| clamd.conf(5) - phpMan
clamd.conf(5) Clam AntiVirus clamd.conf(5)
NAME
clamd.conf - Configuration file for Clam AntiVirus Daemon
DESCRIPTION
clamd.conf configures the Clam AntiVirus daemon, clamd(8).
FILE FORMAT
The file consists of comments and options with arguments. Each line which starts with a
hash (#) symbol is ignored by the parser. Options and arguments are case sensitive and of
the form Option Argument. The arguments are of the following types:
BOOL Boolean value (yes/no or true/false or 1/0).
STRING String without blank characters.
SIZE Size in bytes. You can use 'M' or 'm' modifiers for megabytes and 'K' or 'k' for
kilobytes. To specify the size in bytes just don't use modifiers.
NUMBER Unsigned integer.
DIRECTIVES
When some option is not used (commented out or not included in the configuration file at
all) clamd takes a default action.
Example
If this option is set clamd will not run.
LogFile STRING
Save all reports to a log file.
Default: disabled
LogFileUnlock BOOL
By default the log file is locked for writing and only a single daemon process can
write to it. This option disables the lock.
Default: no
LogFileMaxSize SIZE
Maximum size of the log file.
Value of 0 disables the limit.
Default: 1048576
LogTime BOOL
Log time for each message.
Default: no
LogClean BOOL
Log all clean files.
Useful in debugging but drastically increases the log size.
Default: no
LogSyslog BOOL
Use the system logger (can work together with LogFile).
Default: no
LogFacility STRING
Type of syslog messages
Please refer to 'man syslog' for facility names.
Default: LOG_LOCAL6
LogVerbose BOOL
Enable verbose logging.
Default: no
LogRotate BOOL
Rotate log file. Requires LogFileMaxSize option set prior to this option.
Default: no
ExtendedDetectionInfo BOOL
Log additional information about the infected file, such as its size and hash,
together with the virus name.
Default: no
PidFile STRING
Save the process identifier of a listening daemon (main thread) to a specified
file.
Default: disabled
TemporaryDirectory STRING
This option allows you to change the default temporary directory.
Default: system specific (usually /tmp or /var/tmp).
DatabaseDirectory STRING
This option allows you to change the default database directory. If you enable it,
please make sure it points to the same directory in both clamd and freshclam.
Default: defined at configuration (/usr/local/share/clamav)
OfficialDatabaseOnly BOOL
Only load the official signatures published by the ClamAV project.
Default: no
LocalSocket STRING
Path to a local (Unix) socket the daemon will listen on.
Default: disabled
LocalSocketGroup STRING
Sets the group ownership on the unix socket.
Default: the primary group of the user running clamd
LocalSocketMode STRING
Sets the permissions on the unix socket to the specified mode.
Default: socket is world readable and writable
FixStaleSocket BOOL
Remove stale socket after unclean shutdown.
Default: yes
TCPSocket NUMBER
TCP port number the daemon will listen on.
Default: disabled
TCPAddr STRING
By default clamd binds to INADDR_ANY.
This option allows you to restrict the TCP address and provide some degree of pro‐
tection from the outside world. This option can be specified multiple times in
order to listen on multiple IPs. IPv6 is now supported.
Default: disabled
MaxConnectionQueueLength NUMBER
Maximum length the queue of pending connections may grow to.
Default: 200
StreamMaxLength SIZE
Close the STREAM session when the data size limit is exceeded.
The value should match your MTA's limit for the maximum attachment size.
Default: 25M
StreamMinPort NUMBER
The STREAM command uses an FTP-like protocol.
This option sets the lower boundary for the port range.
Default: 1024
StreamMaxPort NUMBER
This option sets the upper boundary for the port range.
Default: 2048
MaxThreads NUMBER
Maximum number of threads running at the same time.
Default: 10
ReadTimeout NUMBER
This option specifies the time (in seconds) after which clamd should timeout if a
client doesn't provide any data.
