mirror of
https://gitea.com/mcereda/oam.git
synced 2026-02-09 05:44:23 +00:00
ClamAV
TL;DR
# manually update the virus definitions
# do it once **before** starting a scan or the daemon
# the definitions updater daemon must be stopped to avoid complaints from it
sudo systemctl stop clamav-freshclam \
&& sudo freshclam \
&& sudo systemctl enable --now clamav-freshclam
# scan a file or directory
clamscan path/to/file
clamscan --recursive path/to/dir
# only report infected files, or hide the OK lines
clamscan --infected /home/
clamscan --suppress-ok-results Downloads/
# save results to file
clamscan --bell -i -r /home -l output.txt
# scan files in a list
clamscan -i -f /tmp/scan.list
# remove infected files, or move them to a quarantine directory
clamscan -r --remove /home/user
clamscan -r -i --move=/home/user/infected /home/
# limit cpu usage
nice -n 15 clamscan --bell -i -r /home
# use multiple threads: clamscan is single-threaded, see Gotchas for running scans in parallel
Gotchas
- The --fdpass option of clamdscan (notice the d in the command) sends a file descriptor to clamd rather than a path name, avoiding the need for the clamav user to be able to read everyone's files.
- clamscan is designed to be single-threaded, so when scanning a file or directory from the command line only a single CPU thread is used; use xargs or another executor to run a scan in parallel:

      find . -type f -print0 | xargs -0 -P "$(nproc)" -n 1 clamscan
      find . -type f | parallel --group --jobs 0 -d '\n' clamscan {}
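
The parallel scan above, as an added example that is not part of the original notes: a wrapper that passes file names NUL-delimited and records each clamscan exit code, because xargs reports 123 for any failing child and so hides whether a file was infected (1) or could not be scanned (2). The names parallel_scan and SCANNER are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original notes. parallel_scan and SCANNER are
# names chosen here; SCANNER lets a different scanner binary be substituted.

parallel_scan() {
    ps_dir=$1
    ps_scanner=${SCANNER:-clamscan}
    [ -d "$ps_dir" ] || { echo "not a directory: $ps_dir" >&2; return 2; }
    ps_codes=$(mktemp) || return 2

    # -print0 / -0 pass names NUL-delimited, so quotes, spaces or newlines in
    # a file name cannot split an argument or make xargs skip the file.
    # -r: do nothing on an empty file list instead of scanning the cwd.
    find "$ps_dir" -type f -print0 |
        xargs -0 -r -P "$(nproc)" -n 1 sh -c '
            "$1" --no-summary --infected "$3"
            echo "$?" >> "$2"    # record the exit code for this file
        ' sh "$ps_scanner" "$ps_codes"

    # clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = error.
    # Anything other than 0 or 1 (including 127, scanner missing) is an error.
    ps_total=$(grep -c '' "$ps_codes" || true)
    ps_infected=$(grep -cx 1 "$ps_codes" || true)
    ps_errors=$(grep -cvx '[01]' "$ps_codes" || true)
    rm -f "$ps_codes"

    echo "scanned=$ps_total infected=$ps_infected errors=$ps_errors"
    [ "$ps_infected" -eq 0 ] || return 1   # at least one infected file
    [ "$ps_errors" -eq 0 ] || return 2     # no infection, but coverage gaps
    return 0
}

# When run as a script with arguments: ./parallel_scan.sh /home
[ "$#" -eq 0 ] || parallel_scan "$@"
```

A return value of 2 means some files were never scanned, so a "nothing infected" result from that run does not cover the whole tree.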