
Output format

clamd uses a clamscan-compatible output format (see below).
	zolw@Wierszokleta:~$ telnet localhost 3310
	Trying 127.0.0.1...
	Connected to localhost.
	Escape character is '^]'.
	SCAN /home/zolw/infected
	/home/zolw/infected/sobre.com: W32/Magistr.B FOUND
	Connection closed by foreign host.
In SCAN mode it closes the connection when the first virus is found. In the case of archives, the output is exactly the same as with normal files:
	SCAN /home/zolw/Clam/test/test2.zip
	/home/zolw/Clam/test/test2.zip: ClamAV-Test-Signature FOUND
CONTSCAN displays all infected files found.
Error messages are printed in the following format:
	SCAN /no/such/file
	/no/such/file: Can't stat() the file ERROR
and they can be easily parsed.

clamscan writes all messages to stderr (by default only the help text is written to stdout). In some situations you may want to redirect them to stdout with --stdout. Unlike stderr, stdout is buffered, so clamscan flushes the buffer after each message to prevent garbage in the output. During scanning it writes something like this:

	/TEST/test: OK
	/TEST/Makefile: OK
	/TEST/getopt.c: OK
	/TEST/virfile: Phantom #1 FOUND
When a virus is found, its name is printed between "filename:" and "FOUND". If a virus is found in an archive scanned with an external unpacker, it is reported as Infected Archive. "Infected Archives" are not counted as infected files; only the files inside them are. Note the difference from internal unarchiving: because libclamav handles it transparently, clamscan doesn't even know the file is an archive.
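
The clamd and clamscan lines shown above can be parsed as follows. This is an added example, not code from ClamAV; the names ScanResult, parse_line and summarize are hypothetical, and it assumes a virus name or error text never contains ": ", so a filename that itself contains ": OK" is still attributed correctly.

```python
from typing import Iterable, NamedTuple, Optional

class ScanResult(NamedTuple):
    path: str
    status: str            # "OK", "FOUND" or "ERROR"
    detail: Optional[str]  # virus name or error text; None for OK

def parse_line(line: str) -> Optional[ScanResult]:
    """Parse one 'filename: ... STATUS' line; return None for anything else."""
    line = line.rstrip("\r\n")
    if line.endswith(": OK") and len(line) > len(": OK"):
        return ScanResult(line[:-len(": OK")], "OK", None)
    for status in ("FOUND", "ERROR"):
        suffix = " " + status
        if line.endswith(suffix):
            body = line[:-len(suffix)]
            # Assumption: the virus name / error text never contains ": ",
            # so the LAST ": " is the separator even if the filename has one.
            path, sep, detail = body.rpartition(": ")
            if sep and path and detail:
                return ScanResult(path, status, detail)
    return None

def summarize(lines: Iterable[str]) -> dict:
    """Group parsed results; keep unparsed lines instead of dropping them."""
    out = {"clean": 0, "infected": [], "errors": [], "unparsed": []}
    for raw in lines:
        res = parse_line(raw)
        if res is None:
            if raw.strip():
                out["unparsed"].append(raw.rstrip("\r\n"))
        elif res.status == "OK":
            out["clean"] += 1
        elif res.status == "FOUND":
            out["infected"].append((res.path, res.detail))
        else:
            out["errors"].append((res.path, res.detail))
    return out

# Lines taken from the page, plus one constructed line for a file named "odd: OK".
SAMPLE = [
    "/TEST/test: OK",
    "/TEST/virfile: Phantom #1 FOUND",
    "/home/zolw/Clam/test/test2.zip: ClamAV-Test-Signature FOUND",
    "/no/such/file: Can't stat() the file ERROR",
    "/TEST/odd: OK: Phantom #1 FOUND",   # constructed sample
    "Connection closed by foreign host.",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Treating ERROR and unparsed lines as "not scanned" rather than "clean" keeps a failed scan from being read as a pass.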


Tomasz Kojm 2003-06-21