ClamAV Antivirus API Server — API Endpoints (Google Cloud)
All API routes are served under the /api/v1 prefix. After starting the
instance, you can access the API Server using its IP address and port 8080. For
instance, if the IP address is 172.31.39.37, the base URL is
http://172.31.39.37:8080/api/v1.
Breaking change: In earlier versions the routes were unversioned (
/api/clamav/scan/gcs/objectand/api/clamav/scan/file). They now live under/api/v1, the GCS scan route is/api/v1/gcp/scan, and the response body now includes aproviderfield and echoes the request identifiers. See the Release Notes.
Scan Google Cloud Storage objects
Scan an object stored in a GCS bucket by making a request to
http://172.31.39.37:8080/api/v1/gcp/scan.
curl -d '{"bucket": "elm-bucket-virus-scan", "object": "test/virus_test.txt", "stream": true}' -H 'Content-Type: application/json' http://172.31.39.37:8080/api/v1/gcp/scan
Parameter Meanings
The following parameters are used in the request:
bucket
This parameter specifies the name of the GCS bucket from which the file should be retrieved.
object
This parameter represents the object within the GCS bucket. It identifies the specific file that should be downloaded and scanned.
stream
This parameter controls how the server handles the file download process. When set to false, the server downloads the entire file into memory before saving it to disk. Conversely, when set to true, the server streams the file directly to disk in smaller chunks. Streaming is particularly beneficial when dealing with large files, as it reduces the memory required for the download process. This approach enables more efficient resource utilization and allows the server to handle files that might otherwise exceed available memory capacity.
Response
A json format string is returned. The response now includes the provider and
echoes the bucket and object that were scanned. The possible return codes
are 0, 1, 2, and 99.
Clean
{"provider":"gcp","code":0,"message":"OK","bucket":"elm-bucket-virus-scan","object":"test/virus_test.txt"}
Infected
For example, when the Eicar signature is identified, the response would be
{"provider":"gcp","code":1,"message":"Eicar-Signature FOUND","bucket":"elm-bucket-virus-scan","object":"test/virus_test.txt"}
Scan Errors
For example, when having a file access error, the response would be
{"provider":"gcp","code":2,"message":"Can't access file /tmp/test/file","bucket":"elm-bucket-virus-scan","object":"test/virus_test.txt"}
Other Errors
For example, when the service account is not properly configured, the response would be
{"provider":"gcp","code":99,"message":"no credentials in the property bag","bucket":"elm-bucket-virus-scan","object":"test/virus_test.txt"}
A scan that finds malware still returns HTTP
200; the result is carried in the body. A file larger than the API request limit (MAX_SCAN_SIZE_MB, 500MB by default) returns HTTP413and is never scanned. A smaller file that still exceeds ClamAV's own engine limits is instead flagged at HTTP200withcode: 1and aHeuristics.Limits.Exceededmessage — see Scan Size Limits. When the GCP provider is not initialized the server returns HTTP503.
Scan an uploaded file
Scan file bytes directly by streaming the raw file as the request body to
http://172.31.39.37:8080/api/v1/scan/upload. This does not require staging the
file in a GCS bucket.
curl --data-binary @/tmp/test.pdf -H 'Content-Type: application/octet-stream' http://172.31.39.37:8080/api/v1/scan/upload
The response includes the number of bytes scanned:
{"code":0,"message":"OK","size_bytes":12345}
The body is streamed to disk as it arrives and the size limit is enforced
incrementally, so an oversize upload is rejected with HTTP 413 without being
buffered in full.
Scan local files
Scanning a server-local file path is available only when the server is started
with the LOCAL_SCAN_DIR environment variable set to an allowlisted directory.
Requests for paths outside that directory are rejected with HTTP 403.
curl -d '{"file": "/data/scan/test.txt"}' -H 'Content-Type: application/json' http://172.31.39.37:8080/api/v1/scan
Health and liveness
Two probes are provided for load balancers and orchestrators:
GET http://172.31.39.37:8080/api/v1/health— readiness. Scans a probe file withclamdand returns200only when the scanner is working and reports the probe clean; otherwise503.GET http://172.31.39.37:8080/api/v1/livez— liveness. Returns200immediately without touchingclamd.