Zoner Antivirus – The Latest Technology

The program core has a modern design, contains a state-of-the-art code emulator, and boasts a unique heuristic analyzer, designed precisely to meet the threats of today.


zavcli - Zoner AntiVirus command-line interface


zavcli [OPTIONS] PATH...


Zavcli is a command-line client for Zoner AntiVirus daemon (ZAVd). All PATHs are scanned for viruses and results are printed to standard output.


-v, --version
display zavcli version information and exit
-V, --version-zavd
display ZAVd version information and exit
-h, --help
display this help and exit
-n, --no-recurse
do not traverse directories


These options override default values set for ZAVd in its configuration file:
continue to scan current file after an infection found
perform heuristic analysis (can detect a previously unknown virus)
run PE emulator to check binaries
decompress archives and check their content
decompress files compressed by runtime-packers (e.g. UPX)
use Generic Detection Language to check files
enable heuristic phishing detection
scan the whole file (not only the first few MB)
unpack only SIZE bytes from an archive
unpack up to NUM files from an archive
stop after reaching NUM level of nested archives (i.e. archive in archive in ...)
stop scanning afer TIME seconds and return partial results (will be limited by global ZAVd configuration)
how thorough the scanner should be: fastest, normal, advanced or brute
do not omit /dev directory (not recommended)
do not omit /proc directory (not recommended)
do not omit /sys directory (not recommended)


-t, --threads=NUM
run zavcli in NUM threads (faster, if ZAVd runs more scanner instances)
-w, --timeout=TIME
disconnect from ZAVd after TIME seconds (default: 300)


-q, --quiet
be quiet (only error messages are printed)
-s, --stats
print overall statistics after scanning is done (number of clean files, infected files, errors, etc.)
-i, --scan-info
print scan time and filesize for every scanned file (e.g. " 0.000.123 12345 /tmp/file")
instead of only printing found virus names, print also infected sub-files (useful for archives)
use colorized terminal output
show only RESTYPES scan results, hide the rest
suppress RESTYPES scan results, show the rest
Possible RESTYPES:
clean - files without any infection
infected - malware pattern found
probinfected - probably infected files (a known but uncertain pattern detected)
suspicious - suspicious files (mostly executables and phishing files)
nonstandard - files that are not really suspicious, but somehow different from normal files
unknown - files with an unknown type of infection, caused by old ZAVd/ZAVCli with newer ZAVCore
scanerror - files causing an error during scanning
timeout - files where a user-defined timeout has been reached during scanning
all - all of the above


do not follow symbolic links
do not follow mountpoints (do not change the device, specified by the PATH argument)
do not scan files larger than SIZE (default: unlimited), you can append units: 'B', 'k', 'M' or 'G'
do not scan files smaller than SIZE (default: 0), you can append units: 'B', 'k', 'M' or 'G'


-c, --config-dir=DIR
path to ZAVd configuration files, used to adjust maximum number of threads and to find ZAVd socket, by default zavcli tries '/etc/zav' and '~/.zav'
-z, --zavd-socket=FILE
path to ZAVd socket, which is needed to scan files; use this option instead of -c when calling zavcli externally, this way no configuration file is parsed (faster)
when ZAVd cannot be reached, retry N times (default: 1)
when ZAVd cannot be reached, try again after TIME seconds (default: 1)
remove files having RESTYPES results after scanning (use with caution)
copy files after scanning, OPTS are of the form RESTYPE=DIR


Scan '/bin' directory and a '/tmp/test' file:

zavcli /bin /tmp/test

Scan '/tmp/test' directory, remove all infected files and save all suspicious and nonstandard ones:

zavcli --remove=infected --copy=nonstandard=/tmp/nstd,suspicious=/tmp/susp /tmp/test

Scan your home directory using colors and hide all clean and nonstandard results:

zavcli --no-show=clean,nonstandard --color ~

Scan all files up to 10MB on '/mnt/usb' showing only infected results, using the fastest scanning:

zavcli --show=infected --scan-level=fastest --maxsize=10M /mnt/usb


These return codes apply either to a single file (if only one file specified) or represent the most important result from all files that have been scanned during execution (if more files/directories specified).

0: - clean - all files clean, no errors

1: - error - zavcli encountered an error (glibc call or syscall)

2: - scanerror - ZAVd returned an error

11: - infected - file has been infected by a known virus

12: - probably infected - file has been infected by a virus, but the detection is not doubtless

13: - suspicious - file looks supicious (virus-like behaviour of a binary, phishing attempts, possible exploits)

14: - nonstandard - file has some non-standard attributes, but is not really suspicious (only few symptoms)

15: - unknown - file has been infected by an unknown type of infection (caused by obsolete ZAVd version)

16: - timeout - the scanning has timed out


Written by Jaromir Smrcek.


Report bugs to Jaromir Smrcek <>. Start your 'Subject:' by 'ZAV' and please include the output of 'zavcli -V'.


zavd(8), zavd.conf(5)

Shield your Android

Current Virus Activity


Current Version

ZAV Core:
ZAV Database:
Zoner Antivirus

Zoner Sandbox

If you suspect that a file might be infected and you thus want to determine what a given program is doing, you can send a file for us to analyze. We will evaluate the given program's behavior and send you back detailed results.