clamd.conf(5) Clam AntiVirus clamd.conf(5)

clamd.conf - Configuration file for Clam AntiVirus Daemon

clamd.conf configures the Clam AntiVirus daemon, clamd(8).

The file consists of comments and options with arguments. Each line
which starts with a hash (#) symbol is ignored by the parser. Options
and arguments are case sensitive and of the form Option Argument. The
arguments are of the following types:

BOOL Boolean value (yes/no or true/false or 1/0).

STRING String without blank characters.

SIZE Size in bytes. You can use 'M' or 'm' modifiers for megabytes
and 'K' or 'k' for kilobytes.

NUMBER Unsigned integer.

When some option is not used (commented out or not included in the
configuration file at all) clamd takes a default action.

Example
If this option is set clamd will not run.

LogFile STRING
Enable logging to selected file.
Default: no

LogFileUnlock BOOL
Disable a system lock that protects against running clamd with
the same configuration file multiple times.
Default: no

LogFileMaxSize SIZE
Limit the size of the log file. The logger will be automatically
disabled if the file is greater than SIZE. Value of 0 disables
the limit.
Default: 1M

LogTime BOOL
Log time for each message.
Default: no

LogClean BOOL
Log clean files.
Default: no

LogSyslog BOOL
Use system logger (can work together with LogFile).
Default: no

LogFacility STRING
Specify the type of syslog messages - please refer to 'man syslog'
for facility names.
Default: LOG_LOCAL6

LogVerbose BOOL
Enable verbose logging.
Default: no

ExtendedDetectionInfo BOOL
Log additional information about the infected file, such as its
size and hash, together with the virus name.
Default: no

PidFile STRING
Save the process identifier of a listening daemon (main thread)
to a specified file.
Default: no

TemporaryDirectory STRING
Optional path to the global temporary directory.
Default: system specific (usually /tmp or /var/tmp).

DatabaseDirectory STRING
Path to a directory containing database files.

OfficialDatabaseOnly BOOL
Only load the official signatures published by the ClamAV
project.
Default: no

LocalSocket STRING
Path to a local (Unix) socket the daemon will listen on.
Default: no

LocalSocketGroup STRING
Sets the group ownership on the unix socket.
Default: the primary group of the user running clamd

LocalSocketMode STRING
Sets the permissions on the unix socket to the specified mode.
Default: socket is world readable and writable

FixStaleSocket BOOL
Remove stale socket after unclean shutdown.
Default: yes

TCPSocket NUMBER
TCP port number the daemon will listen on.
Default: no

TCPAddr STRING
TCP socket address to bind to. By default clamd binds to
INADDR_ANY.
Default: no

MaxConnectionQueueLength NUMBER
Maximum length the queue of pending connections may grow to.
Default: 200

MaxThreads NUMBER
Maximum number of threads running at the same time.
Default: 10

ReadTimeout NUMBER
Waiting for data from a client socket will timeout after this
time (seconds).
Default: 120

CommandReadTimeout NUMBER
This option specifies the time (in seconds) after which clamd
should timeout if a client doesn't provide any initial command
after connecting. Note: the timeout for subsequent commands,
and/or data chunks is specified by ReadTimeout.
Default: 5

SendBufTimeout NUMBER
This option specifies how long to wait (in milliseconds) if the
send buffer is full. Keep this value low to prevent clamd hanging.
Default: 500

MaxQueue NUMBER
Maximum number of queued items (including those being processed
by MaxThreads threads). It is recommended to have this value at
least twice MaxThreads if possible.
WARNING: you shouldn't increase this too much to avoid running
out of file descriptors, the following condition should hold:
MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 < RLIMIT_NOFILE.
RLIMIT_NOFILE is the maximum number of open file
descriptors (usually 1024), set by ulimit -n.
Default: 100

IdleTimeout NUMBER
Waiting for a new job will timeout after this time (seconds).
Default: 30

ExcludePath REGEX
Don't scan files and directories matching REGEX. This directive
can be used multiple times.
Default: scan all

MaxDirectoryRecursion NUMBER
Maximum depth directories are scanned at.
Default: 15

FollowDirectorySymlinks BOOL
Follow directory symlinks.
Default: no

CrossFilesystems BOOL
Scan files and directories on other filesystems.
Default: yes

FollowFileSymlinks BOOL
Follow regular file symlinks.
Default: no

SelfCheck NUMBER
Perform a database check.
Default: 1800

VirusEvent COMMAND
Execute COMMAND when a virus is found. In the command string %v
will be replaced with the virus name.
Default: no

ExitOnOOM BOOL
Stop daemon when libclamav reports out of memory condition.
Default: no

User STRING
Run as another user (clamd must be started by root for this
option to work).
Default: no

AllowSupplementaryGroups BOOL
Initialize supplementary group access (clamd must be started by
root).
Default: no

Foreground BOOL
Don't fork into background.
Default: no

Debug BOOL
Enable debug messages from libclamav.

LeaveTemporaryFiles BOOL
Do not remove temporary files (for debug purpose).
Default: no

StreamMaxLength SIZE
Clamd uses an FTP-like protocol to receive data from remote
clients. If you are using clamav-milter to balance load between
remote clamd daemons on firewall servers you may need to tune
the Stream* options. This option allows you to specify the upper
limit for data size that will be transferred to remote daemon
when scanning a single file. It should match your MTA's limit
for a maximum attachment size.
Default: 10M

StreamMinPort NUMBER
Limit data port range.
Default: 1024

StreamMaxPort NUMBER
Limit data port range.
Default: 2048

Bytecode BOOL
With this option enabled ClamAV will load bytecode from the
database. It is highly recommended you keep this option turned
on, otherwise you may miss detections for many new viruses.
Default: yes

BytecodeSecurity STRING
Set bytecode security level. Possible values: TrustSigned: trust
bytecode loaded from signed .c[lv]d files and insert runtime
safety checks for bytecode loaded from other sources, Paranoid:
don't trust any bytecode, insert runtime checks for all. The
recommended setting is TrustSigned, because bytecode in .cvd
files already has safety checks inserted into it.
Default: TrustSigned

BytecodeUnsigned BOOL
Allow loading bytecode from outside digitally signed .c[lv]d
files.
Default: no

BytecodeTimeout NUMBER
Set bytecode timeout in milliseconds.
Default: 5000

DetectPUA BOOL
Detect Possibly Unwanted Applications.
Default: No

ExcludePUA CATEGORY
Exclude a specific PUA category. This directive can be used
multiple times. See http://www.clamav.net/support/pua for the
complete list of PUA categories.
Default: Load all categories (if DetectPUA is activated)

IncludePUA CATEGORY
Only include a specific PUA category. This directive can be used
multiple times. See http://www.clamav.net/support/pua for the
complete list of PUA categories.
Default: Load all categories (if DetectPUA is activated)

AlgorithmicDetection BOOL
In some cases (e.g. complex malware, exploits in graphic files,
and others), ClamAV uses special algorithms to provide accurate
detection. This option controls the algorithmic detection.
Default: yes

ScanPE BOOL
PE stands for Portable Executable - it's an executable file
format used in all 32 and 64-bit versions of Windows operating
systems. This option allows ClamAV to perform a deeper analysis of
executable files and it's also required for decompression of
popular executable packers such as UPX.
Default: yes

ScanELF BOOL
Executable and Linking Format is a standard format for UN*X
executables. This option allows you to control the scanning of ELF
files.
Default: yes

DetectBrokenExecutables BOOL
With this option clamd will try to detect broken executables
(both PE and ELF) and mark them as Broken.Executable.
Default: no

ScanOLE2 BOOL
This option enables scanning of OLE2 files, such as Microsoft
Office documents and .msi files.
Default: yes

OLE2BlockMacros BOOL
With this option enabled, OLE2 files with VBA macros which were
not detected by signatures will be marked as
"Heuristics.OLE2.ContainsMacros".
Default: no

ScanPDF BOOL
This option enables scanning within PDF files.
Default: yes

ScanHTML BOOL
Enables HTML detection and normalisation.
Default: yes

ScanMail BOOL
Enable scanning of mail files.
Default: yes

ScanPartialMessages BOOL
Scan RFC1341 messages split over many emails. You will need to
periodically clean up $TemporaryDirectory/clamav-partial
directory. WARNING: This option may open your system to a DoS attack.
Never use it on loaded servers.
Default: no

MailMaxRecursion NUMBER (OBSOLETE)
WARNING: This option is no longer accepted. See MaxRecursion.

PhishingSignatures BOOL
With this option enabled ClamAV will try to detect phishing
attempts by using signatures.
Default: yes

PhishingScanURLs BOOL
Scan URLs found in mails for phishing attempts using heuristics.
This will classify "Possibly Unwanted" phishing emails as
Phishing.Heuristics.Email.*
Default: yes

PhishingAlwaysBlockSSLMismatch BOOL
Always block SSL mismatches in URLs, even if the URL isn't in
the database. This can lead to false positives.
Default: no

PhishingAlwaysBlockCloak BOOL
Always block cloaked URLs, even if URL isn't in database. This
can lead to false positives.
Default: no

HeuristicScanPrecedence BOOL
Allow heuristic match to take precedence. When enabled, if a
heuristic scan (such as phishingScan) detects a possible
virus/phishing it will stop scanning immediately. Recommended,
saves CPU scan-time. When disabled, virus/phishing detected by
heuristic scans will be reported only at the end of a scan. If
an archive contains both a heuristically detected virus/phishing,
and a real malware, the real malware will be reported. Keep
this disabled if you intend to handle "*.Heuristics.*" viruses
differently from "real" malware. If a non-heuristically-detected
virus (signature-based) is found first, the scan is interrupted
immediately, regardless of this config option.
Default: no

StructuredDataDetection BOOL
Enable the DLP module.
Default: no

StructuredMinCreditCardCount NUMBER
This option sets the lowest number of Credit Card numbers found
in a file to generate a detect.
Default: 3

StructuredMinSSNCount NUMBER
This option sets the lowest number of Social Security Numbers
found in a file to generate a detect.
Default: 3

StructuredSSNFormatNormal BOOL
With this option enabled the DLP module will search for valid
SSNs formatted as xxx-yy-zzzz.
Default: Yes

StructuredSSNFormatStripped BOOL
With this option enabled the DLP module will search for valid
SSNs formatted as xxxyyzzzz.
Default: No

ScanArchive BOOL
Enable archive scanning.
Default: yes

ArchiveMaxFileSize (OBSOLETE)
WARNING: This option is no longer accepted. See MaxFileSize and
MaxScanSize.

ArchiveMaxRecursion (OBSOLETE)
WARNING: This option is no longer accepted. See MaxRecursion.

ArchiveMaxFiles (OBSOLETE)
WARNING: This option is no longer accepted. See MaxFiles.

ArchiveMaxCompressionRatio (OBSOLETE)
WARNING: This option is no longer accepted.

ArchiveBlockMax (OBSOLETE)
WARNING: This option is no longer accepted.

ArchiveLimitMemoryUsage (OBSOLETE)
WARNING: This option is no longer accepted.
Default: no

ArchiveBlockEncrypted BOOL
Mark encrypted archives as viruses (Encrypted.Zip,
Encrypted.RAR).
Default: no

MaxScanSize SIZE
Sets the maximum amount of data to be scanned for each input
file. Archives and other containers are recursively extracted
and scanned up to this value. Warning: disabling this limit or
setting it too high may result in severe damage to the system.
Default: 100M

MaxFileSize SIZE
Files larger than this limit won't be scanned. Affects the input
file itself as well as files contained inside it (when the input
file is an archive, a document or some other kind of container).
Warning: disabling this limit or setting it too high may result
in severe damage to the system.
Default: 25M

MaxRecursion NUMBER
Nested archives are scanned recursively, e.g. if a Zip archive
contains a RAR file, all files within it will also be scanned.
This option specifies how deeply the process should be continued.
Warning: setting this limit too high may result in severe
damage to the system.
Default: 16

MaxFiles NUMBER
Number of files to be scanned within an archive, a document, or
any other kind of container. Warning: disabling this limit or
setting it too high may result in severe damage to the system.
Default: 10000

ClamukoScanOnAccess BOOL
Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
Default: no

ClamukoScannerCount NUMBER
The number of scanner threads that will be started (DazukoFS
only). Having multiple scanner threads allows Clamuko to serve
multiple processes simultaneously. This is particularly beneficial
on SMP machines.
Default: 3

ClamukoScanOnOpen BOOL
Scan files on open.
Default: no

ClamukoScanOnClose BOOL
Scan files on close.
Default: no

ClamukoScanOnExec BOOL
Scan files on execute.
Default: no

ClamukoIncludePath STRING
Set the include paths (all files and directories inside them
will be scanned). You can have multiple ClamukoIncludePath
directives but each directory must be added in a separate line.
Default: no

ClamukoExcludePath STRING
Set the exclude paths. All subdirectories will also be excluded.
Default: no

ClamukoExcludeUID NUMBER
With this option you can whitelist specific UIDs. Processes with
these UIDs will be able to access all files. This option can be
used multiple times (one per line).
Default: no

ClamukoMaxFileSize SIZE
Ignore files larger than SIZE.
Default: 5M

All options expressing a size are limited to max 4GB. Values in excess
will be reset to the maximum.

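An added example (not part of the man page or of ClamAV): a small Python audit that parses the Option Argument format and checks the MaxQueue file-descriptor condition and the listener defaults described above. The function names, the sample configuration, the binary K/M multipliers, the 4GB cap taken as 4*1024**3 and the last-value-wins rule for repeated options are assumptions.

```python
import re

TRUE = {"yes", "true", "1"}                 # BOOL spellings from the man page
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}  # assumption: K and M are binary multiples
SAMPLE = """# constructed sample, not a real deployment
TCPSocket 3310
MaxThreads 50
MaxRecursion 20
StreamMaxLength 50M
"""

def parse_conf(text):
    """Return {option: [arguments]}; lines starting with '#' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *rest = line.split(None, 1)
        opts.setdefault(name, []).append(rest[0] if rest else "")
    return opts

def parse_size(arg):
    """SIZE in bytes with optional K/k or M/m, capped at 4GB as the notes state."""
    m = re.fullmatch(r"(\d+)([KkMm]?)", arg)
    if not m:
        raise ValueError(f"bad SIZE argument: {arg!r}")
    return min(int(m.group(1)) * UNITS[m.group(2).lower()], 4 * 1024 ** 3)

def audit(text, nofile=1024):
    """Return findings; nofile stands in for RLIMIT_NOFILE (ulimit -n)."""
    o = parse_conf(text)
    last = lambda key, default: o.get(key, [default])[-1]  # assumption: last one wins
    out = []
    if "Example" in o:
        out.append("Example is set: clamd will not run")
    threads, queue = int(last("MaxThreads", "10")), int(last("MaxQueue", "100"))
    need = threads * int(last("MaxRecursion", "16")) + queue - threads + 6
    if need >= nofile:
        out.append(f"fd budget {need} is not below RLIMIT_NOFILE {nofile}")
    if "TCPSocket" in o and "TCPAddr" not in o:
        out.append("TCPSocket without TCPAddr: binds to INADDR_ANY")
    if "LocalSocket" in o and "LocalSocketMode" not in o:
        out.append("LocalSocket without LocalSocketMode: world readable and writable")
    if last("ScanPartialMessages", "no") in TRUE:
        out.append("ScanPartialMessages is on: the man page warns of DoS exposure")
    if parse_size(last("StreamMaxLength", "10M")) > parse_size(last("MaxFileSize", "25M")):
        out.append("StreamMaxLength exceeds MaxFileSize: larger streams won't be scanned")
    return out
```

Calling audit(SAMPLE) reports three findings: the descriptor budget of 1056 against a limit of 1024, the TCP listener bound to every interface, and a stream limit above MaxFileSize.
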
/etc/clamd.conf

Tomasz Kojm <tkojm@clamav.net>

clamd(8), clamdscan(1), clamav-milter(8), freshclam(1),
freshclam.conf(5)

ClamAV 0.97.3 February 12, 2007 clamd.conf(5)