oam/knowledge base/clamav.md
2023-07-09 18:17:32 +02:00

ClamAV

Table of contents

  1. TL;DR
  2. Gotchas
  3. Further readings
  4. Sources

TL;DR

# Manually update the virus definitions.
# Do this once **before** starting a scan or the daemon.
# The 'clamav-freshclam' daemon holds the lock on the update log, so it **must be stopped**
# first or 'freshclam' complains. Restart it afterwards even if the manual update failed,
# otherwise a failed update silently leaves the machine without automatic updates.
sudo systemctl stop 'clamav-freshclam' \
&& { sudo freshclam; sudo systemctl enable --now 'clamav-freshclam'; }

# scan a file or directory.
clamscan 'path/to/file'
clamscan --recursive 'path/to/dir'

# only print infected files (skip the 'OK' lines).
# directory arguments are not descended into without -r.
clamscan -r --infected '/home/'
clamscan -r --suppress-ok-results 'Downloads/'

# save results to file.
clamscan --bell -i -r '/home' -l 'output.txt'

# scan files in a list.
clamscan -i -f '/tmp/scan.list'

# remove infected files.
clamscan -r --remove '/home/user'
clamscan -r -i --move='/home/user/infected' '/home/'

# limit cpu usage: lower the priority of the scan itself.
# a bare 'nice -n 15 clamscan' scans the current directory and nothing else.
nice -n 15 clamscan --bell -i -r '/home'

# use multiple processes.
# clamscan is single-threaded and loads the whole signature database on every
# start, so batch files per process (-n) and bound the process count: one process
# per file, or 'parallel --jobs 0', is slow and quickly exhausts memory.
# -print0/-0 keeps paths containing spaces or quotes intact.
find . -type f -print0 | xargs -0 -P "$(nproc)" -n 100 clamscan -i --no-summary
find . -type f -print0 | parallel -0 --group --jobs "$(nproc)" -n 100 clamscan -i --no-summary {}

Gotchas

  • The --fdpass option of clamdscan (notice the d in the command) sends an open file descriptor to the running clamd daemon rather than a path name, so the user clamd runs as (usually clamav) does not need read access to everyone's files. Combine it with --multiscan (-m) to have clamd's worker threads (MaxThreads in clamd.conf) scan in parallel; this is the way to get a multithreaded scan without starting one clamscan process per file.

  • clamscan is designed to be single-threaded, so when scanning a file or directory from the command line only a single CPU thread is used. Use xargs or another executor to run several clamscan processes in parallel, batching files so the signature database is not reloaded once per file and bounding the process count, since every process holds its own copy of the database in memory:

    find . -type f -print0 | xargs -0 -P "$(nproc)" -n 100 clamscan -i --no-summary
    find . -type f -print0 | parallel -0 --group --jobs "$(nproc)" -n 100 clamscan -i --no-summary {}
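
    Putting the two parallel-scan snippets above together, an added example that is not part of the original page or of the ClamAV project: a bash wrapper that feeds batches of files to a bounded number of clamscan processes and derives the result from the captured output rather than from the xargs exit status (GNU xargs folds any non-zero child status into 123, so it cannot tell "infected" from "unreadable"). The function names `count_found`, `count_errors`, `scan_status` and `parallel_scan`, the batch size of 100 and the sample log are assumptions made here; the sample log is constructed to look like `clamscan --infected --no-summary` output and lets the summary logic run without clamscan installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or the ClamAV project.
# Assumes GNU find, GNU xargs, nproc, mktemp and (for real scans) clamscan.
#
# clamscan exit status: 0 = clean, 1 = infected file(s) found, 2 = error.
# xargs turns any non-zero child status into 123, so the FOUND / ERROR
# lines in the captured output are the reliable signal, not the exit code.

# Count lines of the form "<path>: <signature> FOUND" in a scan log.
count_found() {
    # grep -c still prints "0" when nothing matches but exits 1; mask that.
    grep -c ': .* FOUND$' "$1" || true
}

# Count lines ending in " ERROR" (unreadable files, broken archives, ...).
count_errors() {
    grep -c ' ERROR$' "$1" || true
}

# Map a scan log to clamscan's own convention: 0 clean, 1 infected, 2 errors.
scan_status() {
    if [ "$(count_found "$1")" -gt 0 ]; then
        return 1
    elif [ "$(count_errors "$1")" -gt 0 ]; then
        return 2
    fi
    return 0
}

# Scan DIR with JOBS concurrent clamscan processes, each given up to BATCH
# files, so the signature database is loaded once per batch, not per file.
# Raw output goes to LOG; the return value follows scan_status.
parallel_scan() {
    local dir="$1" log="$2" jobs="${3:-$(nproc)}" batch="${4:-100}"
    find "$dir" -type f -print0 \
        | xargs -0 -r -P "$jobs" -n "$batch" \
            clamscan --infected --no-summary --stdout >"$log" 2>&1
    scan_status "$log"
}

summarize() {
    printf 'infected=%s errors=%s\n' "$(count_found "$1")" "$(count_errors "$1")"
}

# Constructed sample log (assumption): what two batches of
# 'clamscan --infected --no-summary' might print on a home directory.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
/home/user/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/user/Downloads/archive.zip: Win.Test.EICAR_HDB-1 FOUND
/home/user/.cache/locked.db: Can't open file or directory ERROR
EOF

# With a directory argument and clamscan available, run a real scan;
# otherwise exercise the summary logic on the constructed sample.
if [ -n "${1:-}" ] && command -v clamscan >/dev/null 2>&1; then
    parallel_scan "$1" "${2:-scan.log}"
    rc=$?
    summarize "${2:-scan.log}"
    exit "$rc"
else
    summarize "$SAMPLE_LOG"
fi
```

    Run it as `./parscan.sh /home scan.log` (hypothetical file name) to scan with one process per core; the exit status then means the same thing it would for a single clamscan invocation, and `scan.log` keeps the per-file FOUND and ERROR lines for triage.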
    

Further readings

Sources

All the references in the further readings section, plus the following: