table of contents
clamd.conf(5) | Clam AntiVirus | clamd.conf(5) |
NAME¶
clamd.conf - Configuration file for Clam AntiVirus DaemonDESCRIPTION¶
clamd.conf configures the Clam AntiVirus daemon, clamd(8).FILE FORMAT¶
The file consists of comments and options with arguments. Each line which starts with a hash ( #) symbol is ignored by the parser. Options and arguments are case sensitive and of the form Option Argument. The arguments are of the following types:- BOOL
- Boolean value (yes/no or true/false or 1/0).
- STRING
- String without blank characters.
- SIZE
- Size in bytes. You can use 'M' or 'm' modifiers for megabytes and 'K' or 'k' for kilobytes. To specify the size in bytes just don't use modifiers.
- NUMBER
- Unsigned integer.
DIRECTIVES¶
When some option is not used (commented out or not included in the configuration file at all) clamd takes a default action.- Example
- If this option is set clamd will not run.
- LogFile STRING
- Save all reports to a log file.
- LogFileUnlock BOOL
- By default the log file is locked for writing and only a single daemon
process can write to it. This option disables the lock.
- LogFileMaxSize SIZE
- Maximum size of the log file.
- LogTime BOOL
- Log time for each message.
- LogClean BOOL
- Log all clean files.
- LogSyslog BOOL
- Use the system logger (can work together with LogFile).
- LogFacility STRING
- Type of syslog messages
- LogVerbose BOOL
- Enable verbose logging.
- LogRotate BOOL
- Rotate log file. Requires LogFileMaxSize option set prior to this option.
- ExtendedDetectionInfo BOOL
- Log additional information about the infected file, such as its size and
hash, together with the virus name.
- PidFile STRING
- Save the process identifier of a listening daemon (main thread) to a
specified file.
- TemporaryDirectory STRING
- This option allows you to change the default temporary directory.
- DatabaseDirectory STRING
- This option allows you to change the default database directory. If you
enable it, please make sure it points to the same directory in both clamd
and freshclam.
- OfficialDatabaseOnly BOOL
- Only load the official signatures published by the ClamAV project.
- LocalSocket STRING
- Path to a local (Unix) socket the daemon will listen on.
- LocalSocketGroup STRING
- Sets the group ownership on the unix socket.
- LocalSocketMode STRING
- Sets the permissions on the unix socket to the specified mode.
- FixStaleSocket BOOL
- Remove stale socket after unclean shutdown.
- TCPSocket NUMBER
- TCP port number the daemon will listen on.
- TCPAddr STRING
- By default clamd binds to INADDR_ANY.
- MaxConnectionQueueLength NUMBER
- Maximum length the queue of pending connections may grow to.
- StreamMaxLength SIZE
- Close the STREAM session when the data size limit is exceeded.
- StreamMinPort NUMBER
- The STREAM command uses an FTP-like protocol.
- StreamMaxPort NUMBER
- This option sets the upper boundary for the port range.
- MaxThreads NUMBER
- Maximum number of threads running at the same time.
- ReadTimeout NUMBER
- This option specifies the time (in seconds) after which clamd should
timeout if a client doesn't provide any data.
- CommandReadTimeout NUMBER
- This option specifies the time (in seconds) after which clamd should
timeout if a client doesn't provide any initial command after connecting.
Note: the timeout for subsequents commands, and/or data chunks is
specified by ReadTimeout.
- SendBufTimeout NUMBER
- This option specifies how long to wait (in milliseconds) if the send
buffer is full. Keep this value low to prevent clamd hanging.
- MaxQueue NUMBER
- Maximum number of queued items (including those being processed by
MaxThreads threads). It is recommended to have this value at least twice
MaxThreads if possible.
- IdleTimeout NUMBER
- This option specifies how long (in seconds) the process should wait for a
new job.
- ExcludePath REGEX
- Don't scan files and directories matching REGEX. This directive can be
used multiple times.
- MaxDirectoryRecursion NUMBER
- Maximum depth directories are scanned at.
- FollowDirectorySymlinks BOOL
- Follow directory symlinks.
- CrossFilesystems BOOL
- Scan files and directories on other filesystems.
- FollowFileSymlinks BOOL
- Follow regular file symlinks.
- SelfCheck NUMBER
- This option specifies the time intervals (in seconds) in which clamd
should perform a database check.
- VirusEvent COMMAND
- Execute a command when a virus is found. In the command string %v will be
replaced with the virus name. Additionally, two environment variables will
be defined: $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME.
- ExitOnOOM BOOL
- Stop daemon when libclamav reports out of memory condition.
- AllowAllMatchScan BOOL
- Permit use of the ALLMATCHSCAN command.
- Foreground BOOL
- Don't fork into background.
- Debug BOOL
- Enable debug messages from libclamav.
