ClamAV — Hunt Viruses and Malware from the Command Line

Practical guide to ClamAV — scan files, update signatures with freshclam and detect threats through the clamd daemon on the command line.

ClamAV is the best-known open-source antivirus engine for Unix systems – from mail gateways through file servers to web hosting. Use clamscan for on-demand scans, clamdscan to hand files to the fast background daemon clamd, and freshclam to keep the signature database current. This guide takes you from signature updates through recursive scans and quarantine to daemon management. Make sure freshclam runs regularly – with stale signatures even the best scanner misses fresh threats.

Signature Updates (freshclam)

freshclam — Update virus signature database.

sudo freshclam

freshclam --checks <n> — Check for updates n times per day (only meaningful in daemon mode, i.e. together with -d).

sudo freshclam --checks 12

freshclam --show-progress — Update signatures with download progress display.

sudo freshclam --show-progress

freshclam --datadir <path> — Use a custom directory for signature databases.

sudo freshclam --datadir /opt/clamav/db

freshclam -d — Run freshclam as a daemon for automatic updates.

sudo freshclam -d
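The guide's warning about stale signatures is easy to turn into a pre-flight check. The following script is an added example for this guide, not part of ClamAV or freshclam: it reports when the daily database that freshclam maintains has not been rewritten within a given window. The database directory (/var/lib/clamav, the path used elsewhere in this guide), the 12-hour window and the `check` subcommand are assumptions; main.cvd is deliberately not checked because it is released rarely.

```shell
#!/bin/sh
# Added example (not ClamAV's own tooling): warn when the signature databases
# that freshclam maintains look stale. Directory and window are assumptions.
set -u

DBDIR=${DBDIR:-/var/lib/clamav}   # the path this guide uses; see freshclam --datadir
MAX_MIN=${MAX_MIN:-720}           # 12 hours: daily.* is refreshed several times a day

# Print the daily database files in $1 whose mtime is older than $2 minutes.
# freshclam rewrites daily.cvd (or daily.cld after incremental updates) several
# times a day, so an old mtime there means updates are not running.
stale_dbs() {
    find "$1" -maxdepth 1 -type f -name 'daily.c[vl]d' -mmin +"$2"
}

# Return 0 when a daily database exists in $1 and is not older than $2
# minutes, 1 otherwise. Use it as a pre-flight check before a scan job.
db_fresh() {
    { [ -e "$1/daily.cvd" ] || [ -e "$1/daily.cld" ]; } || return 1
    [ -z "$(stale_dbs "$1" "$2")" ]
}

# Usage: sh check-sigs.sh check [dbdir] [max_minutes]
# Only runs when invoked with "check", so the functions can also be sourced.
if [ "${1:-}" = "check" ]; then
    dir=${2:-$DBDIR} max=${3:-$MAX_MIN}
    if db_fresh "$dir" "$max"; then
        echo "signatures in $dir are fresh (updated within $max minutes)"
    else
        echo "WARNING: stale or missing daily signatures in $dir" >&2
        stale_dbs "$dir" "$max" >&2
        echo "run: sudo freshclam" >&2
        exit 1
    fi
fi
```

A cron job can run `sh check-sigs.sh check` a few minutes before the nightly scan and alert (or skip the scan) on a non-zero exit, which is cheaper than discovering weeks later that freshclam had silently stopped.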

On-Demand Scanning (clamscan)

clamscan <file> — Scan a single file for threats.

clamscan suspicious-file.zip

clamscan -r <dir> — Recursively scan a directory and all subdirectories.

clamscan -r /home/user/Downloads

clamscan -r -i <dir> — Recursively scan and only show infected files.

clamscan -r -i /var/www

clamscan -r --remove <dir> — Scan and automatically delete infected files (irreversible – use with care).

clamscan -r --remove /tmp/uploads

clamscan -r --move=<quarantine> <dir> — Scan and move infected files to a quarantine directory.

clamscan -r --move=/quarantine /home/user

clamscan -r --copy=<quarantine> <dir> — Scan and copy infected files to quarantine (keep originals).

clamscan -r --copy=/quarantine /var/www

clamscan -r -l <logfile> <dir> — Scan and write results to a log file.

clamscan -r -l /var/log/clamav/scan.log /home

clamscan --bell <dir> — Ring a bell when a virus is detected.

clamscan --bell -r /home/user

Scan Options

clamscan --max-filesize=<size> <dir> — Set maximum file size to scan (default 100M).

clamscan --max-filesize=500M -r /data

clamscan --max-scansize=<size> <dir> — Set maximum data size scanned per file (for archives).

clamscan --max-scansize=1G -r /uploads

clamscan --max-recursion=<n> <dir> — Set max archive extraction depth (default 17).

clamscan --max-recursion=10 -r /tmp

clamscan --exclude=<regex> -r <dir> — Exclude files matching a regex pattern.

clamscan --exclude='\.log$' -r /var

clamscan --exclude-dir=<regex> -r <dir> — Exclude directories matching a regex pattern.

clamscan --exclude-dir='node_modules' -r /home/user/projects

clamscan --include=<regex> -r <dir> — Only scan files matching a regex pattern.

clamscan --include='\.php$' -r /var/www

clamscan --no-summary <file> — Suppress the summary at the end of the scan.

clamscan --no-summary -r /tmp

Daemon Scanning (clamdscan)

clamdscan <file> — Scan using the clamd daemon (much faster than clamscan).

clamdscan suspicious-file.zip

clamdscan -r <dir> — Recursively scan using the daemon.

clamdscan -r /var/www

clamdscan --multiscan -r <dir> — Parallel scan using multiple daemon threads.

clamdscan --multiscan -r /home

clamdscan --fdpass <file> — Pass file descriptor to clamd (avoids permission issues).

clamdscan --fdpass /root/file.bin

clamdscan --stream <file> — Stream file to clamd via network (for remote scanning).

clamdscan --stream suspicious-file.zip

clamdscan -V — Show clamd version and database info.

clamdscan -V

Daemon Management (clamd)

clamd — Start the ClamAV daemon.

sudo clamd

clamdtop — Monitor clamd performance in real-time (like top).

clamdtop

clamconf — Display ClamAV configuration and database info.

clamconf

clamconf --generate-config=clamd.conf — Generate a sample clamd.conf configuration file.

clamconf --generate-config=clamd.conf > /etc/clamav/clamd.conf

systemctl status clamav-daemon — Check status of the clamd systemd service.

sudo systemctl status clamav-daemon

systemctl restart clamav-daemon — Restart the clamd daemon.

sudo systemctl restart clamav-daemon

Database Info

sigtool --info <cvd> — Show info about a signature database file.

sigtool --info /var/lib/clamav/main.cvd

sigtool --list-sigs — List all signatures in the loaded databases.

sigtool --list-sigs | wc -l

sigtool --find-sigs <name> — Search for a specific signature by name.

sigtool --find-sigs Eicar

clamscan --debug 2>&1 | grep 'loaded' — Show number of loaded signatures.

clamscan --debug 2>&1 | grep 'loaded'

Common Patterns

clamscan -r -i --move=/quarantine / — Full system scan, show only infected, quarantine threats.

sudo clamscan -r -i --move=/quarantine /

clamscan -r -i /var/www -l /var/log/clamav/www-scan.log — Scan web directory and log results for review.

sudo clamscan -r -i /var/www -l /var/log/clamav/www-scan.log

find <dir> -mtime -1 -type f -exec clamscan {} + — Scan only files modified in the last 24 hours.

find /var/www/uploads -mtime -1 -type f -exec clamscan {} +

clamscan -r --exclude-dir='^\.git' --include='\.(php|js|html)$' <dir> — Scan only web-relevant files, skip .git directories.

clamscan -r --exclude-dir='^\.git' --include='\.(php|js|html)$' /var/www

freshclam && clamscan -r -i /home — Update signatures first, then scan home directories.

sudo freshclam && sudo clamscan -r -i /home

echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.txt && clamscan /tmp/eicar.txt — Create EICAR test file and verify ClamAV detects it.

echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.txt && clamscan /tmp/eicar.txt
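The patterns above (quarantine with --move, logging with -l, listing only hits with -i, and the EICAR self-test) fit together into one scheduled scan job. The script below is an added example for this guide, not code from ClamAV: it verifies the engine with an EICAR file before scanning, maps clamscan's exit status to a verdict so that a scan error is never mistaken for a clean result, and extracts the `path: signature FOUND` lines from the log for the report. The quarantine and log paths, the `scan`/`selftest` subcommands and the constructed sample log (with placeholder signature names) are assumptions.

```shell
#!/bin/sh
# Added example (not part of ClamAV): a scheduled scan job built from the
# guide's patterns. Paths, subcommands and the sample log are assumptions.
set -u

QUARANTINE=${QUARANTINE:-/quarantine}
LOGDIR=${LOGDIR:-/var/log/clamav}

# Write the 68-byte EICAR test string to $1; printf adds no trailing newline.
write_eicar() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# Verify the scanner works: clamscan must exit 1 (virus found) on the EICAR file.
selftest() {
    f=$(mktemp) || return 2
    write_eicar "$f"
    clamscan --no-summary "$f" >/dev/null 2>&1
    rc=$?
    rm -f "$f"
    [ "$rc" -eq 1 ]
}

# Print "signature path" for every "path: signature FOUND" line in log $1.
# Signature names contain no spaces, so the first field stays unambiguous even
# for paths with spaces; the greedy .* picks the last ": " before " FOUND".
found_lines() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\2 \1/p' "$1"
}

# Number of detections in log $1 (tr strips the padding BSD wc adds).
found_count() {
    found_lines "$1" | wc -l | tr -d ' '
}

# Map clamscan's exit status ($1) and log ($2) to a one-line verdict:
# 0 = nothing found, 1 = infected file(s) found, 2 = scan error (unreadable
# files, missing databases, ...), which must not be reported as clean.
verdict() {
    case $1 in
        0) echo "clean" ;;
        1) echo "infected: $(found_count "$2") file(s) moved to $QUARANTINE" ;;
        *) echo "error: clamscan exited $1, see $2" ;;
    esac
}

# Scan $1 recursively: list only infected files, move hits to quarantine
# (recoverable, unlike --remove) and keep everything in a dated log file.
scan_tree() {
    log=$LOGDIR/scan-$(date +%Y%m%d-%H%M%S).log
    mkdir -p "$QUARANTINE" "$LOGDIR"
    clamscan -r -i --move="$QUARANTINE" -l "$log" "$1" >/dev/null 2>&1
    verdict "$?" "$log"
}

# Constructed sample of clamscan output with two hits, for trying found_lines
# offline. The signature names are placeholders, not real ClamAV names.
sample_log() {
    cat > "$1" <<'EOF'
/srv/uploads/invoice 2024.pdf: Example.Test.Placeholder-1 FOUND
/srv/uploads/invoice 2024.pdf: moved to '/quarantine/invoice 2024.pdf'
/srv/uploads/readme.txt: OK
/srv/uploads/eicar.com: Example.Test.EICAR-Placeholder FOUND
/srv/uploads/eicar.com: moved to '/quarantine/eicar.com'
EOF
}

# Usage: sh scan-job.sh selftest | scan <dir>
case ${1:-} in
    selftest) selftest && echo "EICAR detected, scanner OK" \
                       || { echo "EICAR NOT detected" >&2; exit 1; } ;;
    scan)     selftest || { echo "aborting: scanner self-test failed" >&2; exit 2; }
              scan_tree "${2:-/home}" ;;
esac
```

Run it as root from cron (`sh scan-job.sh scan /var/www`) after freshclam has done its work; the self-test catches a broken or database-less installation before a scan that would otherwise report "clean" for the wrong reason, and the `found_lines` output is what you feed into a ticket or alert.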

Conclusion

ClamAV is not a real-time guard like commercial desktop suites; it shines wherever files pass through a controlled chokepoint: mail gateways, upload directories and scheduled cron scans. Pair it with freshclam for fresh signatures and reach for --remove only with care – quarantine via --move is almost always the safer choice, because it lets you recover false positives.

Further Reading

  • age – simple, modern file encryption
  • fail2ban – block brute-force attacks via log analysis
  • firewalld – manage dynamic firewall rules