# ClamAV — Hunt Viruses and Malware from the Command Line

> Practical guide to ClamAV — scan files, update signatures with freshclam and detect threats through the clamd daemon on the command line.

Source: https://www.jpkc.com/db/en/cheatsheets/security/clamav/

<!-- PROSE:intro -->
ClamAV is the best-known open-source antivirus engine for Unix systems – from mail gateways through file servers to web hosting. Use `clamscan` for on-demand scans, `clamdscan` to hand files to the fast background daemon `clamd`, and `freshclam` to keep the signature database current. This guide takes you from signature updates through recursive scans and quarantine to daemon management. Make sure `freshclam` runs regularly – with stale signatures even the best scanner misses fresh threats.
<!-- PROSE:intro:end -->

## Signature Updates (freshclam)

`freshclam` — Update virus signature database.

```bash
sudo freshclam
```

`freshclam -d --checks=<n>` — Run as a daemon and check for updates n times per day (short form `-c <n>`; the value only takes effect in daemon mode, a one-shot run ignores it).

```bash
sudo freshclam -d --checks=12
```

`freshclam --show-progress` — Update signatures with download progress display.

```bash
sudo freshclam --show-progress
```

`freshclam --datadir=<path>` — Download signature databases into a custom directory (`clamscan --database=<path>` then reads them from there).

```bash
sudo freshclam --datadir=/opt/clamav/db
```

`freshclam -d` — Run freshclam as a daemon for automatic updates.

```bash
sudo freshclam -d
```

## On-Demand Scanning (clamscan)

`clamscan <file>` — Scan a single file for threats.

```bash
clamscan suspicious-file.zip
```

`clamscan -r <dir>` — Recursively scan a directory and all subdirectories.

```bash
clamscan -r /home/user/Downloads
```

`clamscan -r -i <dir>` — Recursively scan and only show infected files.

```bash
clamscan -r -i /var/www
```

`clamscan -r --remove <dir>` — Scan and automatically delete infected files (irreversible – use with care).

```bash
clamscan -r --remove /tmp/uploads
```

`clamscan -r --move=<quarantine> <dir>` — Scan and move infected files to a quarantine directory (create it beforehand; clamscan refuses to run if it does not exist).

```bash
clamscan -r --move=/quarantine /home/user
```

`clamscan -r --copy=<quarantine> <dir>` — Scan and copy infected files to quarantine (keep originals).

```bash
clamscan -r --copy=/quarantine /var/www
```

`clamscan -r -l <logfile> <dir>` — Scan and write results to a log file.

```bash
clamscan -r -l /var/log/clamav/scan.log /home
```

`clamscan --bell <dir>` — Ring a bell when a virus is detected.

```bash
clamscan --bell -r /home/user
```

## Scan Options

`clamscan --max-filesize=<size> <dir>` — Set maximum file size to scan (default 100M).

```bash
clamscan --max-filesize=500M -r /data
```

`clamscan --max-scansize=<size> <dir>` — Set maximum data size scanned per file (for archives).

```bash
clamscan --max-scansize=1G -r /uploads
```

`clamscan --max-recursion=<n> <dir>` — Set max archive extraction depth (default 17).

```bash
clamscan --max-recursion=10 -r /tmp
```

`clamscan --exclude=<regex> -r <dir>` — Exclude files matching a regex pattern.

```bash
clamscan --exclude='\.log$' -r /var
```

`clamscan --exclude-dir=<regex> -r <dir>` — Exclude directories matching a regex pattern.

```bash
clamscan --exclude-dir='node_modules' -r /home/user/projects
```

`clamscan --include=<regex> -r <dir>` — Only scan files matching a regex pattern.

```bash
clamscan --include='\.php$' -r /var/www
```

`clamscan --no-summary <file>` — Suppress the summary at the end of the scan.

```bash
clamscan --no-summary -r /tmp
```

## Daemon Scanning (clamdscan)

`clamdscan <file>` — Scan using the clamd daemon (much faster than clamscan, because clamd already holds the signatures in memory instead of loading them on every run).

```bash
clamdscan suspicious-file.zip
```

`clamdscan -r <dir>` — Recursively scan using the daemon.

```bash
clamdscan -r /var/www
```

`clamdscan --multiscan -r <dir>` — Parallel scan using multiple daemon threads.

```bash
clamdscan --multiscan -r /home
```

`clamdscan --fdpass <file>` — Pass the open file descriptor to clamd over its local Unix socket, so clamd needs no read permission on the file itself (not available over TCP).

```bash
clamdscan --fdpass /root/file.bin
```

`clamdscan --stream <file>` — Stream file to clamd via network (for remote scanning).

```bash
clamdscan --stream suspicious-file.zip
```

`clamdscan -V` — Show clamd version and database info.

```bash
clamdscan -V
```

## Daemon Management (clamd)

`clamd` — Start the ClamAV daemon.

```bash
sudo clamd
```

`clamdtop` — Monitor clamd performance in real-time (like top).

```bash
clamdtop
```

`clamconf` — Display ClamAV configuration and database info.

```bash
clamconf
```

`clamconf --generate-config=clamd.conf` — Print a sample clamd.conf with default values; write it to the config path to start from scratch (this overwrites the existing file, so back it up first).

```bash
clamconf --generate-config=clamd.conf | sudo tee /etc/clamav/clamd.conf > /dev/null
```

`systemctl status clamav-daemon` — Check status of the clamd systemd service.

```bash
sudo systemctl status clamav-daemon
```

`systemctl restart clamav-daemon` — Restart the clamd daemon.

```bash
sudo systemctl restart clamav-daemon
```

## Database Info

`sigtool --info <cvd>` — Show info about a signature database file.

```bash
sigtool --info /var/lib/clamav/main.cvd
```

`sigtool --list-sigs` — List all signatures in the loaded databases (piped to `wc -l` here to count them).

```bash
sigtool --list-sigs | wc -l
```

`sigtool --find-sigs <name>` — Search for a specific signature by name.

```bash
sigtool --find-sigs Eicar
```

`clamscan --debug 2>&1 | grep 'loaded'` — Show number of loaded signatures.

```bash
clamscan --debug 2>&1 | grep 'loaded'
```

## Common Patterns

`clamscan -r -i --move=/quarantine --exclude-dir='^/(proc|sys|dev|quarantine)' /` — Full system scan, show only infected, quarantine threats; skip the pseudo-filesystems and the quarantine itself (the regex is matched against the full path).

```bash
sudo clamscan -r -i --move=/quarantine --exclude-dir='^/(proc|sys|dev|quarantine)' /
```

`clamscan -r -i /var/www -l /var/log/clamav/www-scan.log` — Scan web directory and log results for review.

```bash
sudo clamscan -r -i /var/www -l /var/log/clamav/www-scan.log
```

`find /var/www/uploads -mtime -1 -type f -exec clamscan {} +` — Scan only files modified in the last 24 hours.

```bash
find /var/www/uploads -mtime -1 -type f -exec clamscan {} +
```

`clamscan -r --exclude-dir='/\.git$' --include='\.(php|js|html)$' <dir>` — Scan only web-relevant files, skip `.git` directories (the regex is matched against the full path, e.g. `/var/www/.git`, so anchor on the slash rather than with `^`).

```bash
clamscan -r --exclude-dir='/\.git$' --include='\.(php|js|html)$' /var/www
```

`freshclam && clamscan -r -i /home` — Update signatures first, then scan home directories.

```bash
sudo freshclam && sudo clamscan -r -i /home
```

`echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.txt && clamscan /tmp/eicar.txt` — Create EICAR test file and verify ClamAV detects it.

```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.txt
clamscan /tmp/eicar.txt
```
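The patterns above combine naturally into a scheduled job. The script below is an added example, not from the cheatsheet or the ClamAV project: it refreshes signatures, runs the quarantine scan with a log, interprets clamscan's exit status (0 clean, 1 infected, 2 error) and summarises the hits by signature name. The quarantine and log directories are assumptions, not ClamAV defaults.

```bash
#!/bin/sh
# Added example (not from the cheatsheet or the ClamAV project): a cron-friendly
# job that refreshes signatures, scans a directory with clamscan, quarantines
# hits with --move, appends to a log, and acts on clamscan's exit status.
# QUARANTINE and LOGDIR are assumed locations, not defaults of ClamAV.

QUARANTINE="${QUARANTINE:-/quarantine}"
LOGDIR="${LOGDIR:-/var/log/clamav}"

# clamscan exit status: 0 = nothing found, 1 = infected file(s) found,
# 2 = error (unreadable database, bad option, I/O problem).
scan_rc_meaning() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Summarise "<path>: <signature> FOUND" lines (clamscan -i output or its -l log)
# read from stdin as "signature<TAB>count", most frequent first. Lines such as
# "<path>: OK" or "<path>: moved to '...'" are ignored.
found_summary() {
    awk '/ FOUND$/ { n[$(NF-1)]++ }
         END { for (s in n) printf "%s\t%d\n", s, n[s] }' | sort -k2,2nr -k1,1
}

run_scan() {
    target=$1
    log="$LOGDIR/scan-$(date +%Y%m%d-%H%M%S).log"
    mkdir -p "$QUARANTINE" "$LOGDIR"

    # Update first; if the update fails, scan anyway with the database on disk
    # (stale signatures beat no scan, but record that it happened).
    if ! freshclam --quiet; then
        echo "warning: freshclam failed, scanning with existing signatures" | tee -a "$log" >&2
    fi

    # -i: report only hits; -l: also write them to the log; --move: quarantine
    # instead of delete; --exclude-dir keeps clamscan out of the quarantine
    # itself (the regex is matched against the full path, hence the ^ anchor).
    if clamscan -r -i --move="$QUARANTINE" --exclude-dir="^$QUARANTINE" -l "$log" "$target"; then
        rc=0
    else
        rc=$?
    fi

    case "$(scan_rc_meaning "$rc")" in
        clean)    echo "clean: $target" ;;
        infected) echo "infected files moved to $QUARANTINE, by signature:"
                  found_summary < "$log" ;;
        *)        echo "scan error (exit $rc), see $log" >&2 ;;
    esac
    return "$rc"
}

# Run only when a target directory is given, e.g. from cron:
#   0 3 * * * /usr/local/bin/clamscan-job.sh /var/www/uploads
if [ $# -ge 1 ]; then
    run_scan "$1"
fi
```

Exit status 2 deserves an alert of its own: it means the scan did not complete, which is a different problem from a clean result and must not be logged as one.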

<!-- PROSE:outro -->
## Conclusion

ClamAV is not a real-time guard like commercial desktop suites; it shines wherever files pass through a controlled chokepoint: mail gateways, upload directories and scheduled cron scans. Pair it with `freshclam` for fresh signatures and reach for `--remove` only with care – quarantine via `--move` is almost always the safer choice, because it lets you recover false positives.

## Further Reading

- [ClamAV – official documentation](https://docs.clamav.net/) – manual and reference
- [ClamAV – project site](https://www.clamav.net/) – downloads, signatures and news
- [Clam AntiVirus – Wikipedia](https://en.wikipedia.org/wiki/ClamAV) – background and history
<!-- PROSE:outro:end -->

## Related Commands

- [age](https://www.jpkc.com/db/en/cheatsheets/security/age/) – simple, modern file encryption
- [fail2ban](https://www.jpkc.com/db/en/cheatsheets/security/fail2ban/) – block brute-force attacks via log analysis
- [firewalld](https://www.jpkc.com/db/en/cheatsheets/security/firewalld/) – manage dynamic firewall rules