- LeaveTemporaryFiles BOOL
- Do not remove temporary files (for debugging purpose).
- User STRING
- Run the daemon as a specified user (the process must be started by root).
- Bytecode BOOL
- With this option enabled ClamAV will load bytecode from the database. It
is highly recommended you keep this option turned on, otherwise you may
miss detections for many new viruses.
- BytecodeSecurity STRING
- Set bytecode security level.
Possible values:
TrustSigned - trust bytecode loaded from signed .c[lv]d files and insert
runtime safety checks for bytecode loaded from other sources,
Paranoid - don't trust any bytecode, insert runtime checks for all.
Recommended: TrustSigned, because bytecode in .cvd
files already has these checks.
Default: TrustSigned
- BytecodeTimeout NUMBER
- Set bytecode timeout in milliseconds.
- BytecodeUnsigned BOOL
- Allow loading bytecode from outside digitally signed .c[lv]d files.
- BytecodeMode STRING
- Set bytecode execution mode.
Possible values:
Auto - automatically choose JIT if possible, fallback to interpreter
ForceJIT - always choose JIT, fail if not possible
ForceInterpreter - always choose interpreter
Test - run with both JIT and interpreter and compare results. Make all
failures fatal.
Default: Auto
- DetectPUA BOOL
- Detect Possibly Unwanted Applications.
- ExcludePUA CATEGORY
- Exclude a specific PUA category. This directive can be used multiple
times. See
https://www.clamav.net/documents/potentially-unwanted-applications-pua for
the complete list of PUA categories.
- IncludePUA CATEGORY
- Only include a specific PUA category. This directive can be used multiple
times. See
https://www.clamav.net/documents/potentially-unwanted-applications-pua for
the complete list of PUA categories.
- AlgorithmicDetection BOOL
- In some cases (eg. complex malware, exploits in graphic files, and
others), ClamAV uses special algorithms to provide accurate detection.
This option controls the algorithmic detection.
- ScanPE BOOL
- PE stands for Portable Executable - it's an executable file format used in
all 32 and 64-bit versions of Windows operating systems. This option
allows ClamAV to perform a deeper analysis of executable files and it's
also required for decompression of popular executable packers such as UPX.
- ScanELF BOOL
- Executable and Linking Format is a standard format for UN*X executables.
This option allows you to control the scanning of ELF files.
- DetectBrokenExecutables BOOL
- With this option clamd will try to detect broken executables (both PE and
ELF) and mark them as Broken.Executable.
- ScanMail BOOL
- Enable scanning of mail files.
- ScanPartialMessages BOOL
- Scan RFC1341 messages split over many emails. You will need to
periodically clean up $TemporaryDirectory/clamav-partial directory.
WARNING: This option may open your system to a DoS attack. Never use it
on loaded servers.
- PhishingSignatures BOOL
- With this option enabled ClamAV will try to detect phishing attempts by
using signatures.
- PhishingScanURLs BOOL
- Scan URLs found in mails for phishing attempts using heuristics. This will
classify "Possibly Unwanted" phishing emails as
Phishing.Heuristics.Email.*
- PhishingAlwaysBlockCloak BOOL
- Always block cloaked URLs, even if URL isn't in database. This can lead to
false positives.
- PhishingAlwaysBlockSSLMismatch BOOL
- Always block SSL mismatches in URLs, even if the URL isn't in the
database. This can lead to false positives.
- PartitionIntersection BOOL
- Detect partition intersections in raw disk images using heuristics.
- HeuristicScanPrecedence BOOL
- Allow heuristic match to take precedence. When enabled, if a heuristic
scan (such as phishingScan) detects a possible virus/phishing it will stop
scanning immediately. Recommended, saves CPU scan-time. When disabled,
virus/phishing detected by heuristic scans will be reported only at the
end of a scan. If an archive contains both a heuristically detected
virus/phishing, and a real malware, the real malware will be reported.
Keep this disabled if you intend to handle "*.Heuristics.*"
viruses differently from "real" malware. If a
non-heuristically-detected virus (signature-based) is found first, the
scan is interrupted immediately, regardless of this config option.
- StructuredDataDetection BOOL
- Enable the DLP module.
- StructuredMinCreditCardCount NUMBER
- This option sets the lowest number of Credit Card numbers found in a file
to generate a detect.
- StructuredMinSSNCount NUMBER
- This option sets the lowest number of Social Security Numbers found in a
file to generate a detect.
- StructuredSSNFormatNormal BOOL
- With this option enabled the DLP module will search for valid SSNs
formatted as xxx-yy-zzzz.
- StructuredSSNFormatStripped BOOL
- With this option enabled the DLP module will search for valid SSNs
formatted as xxxyyzzzz.
- ScanHTML BOOL
- Perform HTML/JavaScript/ScriptEncoder normalisation and decryption.
