<H2><A NAME="SECTION00061000000000000000"></A><A NAME="clamd"></A>
Clamd</H2>
<P>
<code>clamd</code> is a multi-threaded daemon that uses <SPAN CLASS="textit">libclamav</SPAN>
to scan files for viruses. It may work in one or both modes listening on:
<UL>
<LI>Unix (local) socket
</LI>
</UL>
The daemon is fully configurable via the <code>clamd.conf</code> file
<A HREF="footnode.html#foot227"><SUP><SPAN CLASS="arabic">6</SPAN></SUP></A>. <code>clamd</code> recognizes the following commands:
<UL>
<LI><SPAN CLASS="textbf">PING</SPAN>
<BR>
Check the daemon's state (should reply with "PONG").
</LI>
<LI><SPAN CLASS="textbf">VERSION</SPAN>
<BR>
Print program and database versions.
</LI>
<LI><SPAN CLASS="textbf">RELOAD</SPAN>
</LI>
<LI><SPAN CLASS="textbf">SHUTDOWN</SPAN>
</LI>
<LI><SPAN CLASS="textbf">SCAN file/directory</SPAN>
<BR>
Scan file or directory (recursively) with archive support
enabled (a full path is required).
</LI>
<LI><SPAN CLASS="textbf">RAWSCAN file/directory</SPAN>
<BR>
Scan file or directory (recursively) with archive and special file
support disabled (a full path is required).
</LI>
<LI><SPAN CLASS="textbf">CONTSCAN file/directory</SPAN>
<BR>
Scan file or directory (recursively) with archive support
enabled and don't stop the scanning when a virus is found.
</LI>
<LI><SPAN CLASS="textbf">MULTISCAN file/directory</SPAN>
<BR>
Scan file in a standard way or scan directory (recursively) using
multiple threads (to make the scanning faster on SMP machines).
</LI>
<LI><SPAN CLASS="textbf">INSTREAM</SPAN>
<BR> <SPAN CLASS="textit">It is mandatory to prefix this command with <SPAN CLASS="textbf">n</SPAN> or
<SPAN CLASS="textbf">z</SPAN>.</SPAN>
<BR>
Scan a stream of data. The stream is sent to clamd in chunks,
after INSTREAM, on the same socket on which the command
was sent. This avoids the overhead of establishing new TCP
connections and problems with NAT. The format of the chunk is:
<code>&lt;length&gt;&lt;data&gt;</code> where <code>&lt;length&gt;</code> is the size of the
following data in bytes expressed as a 4 byte unsigned integer in
network byte order and <code>&lt;data&gt;</code> is the actual chunk. Streaming
is terminated by sending a zero-length chunk. Note: do not exceed
StreamMaxLength as defined in clamd.conf, otherwise clamd will
reply with <SPAN CLASS="textit">INSTREAM size limit exceeded</SPAN> and close the
</LI>
<LI><SPAN CLASS="textbf">FILDES</SPAN>
<BR> <SPAN CLASS="textit">It is mandatory to newline terminate this command, or prefix
with <SPAN CLASS="textbf">n</SPAN> or <SPAN CLASS="textbf">z</SPAN>. This command only works on UNIX
domain sockets.</SPAN>
<BR>
Scan a file descriptor. After issuing a FILDES command a subsequent
rfc2292/bsd4.4 style packet (with at least one dummy character) is
sent to clamd carrying the file descriptor to be scanned inside the
ancillary data. Alternatively the file descriptor may be sent in
the same packet, including the extra character.
</LI>
<LI><SPAN CLASS="textbf">STATS</SPAN>
<BR> <SPAN CLASS="textit">It is mandatory to newline terminate this command, or prefix
with <SPAN CLASS="textbf">n</SPAN> or <SPAN CLASS="textbf">z</SPAN>; it is recommended to only use the
<SPAN CLASS="textbf">z</SPAN> prefix.</SPAN>
<BR>
On this command clamd provides statistics about the scan queue,
contents of scan queue, and memory usage. The exact reply format is
subject to changes in future releases.
</LI>
<LI><SPAN CLASS="textbf">IDSESSION, END</SPAN>
<BR> <SPAN CLASS="textit">It is mandatory to prefix this command with <SPAN CLASS="textbf">n</SPAN> or
<SPAN CLASS="textbf">z</SPAN>, also all commands inside <SPAN CLASS="textbf">IDSESSION</SPAN> must be</SPAN>
<BR>
Start/end a clamd session. Within a session multiple
SCAN, INSTREAM, FILDES, VERSION, STATS commands can be sent on the
same socket without opening new connections. Replies from clamd
will be in the form <code>&lt;id&gt;: &lt;response&gt;</code> where <code>&lt;id&gt;</code> is
the request number (in ASCII, starting from 1) and <code>&lt;response&gt;</code>
is the usual clamd reply. The reply lines have the same delimiter
as the corresponding command had. Clamd will process the commands
asynchronously, and reply as soon as it has finished processing.
Clamd requires clients to read all the replies it has sent before
sending more commands, to prevent send() deadlocks. The recommended
way to implement a client that uses IDSESSION is with non-blocking
sockets, and a select()/poll() loop: whenever send would block,
sleep in select/poll until either you can write more data, or read
more replies. <SPAN CLASS="textit">Note that using non-blocking sockets without
the select/poll loop and alternating recv()/send() doesn't comply
with clamd's requirements.</SPAN> If clamd detects that a client has
deadlocked, it will close the connection. Note that clamd may
close an IDSESSION connection too if the client doesn't follow the
protocol's requirements.
</LI>
<LI><SPAN CLASS="textbf">STREAM</SPAN> (deprecated, use <SPAN CLASS="textbf">INSTREAM</SPAN> instead)
<BR>
Scan stream: clamd will return a new port number you should
connect to and send data to scan.
</LI>
</UL>
<P>
It's recommended to prefix clamd commands with the letter <SPAN CLASS="textbf">z</SPAN>
(e.g. zSCAN) to indicate that the command will be delimited by a NULL
character and that clamd should continue reading command data until a NULL
character is read. The null delimiter ensures that the complete command
and its entire argument will be processed as a single command. Alternatively
commands may be prefixed with the letter <SPAN CLASS="textbf">n</SPAN> (e.g. nSCAN) to use
a newline character as the delimiter. Clamd replies will honour the
requested terminator in turn. If clamd doesn't recognize the command, or
the command doesn't follow the requirements specified above, it will reply
with an error message, and close the connection.
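<P>
An added Python example (not code from the ClamAV project) of the IDSESSION client loop recommended above: a non-blocking socket driven by select(), reading NUL-delimited replies whenever they are available and writing only when the socket accepts data. <code>stub_session</code> is a constructed stand-in for clamd so the exchange runs offline; its reply text, the way it numbers the first command after IDSESSION as 1, and all function names are assumptions of this example.

```python
import select
import socket
import threading

def run_idsession(sock, commands, timeout=10.0):
    """Send commands (bytes, no prefix) in one IDSESSION; return {id: reply}."""
    sock.setblocking(False)
    out = b"zIDSESSION\0" + b"".join(b"z" + c + b"\0" for c in commands) + b"zEND\0"
    inbuf, replies = b"", {}
    while out or len(replies) < len(commands):
        want_write = [sock] if out else []
        readable, writable, _ = select.select([sock], want_write, [], timeout)
        if not (readable or writable):
            raise TimeoutError("no progress on the clamd socket")
        if readable:  # read replies first so clamd's send() never stalls on us
            got = sock.recv(65536)
            if not got:
                break  # clamd closed the connection
            *done, inbuf = (inbuf + got).split(b"\0")
            for line in done:
                rid, sep, resp = line.partition(b": ")
                if not (sep and rid.isdigit()):
                    raise ValueError("unexpected reply %r" % line)
                replies[int(rid)] = resp.decode("ascii", "replace")
        elif writable:
            out = out[sock.send(out):]  # partial writes are normal
    return replies

def stub_session(sock):
    """Constructed stand-in for clamd: numbers each request and answers it."""
    rid, buf = 0, b""
    while (got := sock.recv(65536)):
        *cmds, buf = (buf + got).split(b"\0")
        for cmd in cmds:
            if cmd == b"zEND":
                return
            if cmd != b"zIDSESSION":
                rid += 1
                sock.sendall(b"%d: stub reply to %s\0" % (rid, cmd[1:]))

def demo(commands):
    """Run the client against the stub over a local socket pair."""
    client, server = socket.socketpair()
    with client, server:
        stub = threading.Thread(target=stub_session, args=(server,))
        stub.start()
        replies = run_idsession(client, commands)
        stub.join()
        return replies
```

With enough queued commands to fill both socket buffers, a client that writes everything before reading would stall against the stub's blocking send; the loop above keeps draining replies and completes.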
<P>
Clamd can handle the following signals:
<UL>
<LI><SPAN CLASS="textbf">SIGTERM</SPAN> - perform a clean exit
</LI>
<LI><SPAN CLASS="textbf">SIGHUP</SPAN> - reopen the log file
</LI>
<LI><SPAN CLASS="textbf">SIGUSR2</SPAN> - reload the database
</LI>
</UL>
<P>
Clamd should not be started in the background using the shell operator
<code>&amp;</code> or external tools. Instead, you should run clamd and wait for it
to load the database and daemonize itself. After that, clamd is instantly
ready to accept connections and perform file scanning.
<H2><A NAME="SECTION00055000000000000000">
ClamAV Active Malware Report</A>
</H2>
<P>
The ClamAV Active Malware Report, introduced in ClamAV 0.94.1, uses
freshclam to send summary data to our server about the malware that has
been detected. This data is then used to generate real-time reports on
active malware. These reports, along with geographical and historic trends,
will be published on <TT><A NAME="tex2html21"
HREF="http://www.clamav.net/">http://www.clamav.net/</A></TT>.
<P>
The more data we receive from ClamAV users, the more reports there will be
and the better their quality. To enable the submission of
data to us for use in the Active Malware Report, enable
SubmitDetectionStats in freshclam.conf, and LogTime and LogFile in
clamd.conf. You should only enable this feature if you're running clamd
to scan incoming data in your environment.
<P>
The only private data that is transferred is an IP address, which is used
to create the geographical data. The size of the data that is sent is small;
it contains just the filename, malware name and time of detection. The data
is sent in sets of 10 records, up to 50 records per session. For example,
if you have 45 new records, then freshclam will submit 40; if 78 then it
will submit the latest 50 entries; and if you have 9 records no statistics