mail files. --phishing-sigs[=yes(*)/no] Use the signature-based phishing detection. --phishing-scan-urls[=yes(*)/no] Use the url-based heuristic phishing detection (Phishing.Heuristics.Email.*) --heuristic-scan-precedence[=yes/no(*)] Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish, and a real malware, the real malware will be reported Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option. --phishing-ssl[=yes/no(*)] Block SSL mismatches in URLs (might lead to false positives!). --phishing-cloak[=yes/no(*)] Block cloaked URLs (might lead to some false positives). --algorithmic-detection[=yes(*)/no] In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection. --scan-pe[=yes(*)/no] PE stands for Portable Executable - it's an executable file format used in all 32-bit versions of Windows operating systems. By default ClamAV performs deeper analysis of executable files and attempts to decompress popular executable packers such as UPX, Petite, and FSG. --scan-elf[=yes(*)/no] Executable and Linking Format is a standard format for UN*X executables. This option controls the ELF support. --scan-ole2[=yes(*)/no] Scan Microsoft Office documents and .msi files. --scan-pdf[=yes(*)/no] Scan within PDF files. --scan-html[=yes(*)/no] Detect, normalize/decrypt and scan HTML files and embedded scripts. --scan-archive[=yes(*)/no] Scan archives supported by libclamav. --detect-broken[=yes/no(*)] Mark broken executables as viruses (Broken.Executable). --block-encrypted[=yes/no(*)] Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). --max-files=#n Extract at most #n files from each scanned file (when this is an archive, a document or another kind of container). This option pro- tects your system against DoS attacks (default: 10000) --max-filesize=#n Extract and scan at most #n kilobytes from each archive. You may pass the value in megabytes in format xM or xm, where x is a num- ber. This option protects your system against DoS attacks (default: 25 MB, max: <4 GB) --max-scansize=#n Extract and scan at most #n kilobytes from each scanned file. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 100 MB, max: <4 GB) --max-recursion=#n Set archive recursion level limit. This option protects your system against DoS attacks (default: 16). --max-dir-recursion=#n Maximum depth directories are scanned at (default: 15). EXAMPLES
(0) Scan a single file: clamscan file (1) Scan a current working directory: clamscan (2) Scan all files (and subdirectories) in /home: clamscan -r /home (3) Load database from a file: clamscan -d /tmp/newclamdb -r /tmp (4) Scan a data stream: cat testfile | clamscan - (5) Scan a mail spool directory: clamscan -r /var/spool/mail RETURN CODES
0 : No virus found. 1 : Virus(es) found. 2 : Some error(s) occured. CREDITS
Please check the full documentation for credits. AUTHOR
Tomasz Kojm <tkojm@clamav.net> SEE ALSO
clamdscan(1), freshclam(1), freshclam.conf(5) ClamAV 0.96.1 December 30, 2008 clamscan(1)
