Zoner Antivirus – The Latest Technology

The program core has a modern design, contains a state-of-the-art code emulator, and boasts a unique heuristic analyzer, designed precisely to meet the threats of today.


libzavld - Zoner AntiVirus LD_PRELOAD library


Libzavld is a LD_PRELOAD library used with Zoner AntiVirus daemon (ZAVd) to provide process-based on-access scanning.

This library can be attached to any dynamically-linked program via LD_PRELOAD environment variable or /etc/ configuration file. It intercepts (hooks) any direct call (i.e. not those called from libraries preloaded after this one) to close() or fclose() and if the filedescriptor has been open for writing to a regular file, it is sent to ZAVd to be scanned.

To ensure that the descriptor could be read from, any call to open(), open64(), creat(), creat64(), fopen(), fopen64(), freopen() and freopen64() is intercepted and the readable-flag is forced. You can disable this behaviour by defining environment variable ZAVLD_NOFORCE.

If you have problems using the library, verbose mode (usable only for testing as it writes to a standard output and standard error output) can be turned on by defining environment variable ZAVLD_VERBOSE to 1 (print errors) or 2 (print informational messages).

The library sends only writable descriptors for regular files. To determine which files to be scanned, the filename is resolved and filtered on ZAVd's side.

ZAVd has to be contacted via an UNIX socket. The address of the socket is taken from a configuration file. libzavld tries default locations, but you can specify a configuration directory by ZAVD_ETCPATH environment variable.

A PID is sent to ZAVd to be logged with the file path. By default, originating process' PID is used. However sometimes it is better to use the PID of the process you started with LD_PRELOAD variable (i.e. ftp or web servers that use worker processes). You can enforce this behaviour by defining ZAVLD_ROOTPID environment variable.


The default usage:
LD_PRELOAD=/opt/zav/lib/ program <args>

Run without enforcing read access to all descriptors (can block ZAVd from scanning the file):

ZAVLD_NOFORCE=1 LD_PRELOAD=/opt/zav/lib/ program <args>

Show errors:

ZAVLD_DEBUG=1 LD_PRELOAD=/opt/zav/lib/ program <args>


If you want to use libzavld with daemons started via init scripts, you have to edit such scripts. In case of simple shell scripts, just apply the same technique as shown above.

start-stop-daemon initscripts have to be edited using --env arguments, e.g. start-stop-daemon --start --env LD_PRELOAD=/opt/zav/lib/ --exec program.


The library connects to ZAVd on initialization. If ZAVd is restarted, reconnection is needed, but in chrooted environment, no reconnection is possible, you have to restart such programs. In the case of some daemons (like FTP), chroot is only applied for children processeses, so the reconnection is done by the parent eventually and new spawned children can function normally.

On ZAVd's side /proc access is needed, but due tot he bug in Linux kernels <2.6.22, it is inaccessible for setuid programs. Either update (or patch your kernel) or install ZAVd as a given user and do not make it change user:group on startup.


The complete source code for is available in your doc/ directory (/opt/zav/doc/ by default). The library has been compiled using gcc -std=c99 -ldl -fPIC -shared -o zavld.c.


Written by Jaromir Smrcek.


Report bugs to Jaromir Smrcek <>. Start your 'Subject:' by 'ZAV' and please include the output of 'zavcli -V'.


zavd(8), zavd.conf(5), zavld.conf(5)

Shield your Android

Current Virus Activity


Current Version

ZAV Core:
ZAV Database:
Zoner Antivirus

Zoner Sandbox

If you suspect that a file might be infected and you thus want to determine what a given program is doing, you can send a file for us to analyze. We will evaluate the given program's behavior and send you back detailed results.