Configuring command line scans (Linux)

This Article Applies to:

  • Avast Business Antivirus

Scan manual page

Scan is the basic command line scanner that comes with Avast for Linux. It searches the given PATH(s) for infected files and reports such files to the standard output. If no PATH is given, the scan paths are read from the standard input, line by line.

The scan tool is a client that connects to the Avast scan service; it cannot work separately without a running scan service.

The manual scan page format is:

scan [-s SOCKET] [-e PATH] [-abfipux] [PATH]...

scan [-s SOCKET] [-a] -U [URL]...

scan [-s SOCKET] -V

scan -h | -v

Options

  • -h: Print short usage info and exit
  • -v: Print program version and exit
  • -V: Print the virus definitions (VPS) version and exit. The VPS version is retrieved from the scan service
  • -U: Check URLs. Checks whether an URL is malicious
    • The URL is checked against a blacklist, so no network request to the given URL is done
  • -s SOCKET: Use SOCKET to connect to the scan service. The default scan socket path is /Library/Application Support/Avast/run/scan.sock
  • -e PATH: Exclude PATH from the scan. Use this option multiple times when more than one exclude path is required
  • -a: Print all scanned files/URLs, not just infected.
  • -b: Report decompression bombs as infections. When set, files suspected of being decompression bombs are reported as infected, not as errors.
  • -f: Scan full files. When set, the entire file contents are scanned, not just the relevant file parts.
  • -i: Print verbose infection info. When set, verbose info about all infections found in the scanned file is printed.
  • -l LEVEL: Set heuristics level to LEVEL (0-100)
  • -p: Print archive content. When set, the files in an archive are listed separately, with the scan status for each shown
  • -u: Report potentially unwanted programs (PUP). When set, PUP files are reported as infected
  • -x: Do not extract archives. When set, compressed files are not extracted during scan

Output format

Every detected malicious file is reported on a separate line in the format: PATH INFECTION.

  • If all files are printed using the -a option, then the clean files have an "[OK]" string as the infection name and files that could not be scanned (insufficient permissions, corrupted archives, ...) have an "[ERROR]" string as the infection name.
  • Files that were excluded from the scan using the -e option have an "[EXCLUDED]" string as the infection name.

If the -p option is set, PATH contains the archive path delimited by a "|>".

Access rights

It is the scan service that is accessing the files being scanned, not the scan utility itself. Therefore, the scan service must have access rights to the scanned files. Connections to the scan service may be restricted to clients with the same UID/GID if enabled in the scan service configuration.

Exit status

  • 0: if no infected files are found
  • 1: if infected files are found
  • 2: if an error occurred

Infected status takes precedence over error status, thus a scan where some file could not be scanned and some infection was found returns 1.