How can I make a detailed report of ClamAV scan results (location of infected files)?


Solution 1

I use sudo clamscan / --recursive | tee clamscan.log, so that I can both watch the results go by, and inspect the whole output afterward.

Solution 2

Apparently you have to tell ClamAV where to put your report of infected files. Looking at the wiki, it appears the software isn't stellar and there might be better packages to use if security is your first concern. However, ClamAV is open source and free, so if budget is the priority it is probably the best.

As far as seeing a report of infected files this is what I found in the Community Help Wiki:

Infected files reporting

In case you are recursively scanning the whole /home folder (or even the whole system) from a terminal emulator on your GUI, possibly there will be lots of files. In that case, as the output you will get is not infinite, it probably will help to generate a report containing the paths to all infected files. In that case you can do the following:

sudo clamscan -r /folder/to/scan/ | grep FOUND >> /path/to/save/report/file.txt

Be patient if you run that command and it doesn't seem to be working because even if you don't see the complete output it is really scanning the files. When you see the prompt again, that will mean the scan is finished and that you can open the file it has created to check any infected file detected in your system.

As ClamAV doesn't disinfect the files, sometimes it will be better to just know which files are infected before putting them in quarantine or removing them. For example, you could be using Wine and by deleting an infected file you could break a program without having saved some data.
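
An added example, not part of the original answer or the wiki: the quoted `grep FOUND` filter matches FOUND anywhere in a line, including inside file names, so this sketch anchors the match on the trailing ` FOUND` and splits each hit into path and signature. The sample lines are constructed, and the function names and the assumption that signature names contain no spaces are this example's own.

```sh
#!/bin/sh
# Constructed sample of clamscan per-file lines ("<path>: OK" or
# "<path>: <signature> FOUND"); paths and signature names are made up.
sample_output() {
    cat <<'EOF'
/var/www/404NOTFOUND.html: OK
/home/u/FOUND items/list.txt: OK
/home/u/dl/eicar.com: Eicar-Test-Signature FOUND
/home/u/mail/re: hello.eml: Win.Test.EICAR_HDB-1 FOUND
EOF
}

# The quoted filter: matches FOUND anywhere in the line,
# so clean files with FOUND in their path end up in the report.
naive_report() {
    grep FOUND
}

# Anchored filter (hypothetical helper): keep only lines that END in " FOUND",
# then split at the last ": " before the signature. Assumes signature names
# contain no spaces; paths may contain ": " or the word FOUND.
infected_report() {
    awk '
        / FOUND$/ {
            line = $0
            sub(/ FOUND$/, "", line)
            if (match(line, /: [^ ]+$/)) {
                # Output: <path><TAB><signature>
                printf "%s\t%s\n", substr(line, 1, RSTART - 1), substr(line, RSTART + 2)
            }
        }'
}

# Compare both filters on the constructed sample.
echo "grep FOUND:      $(sample_output | naive_report | wc -l) lines"
echo "anchored filter: $(sample_output | infected_report | wc -l) lines"
sample_output | infected_report

# Real use, with the command from the answer above:
#   sudo clamscan -r /folder/to/scan/ | infected_report > report.tsv
```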

Solution 3

If you type man clamscan in a terminal, you will see all the available options. One of them is -i, which prints the infected files only. Typing clamscan -ir /folder, for example, would show you all the infected files in that folder and all subfolders.

Author by

Andrea Lazzarotto


Updated on September 18, 2022

Comments

  • Andrea Lazzarotto over 1 year

    I'm scanning with ClamAV and I got the following summary:

    ----------- SCAN SUMMARY -----------
    Known viruses: 4724261
    Engine version: 0.99
    Scanned directories: 128878
    Scanned files: 791920
    Infected files: 29
    Total errors: 25699
    Data scanned: 187109.62 MB
    Data read: 1683517.68 MB (ratio 0.11:1)
    Time: 19860.535 sec (331 m 0 s)
    

    My question is: how to find the infected files? I tried to open stdout but I know no application to do that. I tried to find a log file... couldn't

    • Admin almost 8 years
      Welcome to Ask Ubuntu! Which command did you use to scan? It's been a while, but when I was using clamscan -avr (IIRC) it was pretty clear about the files.
    • Admin almost 8 years
      If an answer was helpful to you, then please consider marking it as the accepted answer so others may more easily find it in the future. This is also a polite way to thank the person answering your question for helping you out.
  • Andrea Lazzarotto almost 8 years
    You should consider citing the link where you got the information from. :)
  • WinEunuuchs2Unix almost 8 years
    So right you are @Andrea Lazzarotto, I added the link to Ubuntu Help thread. :)
  • Tilman over 6 years
    The command in the Community Help wiki quote will not just list the infected files, but also all files whose paths contain the string FOUND no matter if they are infected or not.
  • WinEunuuchs2Unix over 6 years
    @Tilman Would you suggest I delete this answer? I don't mind if it's the best course.
  • Tilman over 6 years
    Yes, using the -i option as proposed in the other answer looks like the better approach to me. If you have editing access to the Community Help Wiki then could you perhaps improve the article there.
  • WinEunuuchs2Unix over 6 years
    @Tilman I don't have editing access to wiki pages. Notice the command | grep FOUND that limits the report to viruses found. On the surface it appears the wiki page is correct.
  • Tilman over 6 years
    It isn't. | grep FOUND matches string "FOUND" no matter where in the line it appears. So if you have, for example, a file named "404NOTFOUND.html" it will show up in the report even if it isn't infected. Reason for my comment was a query by a user stumbling on exactly that and wondering if he should delete that file because ClamAV reported it as infected (which it didn't).
  • Jehanzeb.Malik about 3 years
    Although clamav does not log list of scanned files using -i flag it "does" log the errors in reading files. That could be a huge number of errors if you are scanning the whole drive or if you are scanning outside your home directory without sudo privileges.