Default: 120
CommandReadTimeout NUMBER
This option specifies the time (in seconds) after which clamd should timeout if a
client doesn't provide any initial command after connecting. Note: the timeout for
subsequents commands, and/or data chunks is specified by ReadTimeout.
Default: 5
SendBufTimeout NUMBER
This option specifies how long to wait (in milliseconds) if the send buffer is
full. Keep this value low to prevent clamd hanging.
Default: 500
MaxQueue NUMBER
Maximum number of queued items (including those being processed by MaxThreads
threads). It is recommended to have this value at least twice MaxThreads if possi‐
ble.
WARNING: you shouldn't increase this too much to avoid running out of file descrip‐
tors, the following condition should hold: MaxThreads*MaxRecursion + MaxQueue -
MaxThreads + 6 < RLIMIT_NOFILE. RLIMIT_NOFILE is the maximum number of open file
descriptors (usually 1024), set by ulimit -n.
Default: 100
IdleTimeout NUMBER
This option specifies how long (in seconds) the process should wait for a new job.
Default: 30
ExcludePath REGEX
Don't scan files and directories matching REGEX. This directive can be used multi‐
ple times.
Default: disabled
MaxDirectoryRecursion NUMBER
Maximum depth directories are scanned at.
Default: 15
FollowDirectorySymlinks BOOL
Follow directory symlinks.
Default: no
CrossFilesystems BOOL
Scan files and directories on other filesystems.
Default: yes
FollowFileSymlinks BOOL
Follow regular file symlinks.
Default: no
SelfCheck NUMBER
This option specifies the time intervals (in seconds) in which clamd should perform
a database check.
Default: 600
VirusEvent COMMAND
Execute a command when a virus is found. In the command string %v will be replaced
with the virus name. Additionally, two environment variables will be defined:
$CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME.
Default: disabled
ExitOnOOM BOOL
Stop daemon when libclamav reports out of memory condition.
Default: no
AllowAllMatchScan BOOL
Permit use of the ALLMATCHSCAN command.
Default: yes
Foreground BOOL
Don't fork into background.
Default: no
Debug BOOL
Enable debug messages from libclamav.
Default: no
LeaveTemporaryFiles BOOL
Do not remove temporary files (for debugging purpose).
Default: no
User STRING
Run the daemon as a specified user (the process must be started by root).
Default: disabled
Bytecode BOOL
With this option enabled ClamAV will load bytecode from the database. It is highly
recommended you keep this option turned on, otherwise you may miss detections for
many new viruses.
Default: yes
BytecodeSecurity STRING
Set bytecode security level.
Possible values:
TrustSigned - trust bytecode loaded from signed .c[lv]d files and insert run‐
time safety checks for bytecode loaded from other sources,
Paranoid - don't trust any bytecode, insert runtime checks for all.
Recommended: TrustSigned, because bytecode in .cvd files already has these checks.
Default: TrustSigned
BytecodeTimeout NUMBER
Set bytecode timeout in milliseconds.
Default: 5000
BytecodeUnsigned BOOL
Allow loading bytecode from outside digitally signed .c[lv]d files.
Default: no
BytecodeMode STRING
Set bytecode execution mode.
Possible values:
Auto - automatically choose JIT if possible, fallback to interpreter
ForceJIT - always choose JIT, fail if not possible
ForceInterpreter - always choose interpreter
Test - run with both JIT and interpreter and compare results. Make all failures
fatal.
Default: Auto
DetectPUA BOOL
Detect Possibly Unwanted Applications.
Default: No
ExcludePUA CATEGORY
Exclude a specific PUA category. This directive can be used multiple times. See
https://www.clamav.net/documents/potentially-unwanted-applications-pua for the com‐
plete list of PUA categories.
Default: disabled
IncludePUA CATEGORY
Only include a specific PUA category. This directive can be used multiple times.
See https://www.clamav.net/documents/potentially-unwanted-applications-pua for the
complete list of PUA categories.
