Clam Daemon(8) Clam AntiVirus Clam Daemon(8)
NAME
clamd - an anti-virus daemon
SYNOPSIS
clamd [options]
DESCRIPTION
The daemon listens for incoming connections on Unix and/or TCP socket
and scans files or directories on demand. It reads the configuration
from /etc/clamav/clamd.conf
COMMANDS
It's recommended to prefix clamd commands with the letter z (eg. zSCAN)
to indicate that the command will be delimited by a NULL character and
that clamd should continue reading command data until a NULL character
is read. The null delimiter assures that the complete command and its
entire argument will be processed as a single command. Alternatively
commands may be prefixed with the letter n (e.g. nSCAN) to use a new-
line character as the delimiter. Clamd replies will honour the re-
quested terminator in turn. If clamd doesn't recognize the command, or
the command doesn't follow the requirements specified below, it will
reply with an error message, and close the connection.
Clamd recognizes the following commands:
PING Check the server's state. It should reply with "PONG".
VERSION
Print program and database versions.
RELOAD Reload the virus databases.
SHUTDOWN
Perform a clean exit.
SCAN file/directory
Scan a file or a directory (recursively) with archive support
enabled (if not disabled in clamd.conf). A full path is re-
quired.
CONTSCAN file/directory
Scan file or directory (recursively) with archive support en-
abled and don't stop the scanning when a virus is found.
MULTISCAN file/directory
Scan file in a standard way or scan directory (recursively) us-
ing multiple threads (to make the scanning faster on SMP ma-
chines).
ALLMATCHSCAN file/directory
ALLMATCHSCAN works just like SCAN except that it sets a mode
where scanning continues after finding a match within a file.
INSTREAM
It is mandatory to prefix this command with n or z.
Scan a stream of data. The stream is sent to clamd in chunks,
after INSTREAM, on the same socket on which the command was
sent. This avoids the overhead of establishing new TCP connec-
tions and problems with NAT. The format of the chunk is:
'<length><data>' where <length> is the size of the following
data in bytes expressed as a 4 byte unsigned integer in network
byte order and <data> is the actual chunk. Streaming is termi-
nated by sending a zero-length chunk. Note: do not exceed
StreamMaxLength as defined in clamd.conf, otherwise clamd will
reply with INSTREAM size limit exceeded and close the connec-
tion.
FILDES It is mandatory to newline terminate this command, or prefix
with n or z.
This command only works on UNIX domain sockets. Scan a file de-
scriptor. After issuing a FILDES command a subsequent
rfc2292/bsd4.4 style packet (with at least one dummy character)
is sent to clamd carrying the file descriptor to be scanned in-
side the ancillary data. Alternatively the file descriptor may
be sent in the same packet, including the extra character.
STATS It is mandatory to newline terminate this command, or prefix
with n or z, it is recommended to only use the z prefix.
Replies with statistics about the scan queue, contents of scan
queue, and memory usage. The exact reply format is subject to
change in future releases.
IDSESSION, END
It is mandatory to prefix this command with n or z, and all com-
mands inside IDSESSION must be prefixed.
Start/end a clamd session. Within a session multiple SCAN, IN-
STREAM, FILDES, VERSION, STATS commands can be sent on the same
socket without opening new connections. Replies from clamd will
be in the form '<id>: <response>' where <id> is the request num-
ber (in ascii, starting from 1) and <response> is the usual
clamd reply. The reply lines have same delimiter as the corre-
sponding command had. Clamd will process the commands asyn-
chronously, and reply as soon as it has finished processing.
Clamd requires clients to read all the replies it sent, before
sending more commands to prevent send() deadlocks. The recom-
mended way to implement a client that uses IDSESSION is with
non-blocking sockets, and a select()/poll() loop: whenever send
would block, sleep in select/poll until either you can write
more data, or read more replies. Note that using non-blocking
sockets without the select/poll loop and alternating
recv()/send() doesn't comply with clamd's requirements.
If clamd detects that a client has deadlocked, it will close
the connection. Note that clamd may close an IDSESSION connec-
tion too if you don't follow the protocol's requirements. The
client can use the PING command to keep the connection alive.
VERSIONCOMMANDS
It is mandatory to prefix this command with either n or z. It
is recommended to use nVERSIONCOMMANDS.
Print program and database versions, followed by "| COMMANDS:"
and a space-delimited list of supported commands. Clamd <0.95
will recognize this as the VERSION command, and reply only with
their version, without the commands list.
This command can be used as an easy way to check for IDSESSION
support for example.
DEPRECATED COMMANDS
STREAM Scan stream - on this command clamd will return "PORT number"
you should connect to and send data to scan. (DEPRECATED, use
INSTREAM instead)
NOT SUPPORTED COMMANDS
SESSION, END
Start/end a clamd session which will allow you to run multiple
commands per TCP session. (use IDSESSION instead)
OPTIONS
-h, --help
Output help information and exit.
-V, --version
Print the version number and exit.
-F, --foreground
Run in foreground; do not daemonize.
--debug
Enable debug mode.
-c FILE, --config-file=FILE
Read configuration from FILE.
SIGNALS
Clamd recognizes the following signals:
SIGHUP Reopen the logfile.
SIGUSR2
Reload the signature databases.
SIGTERM
Perform a clean exit.
FILES
/etc/clamav/clamd.conf
CREDITS
Please check the full documentation for credits.
AUTHOR
Tomasz Kojm <tkojm@clamav.net>
SEE ALSO
clamd.conf(5), clamdscan(1), freshclam(1), freshclam.conf(5), cla-
mav-milter(8)
ClamAV 0.102.4 February 12, 2009 Clam Daemon(8)