Zoner Antivirus – The Latest Technology

The program core has a modern design, contains a state-of-the-art code emulator, and boasts a unique heuristic analyzer, designed precisely to meet the threats of today.

NAME

zavcli - Zoner AntiVirus command-line interface

SYNOPSIS

zavcli [OPTIONS] PATH...

DESCRIPTION

Zavcli is a command-line client for the Zoner AntiVirus daemon (ZAVd). All PATHs are scanned for viruses and the results are printed to standard output.

BASIC OPTIONS

-v, --version
display zavcli version information and exit
-V, --version-zavd
display ZAVd version information and exit
-h, --help
display this help and exit
-n, --no-recurse
do not traverse directories

SCAN OPTIONS

These options override default values set for ZAVd in its configuration file:
--(no-)scan-full
continue scanning the current file after an infection is found
--(no-)scan-heuristics
perform heuristic analysis (can detect a previously unknown virus)
--(no-)scan-emulation
run PE emulator to check binaries
--(no-)scan-archives
decompress archives and check their content
--(no-)scan-packers
decompress files compressed by runtime-packers (e.g. UPX)
--(no-)scan-gdl
use Generic Detection Language to check files
--(no-)scan-phishing
enable heuristic phishing detection
--(no-)scan-deep
scan the whole file (not only the first few MB)
--scan-maxsize=SIZE
unpack only SIZE bytes from an archive
--scan-maxfiles=NUM
unpack up to NUM files from an archive
--scan-recursion=NUM
stop after reaching NUM levels of nested archives (i.e. archive in archive in ...)
--scan-timeout=TIME
stop scanning after TIME seconds and return partial results (will be limited by global ZAVd configuration)
--scan-level=LEVEL
how thorough the scanner should be: fastest, normal, advanced or brute
--scan-dev
do not omit /dev directory (not recommended)
--scan-proc
do not omit /proc directory (not recommended)
--scan-sys
do not omit /sys directory (not recommended)

PERFORMANCE OPTIONS

-t, --threads=NUM
run zavcli in NUM threads (faster, if ZAVd runs more scanner instances)
-w, --timeout=TIME
disconnect from ZAVd after TIME seconds (default: 300)

OUTPUT OPTIONS

-q, --quiet
be quiet (only error messages are printed)
-s, --stats
print overall statistics after scanning is done (number of clean files, infected files, errors, etc.)
-i, --scan-info
print scan time and filesize for every scanned file (e.g. " 0.000.123 12345 /tmp/file")
--tree
instead of only printing found virus names, print also infected sub-files (useful for archives)
--color
use colorized terminal output
--show=RESTYPES
show only RESTYPES scan results, hide the rest
--no-show=RESTYPES
suppress RESTYPES scan results, show the rest
Possible RESTYPES:
clean - files without any infection
infected - malware pattern found
probinfected - probably infected files (a known but uncertain pattern detected)
suspicious - suspicious files (mostly executables and phishing files)
nonstandard - files that are not really suspicious, but somehow different from normal files
unknown - files with an unknown type of infection, caused by old ZAVd/ZAVCli with newer ZAVCore
scanerror - files causing an error during scanning
timeout - files where a user-defined timeout has been reached during scanning
all - all of the above

FILTERING OPTIONS

--no-symlinks
do not follow symbolic links
--no-mounts
do not follow mountpoints (do not change the device, specified by the PATH argument)
--maxsize=SIZE
do not scan files larger than SIZE (default: unlimited); you can append units: 'B', 'k', 'M' or 'G'
--minsize=SIZE
do not scan files smaller than SIZE (default: 0); you can append units: 'B', 'k', 'M' or 'G'

ADVANCED OPTIONS

-c, --config-dir=DIR
path to ZAVd configuration files, used to adjust maximum number of threads and to find ZAVd socket, by default zavcli tries '/etc/zav' and '~/.zav'
-z, --zavd-socket=FILE
path to ZAVd socket, which is needed to scan files; use this option instead of -c when calling zavcli externally, this way no configuration file is parsed (faster)
--conn-retries=N
when ZAVd cannot be reached, retry N times (default: 1)
--conn-interval=TIME
when ZAVd cannot be reached, try again after TIME seconds (default: 1)
--remove=RESTYPES
remove files having RESTYPES results after scanning (use with caution)
--copy=OPTS
copy files after scanning, OPTS are of the form RESTYPE=DIR

EXAMPLES

Scan '/bin' directory and a '/tmp/test' file:

zavcli /bin /tmp/test

Scan '/tmp/test' directory, remove all infected files and save all suspicious and nonstandard ones:

zavcli --remove=infected --copy=nonstandard=/tmp/nstd,suspicious=/tmp/susp /tmp/test

Scan your home directory using colors and hide all clean and nonstandard results:

zavcli --no-show=clean,nonstandard --color ~

Scan all files up to 10MB on '/mnt/usb' showing only infected results, using the fastest scanning:

zavcli --show=infected --scan-level=fastest --maxsize=10M /mnt/usb

RETURN CODES

These return codes apply either to a single file (if only one file is specified) or represent the most important result from all files that have been scanned during execution (if more files/directories are specified).

0: - clean - all files clean, no errors

1: - error - zavcli encountered an error (glibc call or syscall)

2: - scanerror - ZAVd returned an error

11: - infected - file has been infected by a known virus

12: - probably infected - file has been infected by a virus, but the detection is not certain

13: - suspicious - file looks suspicious (virus-like behaviour of a binary, phishing attempts, possible exploits)

14: - nonstandard - file has some non-standard attributes, but is not really suspicious (only few symptoms)

15: - unknown - file has been infected by an unknown type of infection (caused by obsolete ZAVd version)

16: - timeout - the scanning has timed out
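
One way to act on these return codes from a script, as an added example (not part of the zavcli manual or Zoner's code). The accept/review/reject policy, the ZAVCLI variable and the function names are assumptions of this sketch; it fails closed, so error, scanerror, timeout and any undocumented code are never treated as clean.

```sh
#!/bin/sh
# Added example: gate a file on zavcli's documented return codes.
# ZAVCLI is a variable of this sketch (path to the binary), not a zavcli setting.
ZAVCLI="${ZAVCLI:-zavcli}"

# Map a zavcli return code to a result name (names from the lists above).
zav_result_name() {
    case "$1" in
        0)  echo clean ;;
        1)  echo error ;;
        2)  echo scanerror ;;
        11) echo infected ;;
        12) echo probinfected ;;
        13) echo suspicious ;;
        14) echo nonstandard ;;
        15) echo unknown ;;
        16) echo timeout ;;
        *)  echo unrecognized ;;
    esac
}

# Assumed policy for a return code: accept, review or reject.
# Fail closed: errors, timeouts and unrecognized codes never count as clean.
zav_decision() {
    case "$1" in
        0)           echo accept ;;
        14)          echo review ;;
        11|12|13|15) echo reject ;;
        *)           echo reject ;;   # 1, 2, 16 and anything undocumented
    esac
}

# Scan one path; print "<decision> <result> <path>"; return 0 only on accept.
scan_gate() {
    path=$1
    case "$path" in -*) path="./$path" ;; esac   # a leading '-' must not parse as an option
    rc=0
    "$ZAVCLI" --quiet --no-symlinks "$path" >&2 || rc=$?
    decision=$(zav_decision "$rc")
    echo "$decision $(zav_result_name "$rc") $path"
    [ "$decision" = accept ]
}
```

Call scan_gate with one file at a time when a per-file verdict is needed, since with several paths the return code only reflects the most important result across all of them.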

AUTHOR

Written by Jaromir Smrcek.

BUGS

Report bugs to Jaromir Smrcek <jaromir.smrcek@zoner.com>. Start your 'Subject:' by 'ZAV' and please include the output of 'zavcli -V'.

SEE ALSO

zavd(8), zavd.conf(5)