Default: disabled
AlgorithmicDetection BOOL
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV
uses special algorithms to provide accurate detection. This option controls the
algorithmic detection.
Default: yes
ScanPE BOOL
PE stands for Portable Executable - it's an executable file format used in all 32
and 64-bit versions of Windows operating systems. This option allows ClamAV to per‐
form a deeper analysis of executable files and it's also required for decompression
of popular executable packers such as UPX.
If you turn off this option, the original files will still be scanned, but without
additional processing.
Default: yes
ScanELF BOOL
Executable and Linking Format is a standard format for UN*X executables. This
option allows you to control the scanning of ELF files.
If you turn off this option, the original files will still be scanned, but without
additional processing.
Default: yes
DetectBrokenExecutables BOOL
With this option clamd will try to detect broken executables (both PE and ELF) and
mark them as Broken.Executable.
Default: no
ScanMail BOOL
Enable scanning of mail files.
If you turn off this option, the original files will still be scanned, but without
parsing individual messages/attachments.
Default: yes
ScanPartialMessages BOOL
Scan RFC1341 messages split over many emails. You will need to periodically clean
up $TemporaryDirectory/clamav-partial directory. WARNING: This option may open your
system to a DoS attack. Never use it on loaded servers.
Default: no
PhishingSignatures BOOL
With this option enabled ClamAV will try to detect phishing attempts by using sig‐
natures.
Default: yes
PhishingScanURLs BOOL
Scan URLs found in mails for phishing attempts using heuristics. This will classify
"Possibly Unwanted" phishing emails as Phishing.Heuristics.Email.*
Default: yes
PhishingAlwaysBlockCloak BOOL
Always block cloaked URLs, even if URL isn't in database. This can lead to false
positives.
Default: no
PhishingAlwaysBlockSSLMismatch BOOL
Always block SSL mismatches in URLs, even if the URL isn't in the database. This
can lead to false positives.
Default: no
PartitionIntersection BOOL
Detect partition intersections in raw disk images using heuristics.
Default: no
HeuristicScanPrecedence BOOL
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such
as phishingScan) detects a possible virus/phishing it will stop scanning immedi‐
ately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by
heuristic scans will be reported only at the end of a scan. If an archive contains
both a heuristically detected virus/phishing, and a real malware, the real malware
will be reported. Keep this disabled if you intend to handle "*.Heuristics.*"
viruses differently from "real" malware. If a non-heuristically-detected virus
(signature-based) is found first, the scan is interrupted immediately, regardless
of this config option.
Default: no
StructuredDataDetection BOOL
Enable the DLP module.
Default: no
StructuredMinCreditCardCount NUMBER
This option sets the lowest number of Credit Card numbers found in a file to gener‐
ate a detect.
Default: 3
StructuredMinSSNCount NUMBER
This option sets the lowest number of Social Security Numbers found in a file to
generate a detect.
Default: 3
StructuredSSNFormatNormal BOOL
With this option enabled the DLP module will search for valid SSNs formatted as
xxx-yy-zzzz.
Default: Yes
StructuredSSNFormatStripped BOOL
With this option enabled the DLP module will search for valid SSNs formatted as
xxxyyzzzz.
Default: No
ScanHTML BOOL
Perform HTML/JavaScript/ScriptEncoder normalisation and decryption.
If you turn off this option, the original files will still be scanned, but without
additional processing.
Default: yes
ScanOLE2 BOOL
This option enables scanning of OLE2 files, such as Microsoft Office documents and
.msi files.
If you turn off this option, the original files will still be scanned, but without
additional processing.
Default: yes
OLE2BlockMacros BOOL
With this option enabled OLE2 files with VBA macros, which were not detected by
signatures will be marked as "Heuristics.OLE2.ContainsMacros".
Default: no
BlockMax BOOL
Flag files with "Heuristics.Limits.Exceeded" when scanning is incomplete due to
exceeding a scan or file size limit.
