Usage

Purpose

This user guide presents an overview of the various ways that libclamav can be used through the tools provided by ClamAV. To learn more about how to better use each facet of ClamAV that interests you, please follow the links provided.

High-Level Software Diagram

flowchart TD
    subgraph CLAMAV[ClamAV Programs, Services, Libraries, and Data]
        DB[(Virus Databases)]
        NET[(ClamAV mirrors / update source)]

        LF[libfreshclam<br/>update library]

        FC[freshclam<br/>updates databases]
        CD[clamd<br/>scanner daemon]
        CS[clamscan<br/>standalone scanner]
        CDS[clamdscan<br/>client for clamd]
        CDT[clamdtop<br/>monitor for clamd]
        COA[clamonacc<br/>on-access scanner]
        CMI[clamav-milter<br/>mail filter]
        ST[sigtool<br/>signature/db utility]
        CBC[clambc<br/>bytecode utility]
        CCF[clamconf<br/>config/report utility]
        CSU[clamsubmit<br/>sample submission tool]

        NET --> FC
        LF --> FC
        FC --> DB

        DB --> CD
        DB --> CS
        DB --> ST
        DB --> CBC

        CDS --> CD
        CDT --> CD
        COA --> CD
        CMI --> CD
    end

Rough Scan Flowchart

flowchart LR
    subgraph DIRECT[Direct scan flow]
        direction LR
        CS[clamscan]
        CS_VERDICT[Scan verdicts / alerts]
        CS_META[Logs / metadata]

        CS -->|report verdict| CS_VERDICT
        CS -->|emit logs / metadata| CS_META
    end

    subgraph CLIENTSERVER[Client/server scan flow]
        direction LR

        subgraph CLIENTS[ ]
            direction TB
            CDS[clamdscan]
            COA[clamonacc]
            CMI[clamav-milter]
        end

        subgraph DAEMON[ ]
            direction TB
            CD[clamd]
        end

        subgraph OUTPUTS[ ]
            direction TB
            CD_VERDICT[Scan verdicts / alerts]
            CD_META[Logs / metadata]
        end

        CDS -->|request scan| CD
        COA -->|request scan| CD
        CMI -->|request scan| CD

        CDS -->|report verdict| CD_VERDICT
        COA -->|report verdict| CD_VERDICT
        CMI -->|report verdict| CD_VERDICT

        CDS -->|emit logs / metadata| CD_META
        COA -->|emit logs / metadata| CD_META
        CMI -->|emit logs / metadata| CD_META
    end

Daemon

The ClamAV Daemon, or clamd, is a multi-threaded daemon that uses libclamav to scan files for viruses. ClamAV provides a number of tools that interface with this daemon. They are as follows:

  • clamdscan - a simple scanning client
  • clamonacc - provides on-access scanning (aka real-time protection) via a clamd instance
  • clamav-milter - a mail filtering plugin for the Sendmail email processing server software to scan emails
  • clamdtop - a resource monitoring interface for clamd

Scanner

ClamAV also provides clamscan, a command-line tool for simple scanning tasks with libclamav. Unlike the daemon, clamscan is not a persistent process and is best suited for use cases where one-time scanning with minimal setup is needed.

Signature Testing and Management

A number of tools allow for testing and management of signatures. Of note are the following:

  • clambc - specifically for testing bytecode
  • sigtool - for general signature testing and analysis
  • freshclam - used to update signature database sets to the latest version

Configuration

The more complex tools ClamAV provides each require some degree of configuration. ClamAV supplies two example configuration files:

  • clamd.conf - for configuring the behavior of the ClamAV Daemon clamd and associated tools
  • freshclam.conf - for configuring the behavior of the signature database update tool, freshclam

Additionally, a tool called clamconf allows users to check the configuration used by each of the other tools, pulling information from the configuration files listed above, alongside other relevant information.