zolw@Wierszokleta:~$ telnet localhost 3310 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SCAN /home/zolw/infected /home/zolw/infected/sobre.com: W32.Magistr.B FOUND Connection closed by foreign host.In the SCAN mode it closes the connection when first virus is found. In the case of archives the output is exactly the same as with normal files because archive support is transparent:
SCAN /home/zolw/Clam/test/test2.zip /home/zolw/Clam/test/test2.zip: ClamAV-Test-Signature FOUNDCONTSCAN displays all infected files found.
SCAN /no/such/file /no/such/file: Can't stat() the file ERRORand they can be easily parsed.
clamscan writes all messages to stderr (only help is
written to stdout by default). You may want to redirect it to
stdout - this is handled with --stdout
. An example
of the clamscan output is:
/tmp/test/removal-tool.exe: Worm.Sober FOUND /tmp/test/md5.o: OK /tmp/test/blob.c: OK /tmp/test/message.c: OK /tmp/test/error.hta: VBS.Inor.D FOUNDWhen a virus is found its name is printed between the
filename:
and
FOUND
strings. If a virus is found in an archive that has been
extracted with an external unpacker it's noticed with
Infected Archive
. "Infected Archives" are not counted as infected
files - only files within them are. Notice the difference with built-in
unarchiver - extraction process is realized transparently by libclamav
and clamscan doesn't know which concrete file is infected - just marks
whole archives as infected.