Default: no
ScanPDF BOOL
This option enables scanning within PDF files.
If you turn off this option, the original files will still be scanned, but without
additional processing.
Default: yes
ScanSWF BOOL
This option enables scanning within SWF files.
If you turn off this option, the original files will still be scanned, but without
decoding and additional processing.
Default: yes
ScanXMLDOCS BOOL
This option enables scanning xml-based document files supported by libclamav.
If you turn off this option, the original files will still be scanned, but without
additional processing.
Default: yes
ScanHWP3 BOOL
This option enables scanning HWP3 files.
If you turn off this option, the original files will still be scanned, but without
additional processing.
Default: yes
ScanArchive BOOL
Scan within archives and compressed files.
If you turn off this option, the original files will still be scanned, but without
unpacking and additional processing.
Default: yes
ArchiveBlockEncrypted BOOL
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
Default: no
ForceToDisk
This option causes memory or nested map scans to dump the content to disk.
If you turn on this option, more data is written to disk and is available when the
leave-temps option is enabled at the cost of more disk writes.
Default: no
MaxScanSize SIZE
Sets the maximum amount of data to be scanned for each input file. Archives and
other containers are recursively extracted and scanned up to this value. The size
of an archive plus the sum of the sizes of all files within archive count toward
the scan size. For example, a 1M uncompressed archive containing a single 1M inner
file counts as 2M toward the max scan size. Warning: disabling this limit or set‐
ting it too high may result in severe damage to the system.
Default: 100M
MaxFileSize SIZE
Files larger than this limit won't be scanned. Affects the input file itself as
well as files contained inside it (when the input file is an archive, a document or
some other kind of container). Warning: disabling this limit or setting it too high
may result in severe damage to the system.
Default: 25M
MaxRecursion NUMBER
Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR file,
all files within it will also be scanned. This options specifies how deeply the
process should be continued. Warning: setting this limit too high may result in
severe damage to the system.
Default: 16
MaxFiles NUMBER
Number of files to be scanned within an archive, a document, or any other kind of
container. Warning: disabling this limit or setting it too high may result in
severe damage to the system.
Default: 10000
MaxEmbeddedPE SIZE
This option sets the maximum size of a file to check for embedded PE.
Files larger than this value will skip the additional analysis step.
Negative values are not allowed.
Default: 10M
MaxHTMLNormalize SIZE
This option sets the maximum size of a HTML file to normalize.
HTML files larger than this value will not be normalized or scanned.
Negative values are not allowed.
Default: 10M
MaxHTMLNoTags SIZE
This option sets the maximum size of a normalized HTML file to scan.
HTML files larger than this value after normalization will not be scanned.
Negative values are not allowed.
Default: 2M
MaxScriptNormalize SIZE
This option sets the maximum size of a script file to normalize.
Script content larger than this value will not be normalized or scanned.
Negative values are not allowed.
Default: 5M
MaxZipTypeRcg SIZE
This option sets the maximum size of a ZIP file to reanalyze type recognition.
ZIP files larger than this value will skip the step to potentially reanalyze as PE.
Negative values are not allowed.
WARNING: setting this limit too high may result in severe damage or impact perfor‐
mance.
Default: 1M
MaxPartitions SIZE
This option sets the maximum number of partitions of a raw disk image to be
scanned.
Raw disk images with more partitions than this value will have up to the value par‐
titions scanned.
Negative values are not allowed.
WARNING: setting this limit too high may result in severe damage or impact perfor‐
mance.
Default: 50
MaxIconsPE SIZE
This option sets the maximum number of icons within a PE to be scanned.
PE files with more icons than this value will have up to the value number icons
scanned.
Negative values are not allowed.
WARNING: setting this limit too high may result in severe damage or impact perfor‐
mance.
Default: 100
MaxRecHWP3 NUMBER
This option sets the maximum recursive calls to HWP3 parsing function.
HWP3 files using more than this limit will be terminated and alert the user.
