ClamAV
DRAFT
This page is still a draft. Thank you for your understanding.
Description
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.
Installation
From packages
$ sudo aptitude install clamav clamav-freshclam
From sources
$ cd /data/src/
$ wget http://downloads.sourceforge.net/project/clamav/clamav/0.97.6/clamav-0.97.6.tar.gz
$ tar xzvf clamav-0.97.6.tar.gz
$ cd clamav-0.97.6/
$ ./configure
$ make
$ sudo make install
Usage
clamscan
- --help, -h
- Print this help screen
- --version, -V
- Print version number
- --verbose, -v
- Be verbose
- --debug
- Enable libclamav's debug messages
- --quiet
- Only output error messages
- --stdout
- Write to stdout instead of stderr
- --no-summary
- Disable summary at end of scanning
- --infected, -i
- Only print infected files
- --bell
- Sound bell on virus detection
- --tempdir=DIRECTORY
- Create temporary files in DIRECTORY
- --leave-temps[=yes/no(*)]
- Do not remove temporary files
- --database=FILE/DIR, -d FILE/DIR
- Load virus database from FILE or load all supported db files from DIR
- --official-db-only[=yes/no(*)]
- Only load official signatures
- --log=FILE, -l FILE
- Save scan report to FILE
- --recursive[=yes/no(*)], -r
- Scan subdirectories recursively
- --cross-fs[=yes(*)/no]
- Scan files and directories on other filesystems
- --follow-dir-symlinks[=0/1(*)/2]
- Follow directory symlinks (0 = never, 1 = direct, 2 = always)
- --follow-file-symlinks[=0/1(*)/2]
- Follow file symlinks (0 = never, 1 = direct, 2 = always)
- --file-list=FILE, -f FILE
- Scan files from FILE
- --remove[=yes/no(*)]
- Remove infected files. Be careful!
- --move=DIRECTORY
- Move infected files into DIRECTORY
- --copy=DIRECTORY
- Copy infected files into DIRECTORY
- --exclude=REGEX
- Don't scan file names matching REGEX
- --exclude-dir=REGEX
- Don't scan directories matching REGEX
- --include=REGEX
- Only scan file names matching REGEX
- --include-dir=REGEX
- Only scan directories matching REGEX
- --bytecode[=yes(*)/no]
- Load bytecode from the database
- --bytecode-unsigned[=yes/no(*)]
- Load unsigned bytecode
- --bytecode-timeout=N
- Set bytecode timeout (in milliseconds)
- --detect-pua[=yes/no(*)]
- Detect Possibly Unwanted Applications
- --exclude-pua=CAT
- Skip PUA sigs of category CAT
- --include-pua=CAT
- Load PUA sigs of category CAT
- --detect-structured[=yes/no(*)]
- Detect structured data (SSN, Credit Card)
- --structured-ssn-format=X
- SSN format (0=normal,1=stripped,2=both)
- --structured-ssn-count=N
- Min SSN count to generate a detect
- --structured-cc-count=N
- Min CC count to generate a detect
- --scan-mail[=yes(*)/no]
- Scan mail files
- --phishing-sigs[=yes(*)/no]
- Signature-based phishing detection
- --phishing-scan-urls[=yes(*)/no]
- URL-based phishing detection
- --heuristic-scan-precedence[=yes/no(*)]
- Stop scanning as soon as a heuristic match is found
- --phishing-ssl[=yes/no(*)]
- Always block SSL mismatches in URLs (phishing module)
- --phishing-cloak[=yes/no(*)]
- Always block cloaked URLs (phishing module)
- --algorithmic-detection[=yes(*)/no]
- Algorithmic detection
- --scan-pe[=yes(*)/no]
- Scan PE files
- --scan-elf[=yes(*)/no]
- Scan ELF files
- --scan-ole2[=yes(*)/no]
- Scan OLE2 containers
- --scan-pdf[=yes(*)/no]
- Scan PDF files
- --scan-html[=yes(*)/no]
- Scan HTML files
- --scan-archive[=yes(*)/no]
- Scan archive files (supported by libclamav)
- --detect-broken[=yes/no(*)]
- Try to detect broken executable files
- --block-encrypted[=yes/no(*)]
- Block encrypted archives
- --max-filesize=#n
- Files larger than this will be skipped and assumed clean
- --max-scansize=#n
- The maximum amount of data to scan for each container file (**)
- --max-files=#n
- The maximum number of files to scan for each container file (**)
- --max-recursion=#n
- Maximum archive recursion level for container file (**)
- --max-dir-recursion=#n
- Maximum directory recursion level
Use cases
Update signatures
$ sudo freshclam
ClamAV update process started at Sat Mar 2 21:48:29 2013
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Downloading daily.cvd [ 12%]
Scan a file
$ clamscan /data/exploits/winfixer.exe
/data/exploits/winfixer.exe: Worm.Autorun-7661 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1044387
Engine version: 0.97.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.03 MB
Data read: 0.03 MB (ratio 1.00:1)
Time: 1.998 sec (0 m 1 s)
Scan a directory
$ clamscan /data/exploits/
/data/exploits/arru.exe: OK
/data/exploits/setup[1].exe: OK
/data/exploits/nuxninqynkow.exe: OK
/data/exploits/MsMxEng.exe: Trojan.Buzus-6212 FOUND
/data/exploits/ARPPRODUCTICON.exe: OK
/data/exploits/nopenico.exe: OK
/data/exploits/Captain Coucou!.JPG: OK
/data/exploits/ptrvta.exe: OK
/data/exploits/360Tray.exe: OK
/data/exploits/vgwisb.exe: OK
/data/exploits/ose00000.exe: OK
/data/exploits/alicsrv.exe: OK
/data/exploits/Dc30.exe: OK
/data/exploits/Persomod.exe: OK
/data/exploits/tm2002.exe: OK
/data/exploits/teasing.exe: OK
/data/exploits/ICBCEBankAssist.exe: OK
/data/exploits/hod.exe: Worm.Autorun-2205 FOUND
/data/exploits/ext_1.exe: OK
/data/exploits/My IP Address.exe: OK
/data/exploits/Skycn_1.2.1.exe: OK
/data/exploits/panjxg.exe: OK
/data/exploits/6C82D104845D404ED19B40607B07D287.ico: OK
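Added example (not from the original page or the ClamAV project): a small POSIX shell wrapper that combines the clamscan options listed above into a quarantine scan and then parses the report format shown in the use cases. It assumes clamscan is on PATH (override with CLAMSCAN=...), that --exclude-dir is matched against the full directory path, and that the exit codes 0/1/2 mean clean/infected/error as documented in the clamscan manual.

```shell
#!/bin/sh
# Added example, not part of the page: nightly-style scan wrapper around clamscan.

# scan_and_quarantine DIR QUARANTINE LOGFILE
# Recursive scan that prints only infected files, moves them into QUARANTINE
# (safer than --remove, which is irreversible), excludes the quarantine
# directory so moved files are not rescanned, and appends the report to LOGFILE.
# Size and recursion limits keep one huge archive from stalling the whole run.
# Returns clamscan's exit status: 0 = clean, 1 = infections found, 2 = error.
scan_and_quarantine() {
    dir=$1; quarantine=$2; logfile=$3
    mkdir -p "$quarantine" || return 2
    "${CLAMSCAN:-clamscan}" --recursive --infected \
        --exclude-dir="^$quarantine" \
        --move="$quarantine" \
        --log="$logfile" \
        --max-filesize=50M --max-scansize=200M --max-recursion=10 \
        "$dir"
}

# describe_status CODE: human-readable meaning of the exit code (for cron mail).
describe_status() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown status $1" ;;
    esac
}

# Report lines look like "/path/to/file: Signature.Name-1234 FOUND".
# The signature never contains spaces, so it is matched from the right-hand
# side; paths containing ": " or spaces stay intact.

# count_detections REPORT: number of FOUND lines (prints 0 when none).
count_detections() {
    grep -c ' FOUND$' "$1" || true
}

# infected_paths REPORT: one detected file path per line.
infected_paths() {
    sed -n 's/^\(.*\): [^ ]* FOUND$/\1/p' "$1"
}

# detected_signatures REPORT: sorted, de-duplicated signature names.
detected_signatures() {
    sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' "$1" | sort -u
}
```

Typical use from cron: `scan_and_quarantine /data/exploits /var/quarantine /var/log/clamscan.log; describe_status $?`.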