- ScanOLE2 BOOL
- This option enables scanning of OLE2 files, such as Microsoft Office
documents and .msi files.
- OLE2BlockMacros BOOL
- With this option enabled OLE2 files with VBA macros, which were not
detected by signatures will be marked as
"Heuristics.OLE2.ContainsMacros".
- BlockMax BOOL
-
Flag files with "Heuristics.Limits.Exceeded" when scanning is incomplete due to exceeding a scan or file size limit.
- ScanPDF BOOL
- This option enables scanning within PDF files.
- ScanSWF BOOL
- This option enables scanning within SWF files.
- ScanXMLDOCS BOOL
- This option enables scanning xml-based document files supported by
libclamav.
- ScanHWP3 BOOL
- This option enables scanning HWP3 files.
- ScanArchive BOOL
- Scan within archives and compressed files.
- ArchiveBlockEncrypted BOOL
- Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
- ForceToDisk
- This option causes memory or nested map scans to dump the content to disk.
- MaxScanSize SIZE
- Sets the maximum amount of data to be scanned for each input file.
Archives and other containers are recursively extracted and scanned up to
this value. The size of an archive plus the sum of the sizes of all files
within archive count toward the scan size. For example, a 1M uncompressed
archive containing a single 1M inner file counts as 2M toward the max scan
size. Warning: disabling this limit or setting it too high may result
in severe damage to the system.
- MaxFileSize SIZE
- Files larger than this limit won't be scanned. Affects the input file
itself as well as files contained inside it (when the input file is an
archive, a document or some other kind of container). Warning:
disabling this limit or setting it too high may result in severe damage to
the system.
- MaxRecursion NUMBER
- Nested archives are scanned recursively, e.g. if a Zip archive contains a
RAR file, all files within it will also be scanned. This options specifies
how deeply the process should be continued. Warning: setting this limit
too high may result in severe damage to the system.
- MaxFiles NUMBER
- Number of files to be scanned within an archive, a document, or any other
kind of container. Warning: disabling this limit or setting it too high
may result in severe damage to the system.
- MaxEmbeddedPE SIZE
- This option sets the maximum size of a file to check for embedded PE.
- MaxHTMLNormalize SIZE
- This option sets the maximum size of a HTML file to normalize.
- MaxHTMLNoTags SIZE
- This option sets the maximum size of a normalized HTML file to scan.
- MaxScriptNormalize SIZE
- This option sets the maximum size of a script file to normalize.
- MaxZipTypeRcg SIZE
- This option sets the maximum size of a ZIP file to reanalyze type
recognition.
- MaxPartitions SIZE
- This option sets the maximum number of partitions of a raw disk image to
be scanned.
- MaxIconsPE SIZE
- This option sets the maximum number of icons within a PE to be scanned.
- MaxRecHWP3 NUMBER
- This option sets the maximum recursive calls to HWP3 parsing function.
- PCREMatchLimit NUMBER
- This option sets the maximum calls to the PCRE match function during an
instance of regex matching.
- PCRERecMatchLimit NUMBER
- This option sets the maximum recursive calls to the PCRE match function
during an instance of regex matching.
- PCREMaxFileSize SIZE
- This option sets the maximum filesize for which PCRE subsigs will be
executed.
- ScanOnAccess BOOL
- This option enables on-access scanning (Linux only)
- OnAccessIncludePath STRING
- This option specifies a directory (including all files and directories
inside it), which should be scanned on access. This option can be used
multiple times.
- OnAccessExcludePath STRING
- This option allows excluding directories from on-access scanning. It can
be used multiple times.
- OnAccessExcludeRootUID BOOL
- With this option you can whitelist the root UID (0). Processes run under
root will be able to access all files without triggering scans or
permission denied events.
- OnAccessExcludeUID NUMBER
- With this option you can whitelist specific UIDs. Processes with these
UIDs will be able to access all files without triggering scans or
permission denied events.
- OnAccessMaxFileSize SIZE
- Files larger than this value will not be scanned in on access.
- OnAccessMountPath STRING
- Specifies a mount point (including all files and directories under it),
which should be scanned on access. This option can be used multiple times.
- OnAccessDisableDDD BOOL
- Disables the dynamic directory determination system which allows for
recursively watching include paths.
- OnAccessPrevention BOOL
- Enables fanotify blocking when malicious files are found.
- DisableCertCheck BOOL
- Disable authenticode certificate chain verification in PE files.
NOTES¶
All options expressing a size are limited to max 4GB. Values in excess will be reset to the maximum.FILES¶
/etc/clamav/clamd.confAUTHORS¶
Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>SEE ALSO¶
clamd(8), clamdscan(1), clamav-milter(8), freshclam(1), freshclam.conf(5)December 4, 2013 | ClamAV 0.100.0 |