Scans will be unable to scan any HWP3 attachments if the recursive limit is
reached.
Negative values are not allowed.
WARNING: setting this limit too high may result in severe damage or impact perfor‐
mance.
Default: 16
PCREMatchLimit NUMBER
This option sets the maximum calls to the PCRE match function during an instance of
regex matching.
Instances using more than this limit will be terminated and alert the user but the
scan will continue.
For more information on match_limit, see the PCRE documentation.
Negative values are not allowed.
WARNING: setting this limit too high may severely impact performance.
Default: 10000
PCRERecMatchLimit NUMBER
This option sets the maximum recursive calls to the PCRE match function during an
instance of regex matching.
Instances using more than this limit will be terminated and alert the user but the
scan will continue.
For more information on match_limit_recursion, see the PCRE documentation.
Negative values are not allowed and values > PCREMatchLimit are superfluous.
WARNING: setting this limit too high may severely impact performance.
Default: 5000
PCREMaxFileSize SIZE
This option sets the maximum filesize for which PCRE subsigs will be executed.
Files exceeding this limit will not have PCRE subsigs executed unless a subsig is
encompassed to a smaller buffer.
Negative values are not allowed.
Setting this value to zero disables the limit.
WARNING: setting this limit too high or disabling it may severely impact perfor‐
mance.
Default: 25M
ScanOnAccess BOOL
This option enables on-access scanning (Linux only)
Default: disabled
OnAccessIncludePath STRING
This option specifies a directory (including all files and directories inside it),
which should be scanned on access. This option can be used multiple times.
Default: disabled
OnAccessExcludePath STRING
This option allows excluding directories from on-access scanning. It can be used
multiple times.
Default: disabled
OnAccessExcludeRootUID BOOL
With this option you can whitelist the root UID (0). Processes run under root will
be able to access all files without triggering scans or permission denied events.
Note that if clamd cannot check the uid of the process that generated an on-access
scan event (e.g., because OnAccessPrevention was not enabled, and the process
already exited), clamd will perform a scan. Thus, setting OnAccessExcludeRootUID
is not guaranteed to prevent every access by the root user from triggering a scan
(unless OnAccessPrevention is enabled).
Default: no
OnAccessExcludeUID NUMBER
With this option you can whitelist specific UIDs. Processes with these UIDs will be
able to access all files without triggering scans or permission denied events.
This option can be used multiple times (one per line).
Note: using a value of 0 on any line will disable this option entirely. To
whitelist the root UID (0) please enable the OnAccessExcludeRootUID option.
Also note that if clamd cannot check the uid of the process that generated an on-
access scan event (e.g., because OnAccessPrevention was not enabled, and the
process already exited), clamd will perform a scan. Thus, setting OnAccessEx‐
cludeUID is not guaranteed to prevent every access by the specified uid from trig‐
gering a scan (unless OnAccessPrevention is enabled).
Default: disabled
OnAccessMaxFileSize SIZE
Files larger than this value will not be scanned in on access.
Default: 5M
OnAccessMountPath STRING
Specifies a mount point (including all files and directories under it), which
should be scanned on access. This option can be used multiple times.
Default: disabled
OnAccessDisableDDD BOOL
Disables the dynamic directory determination system which allows for recursively
watching include paths.
Default: no
OnAccessPrevention BOOL
Enables fanotify blocking when malicious files are found.
Default: disabled
DisableCertCheck BOOL
Disable authenticode certificate chain verification in PE files.
Default: no
NOTES
All options expressing a size are limited to max 4GB. Values in excess will be reset to
the maximum.
FILES
/etc/clamav/clamd.conf
AUTHORS
Tomasz Kojm <tkojm AT clamav.net>, Kevin Lin <klin AT sourcefire.com>
SEE ALSO
clamd(8), clamdscan(1), clamav-milter(8), freshclam(1), freshclam.conf(5)
ClamAV 0.100.0 December 4, 2013 clamd.conf(5)
|