diff --git a/clamscan/clamscan.c b/clamscan/clamscan.c
index 8fa5acb2d..4d4e2c246 100644
--- a/clamscan/clamscan.c
+++ b/clamscan/clamscan.c
@@ -255,110 +255,111 @@ void help(void)
 mprintf(LOGG_INFO, "\n");
 mprintf(LOGG_INFO, " clamscan [options] [file/directory/-]\n");
 mprintf(LOGG_INFO, "\n");
- mprintf(LOGG_INFO, " --help -h Show this help\n");
- mprintf(LOGG_INFO, " --version -V Print version number\n");
- mprintf(LOGG_INFO, " --verbose -v Be verbose\n");
- mprintf(LOGG_INFO, " --archive-verbose -a Show filenames inside scanned archives\n");
- mprintf(LOGG_INFO, " --debug Enable libclamav's debug messages\n");
- mprintf(LOGG_INFO, " --quiet Only output error messages\n");
+ mprintf(LOGG_INFO, " --help -h Show this help.\n");
+ mprintf(LOGG_INFO, " --version -V Print version number.\n");
+ mprintf(LOGG_INFO, " --verbose -v Be verbose.\n");
+ mprintf(LOGG_INFO, " --archive-verbose -a Show filenames inside scanned archives.\n");
+ mprintf(LOGG_INFO, " --debug Enable libclamav's debug messages.\n");
+ mprintf(LOGG_INFO, " --quiet Only output error messages.\n");
 mprintf(LOGG_INFO, " --stdout Write to stdout instead of stderr. Does not affect 'debug' messages.\n");
- mprintf(LOGG_INFO, " --no-summary Disable summary at end of scanning\n");
- mprintf(LOGG_INFO, " --infected -i Only print infected files\n");
- mprintf(LOGG_INFO, " --suppress-ok-results -o Skip printing OK files\n");
- mprintf(LOGG_INFO, " --bell Sound bell on virus detection\n");
+ mprintf(LOGG_INFO, " --no-summary Disable summary at end of scanning.\n");
+ mprintf(LOGG_INFO, " --infected -i Only print infected files.\n");
+ mprintf(LOGG_INFO, " --suppress-ok-results -o Skip printing OK files.\n");
+ mprintf(LOGG_INFO, " --bell Sound bell on virus detection.\n");
 mprintf(LOGG_INFO, "\n");
- mprintf(LOGG_INFO, " --tempdir=DIRECTORY Create temporary files in DIRECTORY\n");
- mprintf(LOGG_INFO, " --leave-temps[=yes/no(*)] Do not remove temporary files\n");
- mprintf(LOGG_INFO, " --force-to-disk[=yes/no(*)] Create temporary files for nested file scans that would otherwise be in-memory only\n");
+ mprintf(LOGG_INFO, " --tempdir=DIRECTORY Create temporary files in DIRECTORY.\n");
+ mprintf(LOGG_INFO, " --leave-temps[=yes/no(*)] Do not remove temporary files.\n");
+ mprintf(LOGG_INFO, " --force-to-disk[=yes/no(*)] Create temporary files for nested file scans that would otherwise be in-memory only.\n");
 mprintf(LOGG_INFO, " --gen-json[=yes/no(*)] Generate JSON metadata for the scanned file(s). For testing & development use ONLY.\n");
 mprintf(LOGG_INFO, " JSON will be printed if --debug is enabled.\n");
 mprintf(LOGG_INFO, " A JSON file will dropped to the temp directory if --leave-temps is enabled.\n");
 mprintf(LOGG_INFO, " --json-store-html-uris[=yes(*)/no] Store html URIs in metadata.\n");
- mprintf(LOGG_INFO, " URLs will be written to the metadata.json file in an array called 'URIs'\n");
- mprintf(LOGG_INFO, " --json-store-pdf-uris[=yes(*)/no] Store pdf URIs in metadata.\n");
- mprintf(LOGG_INFO, " URLs will be written to the metadata.json file in an array called 'URIs'\n");
- mprintf(LOGG_INFO, " --database=FILE/DIR -d FILE/DIR Load virus database from FILE or load all supported db files from DIR\n");
- mprintf(LOGG_INFO, " --official-db-only[=yes/no(*)] Only load official signatures\n");
+ mprintf(LOGG_INFO, " URIs will be written to the metadata.json file in an array called 'URIs'.\n");
+ mprintf(LOGG_INFO, " --json-store-pdf-uris[=yes(*)/no] Store pdf URIs in metadata.\n");
+ mprintf(LOGG_INFO, " URIs will be written to the metadata.json file in an array called 'URIs'.\n");
+ mprintf(LOGG_INFO, " --json-store-extra-hashes[=yes(*)/no] Store md5 and sha1 in addition to sha2-256 in metadata.\n");
+ mprintf(LOGG_INFO, " --database=FILE/DIR -d FILE/DIR Load virus database from FILE or load all supported db files from DIR.\n");
+ mprintf(LOGG_INFO, " --official-db-only[=yes/no(*)] Only load official signatures.\n");
 mprintf(LOGG_INFO, " --fail-if-cvd-older-than=days Return with a nonzero error code if virus database outdated.\n");
- mprintf(LOGG_INFO, " --log=FILE -l FILE Save scan report to FILE\n");
- mprintf(LOGG_INFO, " --recursive[=yes/no(*)] -r Scan subdirectories recursively\n");
- mprintf(LOGG_INFO, " --allmatch[=yes/no(*)] -z Continue scanning within file after finding a match\n");
- mprintf(LOGG_INFO, " --cross-fs[=yes(*)/no] Scan files and directories on other filesystems\n");
- mprintf(LOGG_INFO, " --follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always)\n");
- mprintf(LOGG_INFO, " --follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always)\n");
- mprintf(LOGG_INFO, " --file-list=FILE -f FILE Scan files from FILE\n");
+ mprintf(LOGG_INFO, " --log=FILE -l FILE Save scan report to FILE.\n");
+ mprintf(LOGG_INFO, " --recursive[=yes/no(*)] -r Scan subdirectories recursively.\n");
+ mprintf(LOGG_INFO, " --allmatch[=yes/no(*)] -z Continue scanning within file after finding a match.\n");
+ mprintf(LOGG_INFO, " --cross-fs[=yes(*)/no] Scan files and directories on other filesystems.\n");
+ mprintf(LOGG_INFO, " --follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always).\n");
+ mprintf(LOGG_INFO, " --follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always).\n");
+ mprintf(LOGG_INFO, " --file-list=FILE -f FILE Scan files from FILE.\n");
 mprintf(LOGG_INFO, " --remove[=yes/no(*)] Remove infected files. Be careful!\n");
- mprintf(LOGG_INFO, " --move=DIRECTORY Move infected files into DIRECTORY\n");
- mprintf(LOGG_INFO, " --copy=DIRECTORY Copy infected files into DIRECTORY\n");
- mprintf(LOGG_INFO, " --exclude=REGEX Don't scan file names matching REGEX\n");
- mprintf(LOGG_INFO, " --exclude-dir=REGEX Don't scan directories matching REGEX\n");
- mprintf(LOGG_INFO, " --include=REGEX Only scan file names matching REGEX\n");
- mprintf(LOGG_INFO, " --include-dir=REGEX Only scan directories matching REGEX\n");
+ mprintf(LOGG_INFO, " --move=DIRECTORY Move infected files into DIRECTORY.\n");
+ mprintf(LOGG_INFO, " --copy=DIRECTORY Copy infected files into DIRECTORY.\n");
+ mprintf(LOGG_INFO, " --exclude=REGEX Don't scan file names matching REGEX.\n");
+ mprintf(LOGG_INFO, " --exclude-dir=REGEX Don't scan directories matching REGEX.\n");
+ mprintf(LOGG_INFO, " --include=REGEX Only scan file names matching REGEX.\n");
+ mprintf(LOGG_INFO, " --include-dir=REGEX Only scan directories matching REGEX.\n");
 #ifdef _WIN32
- mprintf(LOGG_INFO, " --memory Scan loaded executable modules\n");
- mprintf(LOGG_INFO, " --kill Kill/Unload infected loaded modules\n");
- mprintf(LOGG_INFO, " --unload Unload infected modules from processes\n");
+ mprintf(LOGG_INFO, " --memory Scan loaded executable modules.\n");
+ mprintf(LOGG_INFO, " --kill Kill/Unload infected loaded modules.\n");
+ mprintf(LOGG_INFO, " --unload Unload infected modules from processes.\n");
 #endif
 mprintf(LOGG_INFO, "\n");
- mprintf(LOGG_INFO, " --bytecode[=yes(*)/no] Load bytecode from the database\n");
- mprintf(LOGG_INFO, " --bytecode-unsigned[=yes/no(*)] Load unsigned bytecode\n");
+ mprintf(LOGG_INFO, " --bytecode[=yes(*)/no] Load bytecode from the database.\n");
+ mprintf(LOGG_INFO, " --bytecode-unsigned[=yes/no(*)] Load unsigned bytecode.\n");
 mprintf(LOGG_INFO, " **Caution**: You should NEVER run bytecode signatures from untrusted sources.\n");
 mprintf(LOGG_INFO, " Doing so may result in arbitrary code execution.\n");
- mprintf(LOGG_INFO, " --bytecode-timeout=N Set bytecode timeout (in milliseconds)\n");
- mprintf(LOGG_INFO, " --statistics[=none(*)/bytecode/pcre] Collect and print execution statistics\n");
- mprintf(LOGG_INFO, " --detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications\n");
- mprintf(LOGG_INFO, " --exclude-pua=CAT Skip PUA sigs of category CAT\n");
- mprintf(LOGG_INFO, " --include-pua=CAT Load PUA sigs of category CAT\n");
- mprintf(LOGG_INFO, " --detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card)\n");
- mprintf(LOGG_INFO, " --structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)\n");
- mprintf(LOGG_INFO, " --structured-ssn-count=N Min SSN count to generate a detect\n");
- mprintf(LOGG_INFO, " --structured-cc-count=N Min CC count to generate a detect\n");
- mprintf(LOGG_INFO, " --structured-cc-mode=X CC mode (0=credit debit and private label, 1=credit cards only\n");
- mprintf(LOGG_INFO, " --scan-mail[=yes(*)/no] Scan mail files\n");
- mprintf(LOGG_INFO, " --phishing-sigs[=yes(*)/no] Enable email signature-based phishing detection\n");
- mprintf(LOGG_INFO, " --phishing-scan-urls[=yes(*)/no] Enable URL signature-based phishing detection\n");
- mprintf(LOGG_INFO, " --heuristic-alerts[=yes(*)/no] Heuristic alerts\n");
- mprintf(LOGG_INFO, " --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found\n");
- mprintf(LOGG_INFO, " --normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility\n");
- mprintf(LOGG_INFO, " --scan-pe[=yes(*)/no] Scan PE files\n");
- mprintf(LOGG_INFO, " --scan-elf[=yes(*)/no] Scan ELF files\n");
- mprintf(LOGG_INFO, " --scan-ole2[=yes(*)/no] Scan OLE2 containers\n");
- mprintf(LOGG_INFO, " --scan-pdf[=yes(*)/no] Scan PDF files\n");
- mprintf(LOGG_INFO, " --scan-swf[=yes(*)/no] Scan SWF files\n");
- mprintf(LOGG_INFO, " --scan-html[=yes(*)/no] Scan HTML files\n");
- mprintf(LOGG_INFO, " --scan-xmldocs[=yes(*)/no] Scan xml-based document files\n");
- mprintf(LOGG_INFO, " --scan-hwp3[=yes(*)/no] Scan HWP3 files\n");
- mprintf(LOGG_INFO, " --scan-onenote[=yes(*)/no] Scan OneNote files\n");
- mprintf(LOGG_INFO, " --scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)\n");
- mprintf(LOGG_INFO, " --scan-image[=yes(*)/no] Scan image (graphics) files\n");
- mprintf(LOGG_INFO, " --scan-image-fuzzy-hash[=yes(*)/no] Detect files by calculating image (graphics) fuzzy hashes\n");
- mprintf(LOGG_INFO, " --alert-broken[=yes/no(*)] Alert on broken executable files (PE & ELF)\n");
- mprintf(LOGG_INFO, " --alert-broken-media[=yes/no(*)] Alert on broken graphics files (JPEG, TIFF, PNG, GIF)\n");
- mprintf(LOGG_INFO, " --alert-encrypted[=yes/no(*)] Alert on encrypted archives and documents\n");
- mprintf(LOGG_INFO, " --alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives\n");
- mprintf(LOGG_INFO, " --alert-encrypted-doc[=yes/no(*)] Alert on encrypted documents\n");
- mprintf(LOGG_INFO, " --alert-macros[=yes/no(*)] Alert on OLE2 files containing VBA macros\n");
- mprintf(LOGG_INFO, " --alert-exceeds-max[=yes/no(*)] Alert on files that exceed max file size, max scan size, or max recursion limit\n");
- mprintf(LOGG_INFO, " --alert-phishing-ssl[=yes/no(*)] Alert on emails containing SSL mismatches in URLs\n");
- mprintf(LOGG_INFO, " --alert-phishing-cloak[=yes/no(*)] Alert on emails containing cloaked URLs\n");
- mprintf(LOGG_INFO, " --alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing partition intersections\n");
- mprintf(LOGG_INFO, " --nocerts Disable authenticode certificate chain verification in PE files\n");
- mprintf(LOGG_INFO, " --dumpcerts Dump authenticode certificate chain in PE files\n");
+ mprintf(LOGG_INFO, " --bytecode-timeout=N Set bytecode timeout (in milliseconds).\n");
+ mprintf(LOGG_INFO, " --statistics[=none(*)/bytecode/pcre] Collect and print execution statistics.\n");
+ mprintf(LOGG_INFO, " --detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications.\n");
+ mprintf(LOGG_INFO, " --exclude-pua=CAT Skip PUA sigs of category CAT.\n");
+ mprintf(LOGG_INFO, " --include-pua=CAT Load PUA sigs of category CAT.\n");
+ mprintf(LOGG_INFO, " --detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card).\n");
+ mprintf(LOGG_INFO, " --structured-ssn-format=X SSN format (0=normal,1=stripped,2=both).\n");
+ mprintf(LOGG_INFO, " --structured-ssn-count=N Min SSN count to generate a detect.\n");
+ mprintf(LOGG_INFO, " --structured-cc-count=N Min CC count to generate a detect.\n");
+ mprintf(LOGG_INFO, " --structured-cc-mode=X CC mode (0=credit debit and private label, 1=credit cards only.\n");
+ mprintf(LOGG_INFO, " --scan-mail[=yes(*)/no] Scan mail files.\n");
+ mprintf(LOGG_INFO, " --phishing-sigs[=yes(*)/no] Enable email signature-based phishing detection.\n");
+ mprintf(LOGG_INFO, " --phishing-scan-urls[=yes(*)/no] Enable URL signature-based phishing detection.\n");
+ mprintf(LOGG_INFO, " --heuristic-alerts[=yes(*)/no] Heuristic alerts.\n");
+ mprintf(LOGG_INFO, " --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found.\n");
+ mprintf(LOGG_INFO, " --normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility.\n");
+ mprintf(LOGG_INFO, " --scan-pe[=yes(*)/no] Scan PE files.\n");
+ mprintf(LOGG_INFO, " --scan-elf[=yes(*)/no] Scan ELF files.\n");
+ mprintf(LOGG_INFO, " --scan-ole2[=yes(*)/no] Scan OLE2 containers.\n");
+ mprintf(LOGG_INFO, " --scan-pdf[=yes(*)/no] Scan PDF files.\n");
+ mprintf(LOGG_INFO, " --scan-swf[=yes(*)/no] Scan SWF files.\n");
+ mprintf(LOGG_INFO, " --scan-html[=yes(*)/no] Scan HTML files.\n");
+ mprintf(LOGG_INFO, " --scan-xmldocs[=yes(*)/no] Scan xml-based document files.\n");
+ mprintf(LOGG_INFO, " --scan-hwp3[=yes(*)/no] Scan HWP3 files.\n");
+ mprintf(LOGG_INFO, " --scan-onenote[=yes(*)/no] Scan OneNote files.\n");
+ mprintf(LOGG_INFO, " --scan-archive[=yes(*)/no] Scan archive files (supported by libclamav).\n");
+ mprintf(LOGG_INFO, " --scan-image[=yes(*)/no] Scan image (graphics) files.\n");
+ mprintf(LOGG_INFO, " --scan-image-fuzzy-hash[=yes(*)/no] Detect files by calculating image (graphics) fuzzy hashes.\n");
+ mprintf(LOGG_INFO, " --alert-broken[=yes/no(*)] Alert on broken executable files (PE & ELF).\n");
+ mprintf(LOGG_INFO, " --alert-broken-media[=yes/no(*)] Alert on broken graphics files (JPEG, TIFF, PNG, GIF).\n");
+ mprintf(LOGG_INFO, " --alert-encrypted[=yes/no(*)] Alert on encrypted archives and documents.\n");
+ mprintf(LOGG_INFO, " --alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives.\n");
+ mprintf(LOGG_INFO, " --alert-encrypted-doc[=yes/no(*)] Alert on encrypted documents.\n");
+ mprintf(LOGG_INFO, " --alert-macros[=yes/no(*)] Alert on OLE2 files containing VBA macros.\n");
+ mprintf(LOGG_INFO, " --alert-exceeds-max[=yes/no(*)] Alert on files that exceed max file size, max scan size, or max recursion limit.\n");
+ mprintf(LOGG_INFO, " --alert-phishing-ssl[=yes/no(*)] Alert on emails containing SSL mismatches in URLs.\n");
+ mprintf(LOGG_INFO, " --alert-phishing-cloak[=yes/no(*)] Alert on emails containing cloaked URLs.\n");
+ mprintf(LOGG_INFO, " --alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing partition intersections.\n");
+ mprintf(LOGG_INFO, " --nocerts Disable authenticode certificate chain verification in PE files.\n");
+ mprintf(LOGG_INFO, " --dumpcerts Dump authenticode certificate chain in PE files.\n");
 mprintf(LOGG_INFO, "\n");
- mprintf(LOGG_INFO, " --max-scantime=#n Scan time longer than this will be skipped and assumed clean (milliseconds)\n");
- mprintf(LOGG_INFO, " --max-filesize=#n Files larger than this will be skipped and assumed clean\n");
- mprintf(LOGG_INFO, " --max-scansize=#n The maximum amount of data to scan for each container file (**)\n");
- mprintf(LOGG_INFO, " --max-files=#n The maximum number of files to scan for each container file (**)\n");
- mprintf(LOGG_INFO, " --max-recursion=#n Maximum archive recursion level for container file (**)\n");
- mprintf(LOGG_INFO, " --max-dir-recursion=#n Maximum directory recursion level\n");
- mprintf(LOGG_INFO, " --max-embeddedpe=#n Maximum size file to check for embedded PE\n");
- mprintf(LOGG_INFO, " --max-htmlnormalize=#n Maximum size of HTML file to normalize\n");
- mprintf(LOGG_INFO, " --max-htmlnotags=#n Maximum size of normalized HTML file to scan\n");
- mprintf(LOGG_INFO, " --max-scriptnormalize=#n Maximum size of script file to normalize\n");
- mprintf(LOGG_INFO, " --max-ziptypercg=#n Maximum size zip to type reanalyze\n");
- mprintf(LOGG_INFO, " --max-partitions=#n Maximum number of partitions in disk image to be scanned\n");
- mprintf(LOGG_INFO, " --max-iconspe=#n Maximum number of icons in PE file to be scanned\n");
- mprintf(LOGG_INFO, " --max-rechwp3=#n Maximum recursive calls to HWP3 parsing function\n");
+ mprintf(LOGG_INFO, " --max-scantime=#n Scan time longer than this will be skipped and assumed clean (milliseconds).\n");
+ mprintf(LOGG_INFO, " --max-filesize=#n Files larger than this will be skipped and assumed clean.\n");
+ mprintf(LOGG_INFO, " --max-scansize=#n The maximum amount of data to scan for each container file (**).\n");
+ mprintf(LOGG_INFO, " --max-files=#n The maximum number of files to scan for each container file (**).\n");
+ mprintf(LOGG_INFO, " --max-recursion=#n Maximum archive recursion level for container file (**).\n");
+ mprintf(LOGG_INFO, " --max-dir-recursion=#n Maximum directory recursion level.\n");
+ mprintf(LOGG_INFO, " --max-embeddedpe=#n Maximum size file to check for embedded PE.\n");
+ mprintf(LOGG_INFO, " --max-htmlnormalize=#n Maximum size of HTML file to normalize.\n");
+ mprintf(LOGG_INFO, " --max-htmlnotags=#n Maximum size of normalized HTML file to scan.\n");
+ mprintf(LOGG_INFO, " --max-scriptnormalize=#n Maximum size of script file to normalize.\n");
+ mprintf(LOGG_INFO, " --max-ziptypercg=#n Maximum size zip to type reanalyze.\n");
+ mprintf(LOGG_INFO, " --max-partitions=#n Maximum number of partitions in disk image to be scanned.\n");
+ mprintf(LOGG_INFO, " --max-iconspe=#n Maximum number of icons in PE file to be scanned.\n");
+ mprintf(LOGG_INFO, " --max-rechwp3=#n Maximum recursive calls to HWP3 parsing function.\n");
 mprintf(LOGG_INFO, " --pcre-match-limit=#n Maximum calls to the PCRE match function.\n");
 mprintf(LOGG_INFO, " --pcre-recmatch-limit=#n Maximum recursive calls to the PCRE match function.\n");
 mprintf(LOGG_INFO, " --pcre-max-filesize=#n Maximum size file to perform PCRE subsig matching.\n");
@@ -380,7 +381,7 @@ void help(void)
 mprintf(LOGG_INFO, " CA cert needed to verify detached CVD digital signatures.\n");
 mprintf(LOGG_INFO, " If not provided, then clamscan will look in the default directory.\n");
 mprintf(LOGG_INFO, " --fips-limits Enforce FIPS-like limits on using hash algorithms for\n");
- mprintf(LOGG_INFO, " cryptographic purposes. Will disable MD5 & SHA1\n");
+ mprintf(LOGG_INFO, " cryptographic purposes. Will disable MD5 & SHA1.\n");
 mprintf(LOGG_INFO, " FP sigs and will require '.sign' files to verify CVD\n");
 mprintf(LOGG_INFO, " authenticity.\n");
 mprintf(LOGG_INFO, "\n");
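Review bot: The new `--structured-cc-mode` line gained a period but its parenthesis is still unbalanced; the string should end `1=credit cards only).\n`. The unchanged context line `A JSON file will dropped to the temp directory` is missing `be` and could be fixed in the same pass. The added `--json-store-extra-hashes[=yes(*)/no]` entry documents MD5 and SHA1 as stored by default, but the help text does not say whether that default still applies when `--fips-limits` is set. This hunk does not show the behaviour, so the help should state it once confirmed, for operators in FIPS-constrained environments. The body of help() starts and ends outside this hunk.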
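Review bot: The period added after `SHA1` in the `--fips-limits` text breaks the sentence in the wrong place, because the next context line continues it with `FP sigs and will require '.sign' files to verify CVD`. The help now reads "Will disable MD5 & SHA1. FP sigs and will require ...", which suggests MD5 and SHA1 are disabled outright rather than only the MD5 & SHA1 FP sigs. Keep the original `cryptographic purposes. Will disable MD5 & SHA1\n`; the sentence already ends with a period at `authenticity.`. For a switch that governs hash-algorithm policy, the scope of what is disabled should read unambiguously.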
diff --git a/docs/man/clamscan.1.in b/docs/man/clamscan.1.in
index 3eee5f8b3..4069d9b51 100644
--- a/docs/man/clamscan.1.in
+++ b/docs/man/clamscan.1.in
@@ -57,6 +57,15 @@ This option causes memory or nested map scans to dump the content to disk. If yo
 \fB\-\-gen\-json\fR
 Generate JSON description of scanned file(s). JSON will be printed and also dropped to the temp directory if --leave-temps is enabled.
 .TP
+\fB\-\-json\-store\-html\-uris\fR
+Store html URIs in metadata. URIs will be written to the metadata.json file in an array called 'URIs'.
+.TP
+\fB\-\-json\-store\-pdf\-uris\fR
+Store pdf URIs in metadata. URIs will be written to the metadata.json file in an array called 'URIs'.
+.TP
+\fB\-\-json\-store\-extra\-hashes\fR
+Store md5 and sha1 in addition to sha2-256 in metadata.
+.TP
 \fB\-d FILE/DIR, \-\-database=FILE/DIR\fR
 Load virus database from FILE or load all virus database files from DIR.
 .TP