
What This Port Is

Port 3310 is unassigned. IANA's registry — the official ledger that maps port numbers to services — has no entry for it.1 It sits in the registered port range (1024–49151), where anyone can file a claim, but nobody has.

And yet, if you ask a mail server administrator what port 3310 is, they'll tell you immediately: that's ClamAV.

The Unofficial Tenant: ClamAV's clamd

ClamAV is the open-source antivirus engine that runs beneath a surprising amount of Internet infrastructure.2 It's the scanner inside Postfix deployments, the thing checking attachments before your email client ever sees them, the daemon that Nextcloud uses to scan file uploads.

ClamAV's scanning daemon, clamd, defaults to a Unix socket for local communication. But when you need it to accept connections from other machines on the network — other servers, other containers, other services — you point it at a TCP port. By convention, deeply embedded in documentation, configuration templates, and years of forum posts, that port is 3310.3

Nobody mandated this. It's just what people did, and then other people copied it, and now it's effectively standard without ever being official.

Who Uses It

  • Postfix + Amavis / MailScanner: Common mail stack integration, scanning messages before delivery
  • Exim: Its built-in malware scanner has clamd on localhost:3310 as a documented example
  • Rspamd: Its antivirus module defaults to ClamAV on port 3310
  • Nextcloud: The Files Antivirus app connects to clamd on TCP 3310 to scan uploads
  • Haraka: The SMTP server's ClamAV plugin defaults to 127.0.0.1:3310
  • Containerized mail stacks: docker-mailserver, Mailu, and others wire clamd on 3310 out of the box

The Security Reality

ClamAV's TCP mode is not enabled by default, and the reason is spelled out plainly in the configuration file: there's no authentication, and traffic is unencrypted.4 The docs note that binding clamd to all interfaces is "probably not wise."

This is why nearly every deployment keeps port 3310 bound to localhost or a private network. If you see port 3310 open on a public-facing interface, that's a misconfiguration worth investigating.

How to Check What's Listening on Port 3310

If you suspect something is bound to this port on your machine:

# Linux/macOS — show process using port 3310
sudo ss -tlnp | grep 3310        # Linux (preferred)
sudo lsof -i :3310               # macOS or Linux

# Windows
netstat -ano | findstr :3310

If clamd is running in TCP mode, you'll see it here. You can verify it's actually ClamAV by connecting and sending the PING command:

echo "PING" | nc localhost 3310
# Expected response: PONG

Why Unassigned Ports Matter

The registered port range exists precisely for this kind of informal coordination. Ports don't need IANA assignments to become de facto standards — they just need enough software to agree. Port 3310 is a small example of how the Internet self-organizes: a project picks a number, ships it as a default, and a decade later the whole ecosystem treats it as load-bearing.5

The flip side is that unassigned ports can also be claimed by anything. If port 3310 appears on a machine that doesn't run ClamAV, it's worth asking why.
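As an added example (not part of the original page), this Python sketch applies both checks from the text to `ss -tlnp` output: whether port 3310 is bound beyond localhost or a private network, and whether something other than clamd holds it. The function names, flag labels and sample listener lines are constructed for illustration, and it matches the port exactly, which a plain `grep 3310` does not.

```python
import ipaddress
import re

# Constructed sample of `sudo ss -tlnpH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 200 127.0.0.1:3310 0.0.0.0:* users:(("clamd",pid=812,fd=5))
LISTEN 0 200 0.0.0.0:3310 0.0.0.0:* users:(("clamd",pid=901,fd=5))
LISTEN 0 128 10.0.4.7:3310 0.0.0.0:* users:(("clamd",pid=433,fd=6))
LISTEN 0 128 [::]:3310 [::]:* users:(("python3",pid=1502,fd=3))
LISTEN 0 128 127.0.0.1:33100 0.0.0.0:* users:(("node",pid=77,fd=9))
"""

def bind_scope(host):
    """Classify a listener's bind address as ss prints it."""
    host = host.split("%")[0].strip("[]")  # drop %iface suffix and IPv6 brackets
    if host == "*":                        # ss shorthand for every address
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:                # 0.0.0.0 or ::
        return "all-interfaces"
    return "private" if addr.is_private else "public"

def audit_listeners(ss_output, port=3310):
    """Return one finding per TCP listener bound to exactly `port`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):        # exact match: 33100 is not 3310
            continue
        owner = re.search(r'users:\(\("([^"]+)"', line)
        process = owner.group(1) if owner else None  # None if ss ran unprivileged
        scope = bind_scope(host)
        flags = []
        if scope in ("all-interfaces", "public"):
            flags.append("exposed")        # reachable beyond localhost/private nets
        if process is not None and process != "clamd":
            flags.append("unexpected-process")
        findings.append({"local": fields[3], "scope": scope,
                         "process": process, "flags": flags})
    return findings

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f["local"], f["scope"], f["process"], ",".join(f["flags"]) or "ok")
```

To run it on a live host, pass in the output of `sudo ss -tlnpH`; without sudo the process column is empty and only the bind-scope check applies.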
