clamd - an anti-virus daemon
The daemon listens for incoming connections on Unix and/or TCP socket
and scans files or directories on demand. It reads the configuration
It's recommended to prefix clamd commands with the letter z (eg. zSCAN)
to indicate that the command will be delimited by a NULL character and
that clamd should continue reading command data until a NULL character
is read. The null delimiter assures that the complete command and its
entire argument will be processed as a single command. Alternatively
commands may be prefixed with the letter n (e.g. nSCAN) to use a
newline character as the delimiter. Clamd replies will honour the
requested terminator in turn. If clamd doesn't recognize the command,
or the command doesn't follow the requirements specified below, it will
reply with an error message, and close the connection.
Clamd recognizes the following commands:
PING Check the server's state. It should reply with "PONG".
Print program and database versions.
RELOAD Reload the virus databases.
Perform a clean exit.
Scan a file or a directory (recursively) with archive support
enabled (if not disabled in clamd.conf). A full path is
Scan file or directory (recursively) with archive support
enabled and don't stop the scanning when a virus is found.
Scan file in a standard way or scan directory (recursively)
using multiple threads (to make the scanning faster on SMP
It is mandatory to prefix this command with n or z.
Scan a stream of data. The stream is sent to clamd in chunks,
after INSTREAM, on the same socket on which the command was
sent. This avoids the overhead of establishing new TCP
connections and problems with NAT. The format of the chunk is:
'<length><data>' where <length> is the size of the following
data in bytes expressed as a 4 byte unsigned integer in network
byte order and <data> is the actual chunk. Streaming is
terminated by sending a zero-length chunk. Note: do not exceed
StreamMaxLength as defined in clamd.conf, otherwise clamd will
reply with INSTREAM size limit exceeded and close the
FILDES It is mandatory to newline terminate this command, or prefix
with n or z.
This command only works on UNIX domain sockets. Scan a file
descriptor. After issuing a FILDES command a subsequent
rfc2292/bsd4.4 style packet (with at least one dummy character)
is sent to clamd carrying the file descriptor to be scanned
inside the ancillary data. Alternatively the file descriptor
may be sent in the same packet, including the extra character.
STATS IIt is mandatory to newline terminate this command, or prefix
with n or z, it is recommended to only use the z prefix.
Replies with statistics about the scan queue, contents of scan
queue, and memory usage. The exact reply format is subject to
change in future releases.
It is mandatory to prefix this command with n or z, and all
commands inside IDSESSION must be prefixed.
Start/end a clamd session. Within a session multiple SCAN,
INSTREAM, FILDES, VERSION, STATS commands can be sent on the
same socket without opening new connections. Replies from clamd
will be in the form '<id>: <response>' where <id> is the request
number (in ascii, starting from 1) and <response> is the usual
clamd reply. The reply lines have same delimiter as the
corresponding command had. Clamd will process the commands
asynchronously, and reply as soon as it has finished processing.
Clamd requires clients to read all the replies it sent, before
sending more commands to prevent send() deadlocks. The
recommended way to implement a client that uses IDSESSION is
with non-blocking sockets, and a select()/poll() loop: whenever
send would block, sleep in select/poll until either you can
write more data, or read more replies. Note that using non-
blocking sockets without the select/poll loop and alternating
recv()/send() doesn't comply with clamd's requirements.
If clamd detects that a client has deadlocked, it will close
the connection. Note that clamd may close an IDSESSION
connection too if you don't follow the protocol's requirements.
It is mandatory to prefix this command with either n or z. It
is recommended to use nVERSIONCOMMANDS.
Print program and database versions, followed by "| COMMANDS:"
and a space-delimited list of supported commands. Clamd <0.95
will recognize this as the VERSION command, and reply only with
their version, without the commands list.
This command can be used as an easy way to check for IDSESSION
support for example.
STREAM Scan stream - on this command clamd will return "PORT number"
you should connect to and send data to scan. (DEPRECATED, use
NOT SUPPORTED COMMANDS
Start/end a clamd session which will allow you to run multiple
commands per TCP session. (use IDSESSION instead)
Output help information and exit.
Print the version number and exit.
-c FILE, --config-file=FILE
Read configuration from FILE.
Clamd recognizes the following signals:
SIGHUP Reopen the logfile.
Reload the signature databases.
Perform a clean exit.
Please check the full documentation for credits.
Tomasz Kojm <firstname.lastname@example.org>
clamd.conf(5), clamdscan(1), freshclam(1), freshclam.conf(5),