ClamAV
clamav.ximg.app
Open Source GPL-2.0 v1.4.x
ClamAV is the world's most widely deployed open-source antivirus toolkit. Originally created by Tomasz Kojm in 2001, it is now maintained by Cisco Talos. It provides on-access and on-demand scanning, a signature database updated multiple times daily, and deep integration with email gateways including Postfix, Sendmail, and Exim.
Since 2001 · Maintained by Cisco Talos · Linux, macOS, Windows · Scans email, files, archives
9M+ signatures · DB updates 24/7 · 100+ file formats · Founded 2001 · GPL license
Core Components
clamscan
Command-line virus scanner. Loads the signature database at startup, scans files/directories, and reports results. Best for one-off scans; use clamdscan for repeated scanning to avoid DB reload overhead.
clamd
On-demand scanning daemon. Keeps signatures loaded in memory and accepts scan requests over a Unix socket or TCP. Required for mail filter integration (clamav-milter, amavisd) and high-throughput scanning.
freshclam
Signature database updater. Runs as a daemon or from cron, pulling incremental .cdiff patches (or a full .cvd when patching is not possible) from database.clamav.net. Every downloaded CVD and cdiff carries a digital signature that freshclam verifies before the database is installed.
clamdscan
Client for clamd. Sends file paths to the running daemon via socket — no DB reload, dramatically faster than clamscan for bulk scanning. Supports --multiscan for parallel threads.
sigtool
Signature tool for DB inspection and creation. Unpack CVD files, compute checksums, create custom .ndb/.hdb/.ldb signatures, and test them against samples.
clamav-milter
Sendmail/Postfix milter plugin that hooks into the SMTP conversation. Scans email attachments before delivery and can reject, quarantine, or tag infected messages in real time.
Detection Capabilities
Category | What It Catches | Method
Viruses & Malware | Traditional file-infecting viruses, worms, trojans | Hash + byte signature
Phishing | Phishing URLs in email bodies and HTML | URL blocklist / heuristic
Packed Executables | UPX, FSG, MEW, and 40+ other packers | Unpacker + scan
Archives | ZIP, RAR, 7z, TAR, CAB, BZ2, XZ, ISO, OLE2 | Recursive extraction
Office Macros | VBA macros in DOCX, XLSX, PPTX, ODF | Macro extraction
Email (MIME) | Multipart MIME, Base64/QP-encoded attachments | MIME decode + scan
PDF | Embedded JS, malicious streams, embedded executables | PDF parser
Android APK | Malicious APKs (unpacked as ZIP archives) | Archive extraction + signature
Scripts | Obfuscated JS, PowerShell, shell scripts | Heuristic + signature
HTML | Browser exploits, iframe injections, malicious redirects | HTML normalizer
History
2001 Tomasz Kojm releases ClamAV 0.01 as an open-source project. Initial focus: Unix mail gateway scanning.
2004 ClamAV Foundation formed; project gains commercial sponsorship. First Windows port released.
2007 Sourcefire acquires ClamAV. Development accelerates; clamd daemon and milter integration mature.
2013 Cisco acquires Sourcefire for $2.7B. ClamAV moves under Cisco's Talos Intelligence group.
2014 ClamAV 0.98.4: JSON metadata collection (--gen-json).
2015 ClamAV 0.99: YARA rule support (a subset of the YARA syntax).
2018 ClamAV 0.100: major performance improvements.
2022 ClamAV 1.0.0 (November): first 1.x release, designated LTS.
2023 CVE-2023-20032, a buffer overflow in the HFS+ partition parser, is fixed in 1.0.1, 0.105.2 and 0.103.8.
2024 ClamAV 1.4.x: continued migration of parsers to Rust for memory safety; 1.4.0 adds ALZ and LHA/LZH archive extraction.
clamscan — Standalone Scanner
BASIC USAGE
Scan a single file, directory, or the whole filesystem. clamscan loads the DB each run.
# Scan a single file
clamscan /path/to/file.exe

# Recursively scan a directory
clamscan -r /home/user/downloads

# Scan and move infected files to quarantine
clamscan -r --move=/quarantine /var/www

# Report only infected files, suppress OK lines
clamscan -r --infected /home

# Scan a stream from stdin ("-" is the filename meaning standard input)
cat suspicious.pdf | clamscan -
USEFUL FLAGS
Flag | Description
-r, --recursive | Scan directories recursively
-i, --infected | Print only infected files
--remove | Delete infected files (use with caution)
--move=DIR | Move infected files to DIR
--copy=DIR | Copy infected files to DIR (keep original)
--max-filesize=SIZE | Skip files, including extracted archive members, larger than SIZE (bytes unless suffixed K or M, e.g. 100M)
--max-scansize=SIZE | Max total data scanned per file, extracted contents included (bytes unless suffixed K or M)
--bell | Sound alert on detection
-l, --log=FILE | Write scan report to FILE
--no-summary | Suppress scan summary at end
--bytecode=no | Disable bytecode interpreter
--exclude=REGEX | Skip files matching pattern
--include=REGEX | Only scan files matching pattern
--detect-pua | Enable PUA (Potentially Unwanted App) detection
clamdscan — Daemon Client
Sends scan requests to a running clamd instance. Much faster than clamscan — no DB reload per scan.
# Scan file via daemon (clamd must be running and able to read the path)
clamdscan /path/to/file

# Parallel scan with all available threads. --fdpass hands clamd open file
# descriptors over the Unix socket, so clamd needs no read access to the
# files itself; it does not work over TCP.
clamdscan --multiscan --fdpass /var/uploads

# Reload signatures without restarting clamd
clamdscan --reload

# Stream file content to the daemon (works over TCP; bounded by StreamMaxLength)
clamdscan --stream /tmp/suspect.zip
freshclam — Database Updater
# Manual update
freshclam

# Verbose update with progress
freshclam -v

# Run as daemon (runs "Checks" updates per day as set in freshclam.conf, default 12)
freshclam -d

# Show current database version (daily.cvd becomes daily.cld once patched locally)
sigtool --info /var/lib/clamav/main.cvd
clamd — Daemon Management
# Start via systemd
systemctl start clamav-daemon

# Enable on boot
systemctl enable clamav-daemon clamav-freshclam

# Check daemon status
systemctl status clamav-daemon

# Test clamd is responding (PING → PONG); needs a netcat with Unix-socket support (-U)
echo PING | nc -U /var/run/clamav/clamd.ctl

# Get clamd version over socket
echo VERSION | nc -U /var/run/clamav/clamd.ctl
sigtool — Signature Utilities
# Unpack a CVD database file
sigtool -u daily.cvd

# Show database info (version, sigs, builder)
sigtool --info daily.cvd

# List all signatures in a DB
sigtool -l daily.cvd

# Generate MD5 hash of a file (for .hdb signatures)
sigtool --md5 malware_sample.exe

# Generate SHA-256 hash (for .hsb signatures)
sigtool --sha256 malware_sample.exe

# Look up a signature by name across the DB directory and decode it
sigtool --find-sigs='Eicar-Test-Signature' | sigtool --decode-sigs
Signature Database Files
File | Format | Contents | Size
main.cvd | CVD | Core signature set: stable, rarely changes | ~160 MB
daily.cvd / daily.cld | CVD (CLD once patched locally) | Daily incremental updates: new threats | ~60 MB
bytecode.cvd | CVD | Bytecode programs for complex detection logic | ~400 KB
*.ndb | Text | Hex-pattern signatures (custom) | varies
*.hdb | Text | MD5 file hash signatures | varies
*.hsb | Text | SHA-1 / SHA-256 file hash signatures | varies
*.ldb | Text | Logical signatures (boolean rules) | varies
*.yar / *.yara | YARA | YARA rules (a subset of YARA syntax; rules needing modules or external variables are skipped) | varies
CVD File Format
CVD (ClamAV Virus Database): a tar.gz archive prefixed with a 512-byte text header
Header (512 B): colon-separated, space-padded fields: ClamAV-VDB:build time:version:signature count:functionality level:MD5 of the body:digital signature:builder:build time (epoch seconds). The time field uses "-" inside the clock so it contains no colon.
tar.gz body: the .ndb / .hdb / .ldb / etc. signature files plus CHANGES and COPYING
CLD variant: the database freshclam writes locally after applying .cdiff incremental patches to a CVD. It is built on the host and carries no valid Talos signature; the cdiff patches themselves are signed and verified before they are applied.
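The header layout above can be exercised without a real database. The following Python is an added example, not ClamAV code: build_cvd assembles a constructed, unsigned .cvd image from a dict of in-memory files, and parse_cvd_header reads the nine header fields back and checks the body MD5 the way sigtool --info reports it. The digital-signature field is filled with the placeholder "X" because only Talos holds the signing key, so freshclam would refuse this file; the field order and 512-byte padding follow the format described here, and the sample database contents are constructed.

```python
import hashlib
import io
import tarfile
import time

# Field order of the 512-byte CVD header (colon-separated, space-padded).
CVD_FIELDS = ("magic", "build_time", "version", "sigs", "flevel",
              "md5", "dsig", "builder", "stime")
SIG_EXTS = (".ndb", ".hdb", ".hsb", ".ldb", ".cdb", ".ign2")


def build_cvd(files, version, flevel=90, builder="constructed"):
    """Assemble a constructed, UNSIGNED .cvd image: 512-byte header + tar.gz body.

    The dsig field is the placeholder "X": only Cisco Talos holds the private
    key, so freshclam would reject this file. Everything else matches the layout.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    body = buf.getvalue()
    # Signature count covers only signature files, not CHANGES/COPYING.
    nsigs = sum(c.count(b"\n") for n, c in files.items() if n.endswith(SIG_EXTS))
    now = int(time.time())
    # "-" instead of ":" inside the clock keeps the field free of separators.
    build_time = time.strftime("%d %b %Y %H-%M %z", time.gmtime(now))
    header = ":".join(["ClamAV-VDB", build_time, str(version), str(nsigs),
                       str(flevel), hashlib.md5(body).hexdigest(), "X",
                       builder, str(now)])
    if len(header) > 512:
        raise ValueError("CVD header exceeds 512 bytes")
    return header.ljust(512).encode("ascii") + body


def parse_cvd_header(blob):
    """Return the header fields plus an MD5 check of the body (what sigtool --info shows).

    The dsig field is returned untouched: verifying it needs ClamAV's built-in
    public key, which this example does not carry.
    """
    header, body = blob[:512], blob[512:]
    fields = header.decode("ascii", "replace").rstrip(" \x00").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) != len(CVD_FIELDS):
        raise ValueError("not a CVD header")
    info = dict(zip(CVD_FIELDS, fields))
    info["md5_ok"] = hashlib.md5(body).hexdigest() == info["md5"]
    return info


def list_cvd_members(blob):
    """Names of the files packed in the tar.gz body (what sigtool -u unpacks)."""
    with tarfile.open(fileobj=io.BytesIO(blob[512:]), mode="r:gz") as tar:
        return sorted(tar.getnames())


# Constructed sample database: one MD5 signature for the EICAR test file.
SAMPLE_FILES = {
    "custom.hdb": b"44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature\n",
    "CHANGES": b"constructed example, not a Talos release\n",
}

if __name__ == "__main__":
    cvd = build_cvd(SAMPLE_FILES, version=1)
    print(parse_cvd_header(cvd))
    print(list_cvd_members(cvd))
```

The md5_ok flag is the integrity check a local tool can perform; authenticity still depends on the signature field, which is why a CLD built from patches, or a CVD with a bogus dsig, is not equivalent to a Talos-signed CVD.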
Signature Types
NDB — Hex-pattern signature
MalwareName:TargetType:Offset:HexSignature
Win.Trojan.Eicar-1:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e44415244
TargetType: 0=any, 1=PE, 2=OLE2, 3=HTML (normalised), 4=Mail, 5=Graphics, 6=ELF, 7=ASCII text (normalised), 9=Mach-O, 10=PDF, 11=Flash, 12=Java class
Offset: * = anywhere, 0 = file start, n = absolute byte offset, EOF-n = n bytes before end of file, EP+n = entry point + n bytes (executables only)
HDB — MD5 hash signature
MD5hash:FileSize:MalwareName
44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
Size in bytes. Fast — hash lookup only, no pattern scanning needed.
LDB — Logical signature
SigName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
Win.Backdoor.Example;Target:1;(0&1)&2;deadbeef*cafebabe;68656c6c6f;776f726c64
Subsignatures are numbered from 0 and accept the same wildcards as NDB bodies. The expression combines them with & (AND), | (OR) and parentheses, and can test match counts: 0>3 is true only if subsignature 0 matched more than three times, 1=1 only if it matched exactly once. ClamAV has no NOT operator. The target block can add constraints such as Target:1,Engine:51-255,FileSize:0-1048576.
Greatly reduces false positives compared to single-pattern matching.
HSB — SHA-256 hash signature
SHA256hash:FileSize:MalwareName
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Eicar-Test-Signature
Creating Custom Signatures
# 1. Get hex bytes of a known-bad string. Target type 7 matches against
#    normalised text (lower-cased, whitespace collapsed), so keep the pattern lower-case.
echo -n "eval(base64_decode" | xxd -p
# → 6576616c286261736536345f6465636f6465

# 2. Create .ndb file (Name:Target:Offset:Hex; 7 = normalised ASCII text, * = anywhere)
echo "PHP.Obfuscated.Base64Eval:7:*:6576616c286261736536345f6465636f6465" > custom.ndb

# 3. Test the signature in isolation (--database loads only this file, not /var/lib/clamav)
clamscan --database=custom.ndb testfile.php

# 4. Deploy: copy to the ClamAV DB dir, make it readable by the clamd user, reload
cp custom.ndb /var/lib/clamav/
chown clamav:clamav /var/lib/clamav/custom.ndb
clamdscan --reload
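To make the signature formats concrete, here is an added Python example (not ClamAV code and not part of this page's original tooling) that parses HDB, HSB, NDB and LDB lines and evaluates them against in-memory data: the hash-size short-circuit, the NDB wildcards * / ?? / {n-m}, absolute and EOF- offsets, and LDB match-count tests such as 2=2. It is a companion to both the signature-type reference and the custom-signature walkthrough above. The sample databases reuse the EICAR hashes and the PHP rule from this page and are constructed; target types are parsed but not enforced, the type 7 text normalisation a real scan performs is omitted, and NDB alternation (aa|bb) is not supported.

```python
import hashlib
import re

# Constructed sample input: the 68-byte EICAR test string (backslash escaped).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def hexsig_to_regex(hexsig):
    """Compile a body signature to a bytes regex.

    Handles hex pairs, ?? (any byte), * (any run), {n}, {n-m}, {-m}, {n-}.
    """
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*")
            i += 1
        elif hexsig[i] == "{":
            j = hexsig.index("}", i)
            spec = hexsig[i + 1:j]
            if "-" in spec:
                lo, hi = spec.split("-")
                parts.append(b".{" + (lo or "0").encode() + b"," + hi.encode() + b"}")
            else:
                parts.append(b".{" + spec.encode() + b"}")
            i = j + 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def match_ndb(line, data):
    """NDB: Name:Target:Offset:Hex. Target type is parsed but not enforced here."""
    name, _target, offset, hexsig = line.strip().split(":", 3)
    rx = hexsig_to_regex(hexsig)
    if offset == "*":
        return name if rx.search(data) else None
    if offset.startswith("EOF-"):
        pos = len(data) - int(offset[4:])
    elif offset.isdigit():
        pos = int(offset)
    else:
        raise ValueError(f"offset {offset!r} needs an executable parser (EP+n, Sx+n)")
    return name if pos >= 0 and rx.match(data, pos) else None


def match_hash(line, data):
    """HDB (MD5) or HSB (SHA-1 / SHA-256): Hash:Size:Name. Size mismatch skips hashing."""
    digest, size, name = line.strip().split(":")
    algo = {32: hashlib.md5, 40: hashlib.sha1, 64: hashlib.sha256}[len(digest)]
    if size != "*" and int(size) != len(data):
        return None
    return name if algo(data).hexdigest() == digest.lower() else None


def eval_logical(expr, counts):
    """Evaluate an LDB expression over per-subsignature match counts.

    Tokens: subsig index with optional =k / <k / >k count test, & and |,
    parentheses. & binds tighter than | (ClamAV recommends parenthesising).
    """
    pos = 0

    def peek():
        return expr[pos] if pos < len(expr) else ""

    def atom():
        nonlocal pos
        if peek() == "(":
            pos += 1
            val = disjunction()
            if peek() != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return val
        m = re.match(r"(\d+)(?:([=<>])(\d+))?", expr[pos:])
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        pos += m.end()
        n = counts[int(m.group(1))]
        if m.group(2) is None:
            return n > 0
        k = int(m.group(3))
        return {"=": n == k, "<": n < k, ">": n > k}[m.group(2)]

    def conjunction():
        nonlocal pos
        val = atom()
        while peek() == "&":
            pos += 1
            val = atom() and val
        return val

    def disjunction():
        nonlocal pos
        val = conjunction()
        while peek() == "|":
            pos += 1
            val = conjunction() or val
        return val

    result = disjunction()
    if pos != len(expr):
        raise ValueError("trailing input in expression")
    return result


def match_ldb(line, data):
    """LDB: Name;TargetBlock;Expression;Sub0;Sub1;... (target block not enforced)."""
    name, _target, expr, *subs = line.strip().split(";")
    counts = [len(hexsig_to_regex(s).findall(data)) for s in subs]
    return name if eval_logical(expr, counts) else None


MATCHERS = {".ndb": match_ndb, ".hdb": match_hash, ".hsb": match_hash, ".ldb": match_ldb}


def scan(data, databases):
    """Run every signature in {filename: text} over data; return sorted hit names."""
    hits = set()
    for filename, text in databases.items():
        matcher = MATCHERS[filename[filename.rfind("."):]]
        for line in text.splitlines():
            if line.strip() and not line.startswith("#"):
                found = matcher(line, data)
                if found:
                    hits.add(found)
    return sorted(hits)


# Constructed sample databases: EICAR hashes and the PHP rule from this page,
# plus a logical signature requiring "X5O!", "EICAR" + 1-4 bytes + "STANDARD",
# and exactly two 0x48 ('H') bytes.
SAMPLE_DB = {
    "custom.hdb": "44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature\n",
    "custom.hsb": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Eicar-Test-Signature\n",
    "custom.ndb": "Win.Trojan.Eicar-1:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e44415244\n"
                  "PHP.Obfuscated.Base64Eval:7:*:6576616c286261736536345f6465636f6465\n",
    "custom.ldb": "Eicar.Logical.Example;Target:0;(0&1)&2=2;58354f21;4549434152{1-4}5354414e44415244;48\n",
}

if __name__ == "__main__":
    print(scan(EICAR, SAMPLE_DB))
    print(scan(b"<?php eval(base64_decode('Zm9v')); ?>", SAMPLE_DB))
```

Because the hash matchers check the size field before hashing, an HDB/HSB line with the wrong size never fires, which is also why a single appended byte defeats hash signatures and why pattern or logical signatures are preferred for families rather than individual samples.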
EICAR Test File
The EICAR standard test string — safe, non-malicious, detected by all AV engines as "EICAR-Test-Signature"
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Save as eicar.com and scan — ClamAV should report: Eicar-Test-Signature FOUND
Mail Server Integration
Postfix + amavisd-new
The standard production stack. Amavisd acts as a content filter between Postfix instances, calling ClamAV via clamd socket. Re-injects clean mail at port 10025.
clamav-milter
Native milter — hooks into Sendmail/Postfix smtpd_milters at the protocol level. Simpler than amavisd for AV-only setups; no spam scoring.
Exim + ClamAV
Exim has a native malware ACL condition. Set av_scanner = clamd:/var/run/clamav/clamd.ctl in the main configuration and use deny malware = * in acl_smtp_data; no helper daemon is needed, since Exim talks to clamd directly through its built-in malware scanner interface.
POSTFIX + AMAVISD FLOW

  SMTP in (25)
       │
  [Postfix smtpd]
       │ content_filter = amavis:[127.0.0.1]:10024
       ▼
  [amavisd-new :10024]
       │
       ├── calls clamd → scan for viruses
       ├── calls spamassassin → spam scoring
       │
       ▼
  clean mail re-injected at :10025
       │
  [Postfix smtpd :10025] → local delivery / relay
POSTFIX main.cf SNIPPET
# /etc/postfix/main.cf
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
# master.cf must also define the "amavis" smtp transport and the
# 127.0.0.1:10025 smtpd re-injection listener (not shown here)
AMAVISD @av_scanners SNIPPET
# /etc/amavis/conf.d/50-user
# The amavis user must be able to connect to the clamd socket (see
# LocalSocketGroup in clamd.conf) and clamd must be able to read amavis's
# temp directory, otherwise every CONTSCAN reply is
# "lstat() failed: Permission denied. ERROR".
@av_scanners = (
  ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);
Docker Integration
# Minimal ClamAV Docker setup
# docker-compose.yml
services:
  clamav:
    image: clamav/clamav:stable
    ports:
      - "3310:3310"    # clamd TCP port
    volumes:
      - clamav-db:/var/lib/clamav    # persist signatures
    environment:
      - CLAMAV_NO_FRESHCLAM=false

volumes:
  clamav-db:
# Scan a file via TCP clamd in Docker: point clamdscan at the container with a
# minimal client config. --fdpass only works over a Unix socket, so use --stream.
printf 'TCPSocket 3310\nTCPAddr 127.0.0.1\n' > /tmp/clamd-remote.conf
clamdscan --config-file=/tmp/clamd-remote.conf --stream /path/to/file
REST API Wrappers
Project | Language | Description
clamav-rest | Java | REST wrapper around clamd: POST a file, get a JSON result back
python-clamd | Python | Pure Python client for the clamd Unix/TCP socket
go-clamav | Go | Go bindings for libclamav and a clamd socket client
node-clamscan | Node.js | Async Node.js wrapper that scans buffers, streams, and local paths
PYTHON EXAMPLE
import clamd  # pip install clamd

# Connect to clamd via Unix socket
cd = clamd.ClamdUnixSocket('/var/run/clamav/clamd.ctl')

# Ping daemon
print(cd.ping())  # → 'PONG'

# Scan a file path (clamd itself must be able to read the path)
result = cd.scan('/tmp/suspect.pdf')
print(result)
# → {'/tmp/suspect.pdf': ('FOUND', 'Win.Trojan.Example-1')}

# Scan an in-memory buffer (stream): no filesystem access by clamd needed,
# but the data must stay under StreamMaxLength in clamd.conf
with open('file.exe', 'rb') as f:
    result = cd.instream(f)
print(result['stream'])  # → ('OK', None) or ('FOUND', 'SigName')
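python-clamd hides the clamd wire protocol; the added Python example below (not python-clamd or ClamAV code) shows both sides of an INSTREAM exchange. clamd_instream sends zINSTREAM, then 4-byte big-endian length-prefixed chunks and a zero-length terminator, and reads the NUL-terminated reply. Since no clamd is assumed to be running, start_mock_clamd launches a constructed stand-in on a loopback port that answers PING and INSTREAM, recognises only the EICAR string, and enforces a StreamMaxLength-style limit with clamd's "INSTREAM size limit exceeded. ERROR" reply. The mock drains the whole stream before replying; a real clamd answers as soon as the limit is crossed and closes the connection, so production clients must tolerate an early reply.

```python
import socket
import struct
import threading

# Constructed sample input: the EICAR test string (backslash escaped).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def recv_reply(sock):
    """Read one NUL-terminated reply (z-prefixed commands get NUL-terminated answers)."""
    buf = b""
    while not buf.endswith(b"\0"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.rstrip(b"\0").decode()


def clamd_instream(sock, data, chunk_size=8192):
    """Client side of INSTREAM: command, length-prefixed chunks, zero terminator."""
    sock.sendall(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        part = data[i:i + chunk_size]
        sock.sendall(struct.pack(">I", len(part)) + part)  # 4-byte big-endian length
    sock.sendall(struct.pack(">I", 0))  # zero-length chunk ends the stream
    return recv_reply(sock)


def scan_bytes(port, data):
    with socket.create_connection(("127.0.0.1", port)) as s:
        return clamd_instream(s, data)


def ping(port):
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(b"zPING\0")
        return recv_reply(s)


# --- Constructed mock daemon: stands in for clamd, detects only the EICAR string ---

def _handle(conn, max_stream):
    cmd = b""
    while not cmd.endswith(b"\0"):
        cmd += recv_exact(conn, 1)
    cmd = cmd.rstrip(b"\0")
    if cmd == b"zPING":
        conn.sendall(b"PONG\0")
    elif cmd == b"zINSTREAM":
        data, too_big = b"", False
        while True:
            (n,) = struct.unpack(">I", recv_exact(conn, 4))
            if n == 0:
                break
            piece = recv_exact(conn, n)  # drain even when over the limit
            if len(data) + n > max_stream:
                too_big = True  # real clamd replies here and drops the connection
            else:
                data += piece
        if too_big:
            conn.sendall(b"INSTREAM size limit exceeded. ERROR\0")
        else:
            verdict = b"Eicar-Test-Signature FOUND" if EICAR in data else b"OK"
            conn.sendall(b"stream: " + verdict + b"\0")
    else:
        conn.sendall(b"UNKNOWN COMMAND\0")


def start_mock_clamd(max_stream=25 * 1024 * 1024):
    """Start the mock on an ephemeral loopback port in a daemon thread; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    _handle(conn, max_stream)
                except (ConnectionError, struct.error):
                    pass  # client went away mid-stream; drop it as clamd would

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_mock_clamd(max_stream=1024)
    print(ping(port))
    print(scan_bytes(port, EICAR))
    print(scan_bytes(port, b"A" * 4096))
```

Swap the mock port for a real clamd TCPSocket and the client half works unchanged; the size-limit branch is the case to test first, because an upload service that treats a non-"OK" reply as "clean" silently waves oversized files through.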
clamd.conf — Key Settings
# /etc/clamav/clamd.conf

# Socket
LocalSocket         /var/run/clamav/clamd.ctl
LocalSocketGroup    clamav        # group allowed to connect (add mail/app users to it)
LocalSocketMode     660
# TCP has no authentication: keep it on loopback or a firewalled interface only
TCPSocket           3310          # enable for TCP (omit for Unix-socket-only)
TCPAddr             127.0.0.1     # listen address

# Database
DatabaseDirectory   /var/lib/clamav
SelfCheck           600           # seconds between DB checks; changed sigs are reloaded
ConcurrentDatabaseReload yes      # keep serving scans while the new DB loads (uses more RAM)

# Scan limits
MaxScanSize         400M          # max data scanned per file, extracted contents included
MaxFileSize         100M          # skip files larger than this
MaxRecursion        10            # max archive nesting depth
MaxFiles            10000         # max files extracted from one archive
MaxEmbeddedPE       10M           # max embedded PE in HTML/OLE2
MaxHTMLNormalize    40M
StreamMaxLength     25M           # limit for INSTREAM / clamdscan --stream; larger → ERROR reply

# Performance
MaxThreads          4             # parallel scan threads
ReadTimeout         60            # seconds to wait for client data
MaxQueue            200           # max queued connections

# Detection options
ScanPE              yes
ScanELF             yes
ScanOLE2            yes           # MS Office documents
ScanPDF             yes
ScanHTML            yes
ScanMail            yes
ScanArchive         yes
DetectPUA           no            # potentially unwanted applications
HeuristicAlerts     yes
Bytecode            yes           # enable bytecode engine

# User (must own the socket and be able to read the database directory)
User                clamav
freshclam.conf — Update Settings
# /etc/clamav/freshclam.conf
DatabaseDirectory   /var/lib/clamav
DatabaseOwner       clamav

# Update source (the CDN behind database.clamav.net)
DatabaseMirror      database.clamav.net

# Number of checks per day (default 12; checking more often than hourly
# risks being rate-limited by the CDN)
Checks              12

# Notify clamd after update
NotifyClamd         /etc/clamav/clamd.conf

# Log
UpdateLogFile       /var/log/clamav/freshclam.log
LogVerbose          no
Exit Codes
Code | Meaning
0 | No viruses found
1 | Virus(es) found
2 | Error: some files could not be scanned
Installation
# Debian / Ubuntu
apt-get install clamav clamav-daemon clamav-freshclam

# RHEL / Rocky / AlmaLinux (packages live in EPEL)
dnf install epel-release
dnf install clamav clamd clamav-update

# macOS (Homebrew)
brew install clamav
cp /opt/homebrew/etc/clamav/freshclam.conf.sample /opt/homebrew/etc/clamav/freshclam.conf

# Docker
docker pull clamav/clamav:stable

# First run — download signatures
freshclam