Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
Clam Daemon(8)			Clam AntiVirus			Clam Daemon(8)

       clamd - an anti-virus daemon

       clamd [options]

       The  daemon  listens for	incoming connections on	Unix and/or TCP	socket
       and scans files or directories on demand. It  reads  the	 configuration
       from /usr/local/etc/clamd.conf

       It's recommended	to prefix clamd	commands with the letter z (eg.	zSCAN)
       to indicate that	the command will be delimited by a NULL	character  and
       that  clamd should continue reading command data	until a	NULL character
       is read.	The null delimiter assures that	the complete command  and  its
       entire  argument	 will  be processed as a single	command. Alternatively
       commands	may be prefixed	with the letter	n (e.g.	nSCAN) to use  a  new-
       line  character	as  the	 delimiter.  Clamd replies will	honour the re-
       quested terminator in turn.  If clamd doesn't recognize the command, or
       the  command  doesn't  follow the requirements specified	below, it will
       reply with an error message, and	close the connection.

       Clamd recognizes	the following commands:

       PING   Check the	server's state.	It should reply	with "PONG".

	      Print program and	database versions.

       RELOAD Reload the virus databases.

	      Perform a	clean exit.

       SCAN file/directory
	      Scan a file or a directory (recursively)	with  archive  support
	      enabled  (if  not	 disabled  in  clamd.conf). A full path	is re-

       CONTSCAN	file/directory
	      Scan file	or directory (recursively) with	 archive  support  en-
	      abled and	don't stop the scanning	when a virus is	found.

       MULTISCAN file/directory
	      Scan  file in a standard way or scan directory (recursively) us-
	      ing multiple threads (to make the	scanning  faster  on  SMP  ma-

       ALLMATCHSCAN file/directory
	      ALLMATCHSCAN  works  just	 like  SCAN except that	it sets	a mode
	      where scanning continues after finding a match within a file.

	      It is mandatory to prefix	this command with n or z.

	      Scan a stream of data. The stream	is sent	to  clamd  in  chunks,
	      after  INSTREAM,	on  the	 same  socket on which the command was
	      sent.  This avoids the overhead of establishing new TCP  connec-
	      tions  and  problems  with  NAT.	The  format  of	 the chunk is:
	      '<length><data>' where <length> is the  size  of	the  following
	      data  in bytes expressed as a 4 byte unsigned integer in network
	      byte order and <data> is the actual chunk. Streaming  is	termi-
	      nated  by	 sending  a  zero-length  chunk.  Note:	 do not	exceed
	      StreamMaxLength as defined in clamd.conf,	otherwise  clamd  will
	      reply  with  INSTREAM  size limit	exceeded and close the connec-

       FILDES It is mandatory to newline terminate  this  command,  or	prefix
	      with n or	z.

	      This command only	works on UNIX domain sockets.  Scan a file de-
	      scriptor.	 After	issuing	 a   FILDES   command	a   subsequent
	      rfc2292/bsd4.4  style packet (with at least one dummy character)
	      is sent to clamd carrying	the file descriptor to be scanned  in-
	      side  the	ancillary data.	 Alternatively the file	descriptor may
	      be sent in the same packet, including the	extra character.

       STATS  It is mandatory to newline terminate  this  command,  or	prefix
	      with n or	z, it is recommended to	only use the z prefix.

	      Replies  with  statistics	about the scan queue, contents of scan
	      queue, and memory	usage. The exact reply format  is  subject  to
	      change in	future releases.

	      It is mandatory to prefix	this command with n or z, and all com-
	      mands inside IDSESSION must be prefixed.

	      Start/end	a clamd	session. Within	a session multiple  SCAN,  IN-
	      STREAM,  FILDES, VERSION,	STATS commands can be sent on the same
	      socket without opening new connections. Replies from clamd  will
	      be in the	form '<id>: <response>'	where <id> is the request num-
	      ber (in ascii, starting from 1)  and  <response>	is  the	 usual
	      clamd  reply.  The reply lines have same delimiter as the	corre-
	      sponding command had.  Clamd will	 process  the  commands	 asyn-
	      chronously, and reply as soon as it has finished processing.

	      Clamd  requires  clients to read all the replies it sent,	before
	      sending more commands to prevent send()  deadlocks.  The	recom-
	      mended  way  to  implement  a client that	uses IDSESSION is with
	      non-blocking sockets, and	a select()/poll() loop:	whenever  send
	      would  block,  sleep  in	select/poll until either you can write
	      more data, or read more replies.	Note that  using  non-blocking
	      sockets	without	  the	select/poll   loop   and   alternating
	      recv()/send() doesn't comply with	clamd's	requirements.

	      If clamd detects that a client has deadlocked,   it  will	 close
	      the  connection.	Note that clamd	may close an IDSESSION connec-
	      tion too if you don't follow the	protocol's  requirements.  The
	      client can use the PING command to keep the connection alive.

	      It  is  mandatory	to prefix this command with either n or	z.  It
	      is recommended to	use nVERSIONCOMMANDS.

	      Print program and	database versions, followed by	"|  COMMANDS:"
	      and  a  space-delimited list of supported	commands.  Clamd <0.95
	      will recognize this as the VERSION command, and reply only  with
	      their version, without the commands list.

	      This  command  can be used as an easy way	to check for IDSESSION
	      support for example.


       STREAM Scan stream - on this command clamd will	return	"PORT  number"
	      you  should  connect  to and send	data to	scan. (DEPRECATED, use
	      INSTREAM instead)


	      Start/end	a clamd	session	which will allow you to	 run  multiple
	      commands per TCP session.	(use IDSESSION instead)

       -h, --help
	      Output help information and exit.

       -V, --version
	      Print the	version	number and exit.

       -F, --foreground
	      Run in foreground; do not	daemonize.

	      Enable debug mode.

       -c FILE,	--config-file=FILE
	      Read configuration from FILE.

       Clamd recognizes	the following signals:

       SIGHUP Reopen the logfile.

	      Reload the signature databases.

	      Perform a	clean exit.


       Please check the	full documentation for credits.

       Tomasz Kojm <>

       clamd.conf(5),	clamdscan(1),  freshclam(1),  freshclam.conf(5),  cla-

ClamAV 0.102.4		       February	12, 2009		Clam Daemon(8)


Want to link to this manual page? Use this URL:

home | help