1clamd.conf(5) Clam AntiVirus clamd.conf(5)
2
6 clamd.conf - Configuration file for Clam AntiVirus Daemon
7
9 clamd.conf configures the Clam AntiVirus daemon, clamd(8).
10
12 The file consists of comments and options with arguments. Each line
13 which starts with a hash (#) symbol is ignored by the parser. Options
14 and arguments are case sensitive and of the form Option Argument. The
15 arguments are of the following types:
16 BOOL Boolean value (yes/no or true/false or 1/0).
18 STRING String without blank characters.
20 SIZE Size in bytes. You can use 'M' or 'm' modifiers for megabytes
22 and 'K' or 'k' for kilobytes. To specify the size in bytes just
23 don't use modifiers.
24 NUMBER Unsigned integer.
26
28 When some option is not used (commented out or not included in the con‐
29 figuration file at all) clamd takes a default action.
30 Example
32 If this option is set clamd will not run.
33 LogFile STRING
35 Save all reports to a log file.
36 Default: disabled
37 LogFileUnlock BOOL
39 By default the log file is locked for writing and only a single
40 daemon process can write to it. This option disables the lock.
41 Default: no
42 LogFileMaxSize SIZE
44 Maximum size of the log file.
45 Value of 0 disables the limit.
46 Default: 1048576
47 LogTime BOOL
49 Log time for each message.
50 Default: no
51 LogClean BOOL
53 Log all clean files.
54 Useful in debugging but drastically increases the log size.
55 Default: no
56 LogSyslog BOOL
58 Use the system logger (can work together with LogFile).
59 Default: no
60 LogFacility STRING
62 Type of syslog messages
63 Please refer to 'man syslog' for facility names.
64 Default: LOG_LOCAL6
65 LogVerbose BOOL
67 Enable verbose logging.
68 Default: no
69 LogRotate BOOL
71 Rotate log file. Requires LogFileMaxSize option set prior to
72 this option.
73 Default: no
74 ExtendedDetectionInfo BOOL
76 Log additional information about the infected file, such as its
77 size and hash, together with the virus name.
78 Default: no
79 PidFile STRING
81 Save the process identifier of a listening daemon (main thread)
82 to a specified file.
83 Default: disabled
84 TemporaryDirectory STRING
86 This option allows you to change the default temporary direc‐
87 tory.
88 Default: system specific (usually /tmp or /var/tmp).
89 DatabaseDirectory STRING
91 This option allows you to change the default database directory.
92 If you enable it, please make sure it points to the same direc‐
93 tory in both clamd and freshclam.
94 Default: defined at configuration (/usr/local/share/clamav)
95 OfficialDatabaseOnly BOOL
97 Only load the official signatures published by the ClamAV
98 project.
99 Default: no
100 LocalSocket STRING
102 Path to a local (Unix) socket the daemon will listen on.
103 Default: disabled
104 LocalSocketGroup STRING
106 Sets the group ownership on the unix socket.
107 Default: the primary group of the user running clamd
108 LocalSocketMode STRING
110 Sets the permissions on the unix socket to the specified mode.
111 Default: socket is world readable and writable
112 FixStaleSocket BOOL
114 Remove stale socket after unclean shutdown.
115 Default: yes
116 TCPSocket NUMBER
118 TCP port number the daemon will listen on.
119 Default: disabled
120 TCPAddr STRING
122 By default clamd binds to INADDR_ANY.
123 This option allows you to restrict the TCP address and provide
124 some degree of protection from the outside world. This option
125 can be specified multiple times in order to listen on multiple
126 IPs. IPv6 is now supported.
127 Default: disabled
128 MaxConnectionQueueLength NUMBER
130 Maximum length the queue of pending connections may grow to.
131 Default: 200
132 StreamMaxLength SIZE
134 Close the STREAM session when the data size limit is exceeded.
135 The value should match your MTA's limit for the maximum attach‐
136 ment size.
137 Default: 25M
138 StreamMinPort NUMBER
140 The STREAM command uses an FTP-like protocol.
141 This option sets the lower boundary for the port range.
142 Default: 1024
143 StreamMaxPort NUMBER
145 This option sets the upper boundary for the port range.
146 Default: 2048
147 MaxThreads NUMBER
149 Maximum number of threads running at the same time.
150 Default: 10
151 ReadTimeout NUMBER
153 This option specifies the time (in seconds) after which clamd
154 should timeout if a client doesn't provide any data.
155 Default: 120
156 CommandReadTimeout NUMBER
158 This option specifies the time (in seconds) after which clamd
159 should timeout if a client doesn't provide any initial command
160 after connecting. The default is set to 30 to avoid timeouts
161 with TCP sockets when processing large messages. If using a
162 Unix socket, the value can be changed to 5. Note: the timeout
163 for subsequents commands, and/or data chunks is specified by
164 ReadTimeout.
165 Default: 30
166 SendBufTimeout NUMBER
168 This option specifies how long to wait (in milliseconds) if the
169 send buffer is full. Keep this value low to prevent clamd hang‐
170 ing.
171 Default: 500
172 MaxQueue NUMBER
174 Maximum number of queued items (including those being processed
175 by MaxThreads threads). It is recommended to have this value at
176 least twice MaxThreads if possible.
177 WARNING: you shouldn't increase this too much to avoid running
178 out of file descriptors, the following condition should hold:
179 MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 <
180 RLIMIT_NOFILE. RLIMIT_NOFILE is the maximum number of open file
181 descriptors (usually 1024), set by ulimit -n.
182 Default: 100
183 IdleTimeout NUMBER
185 This option specifies how long (in seconds) the process should
186 wait for a new job.
187 Default: 30
188 ExcludePath REGEX
190 Don't scan files and directories matching REGEX. This directive
191 can be used multiple times.
192 Default: disabled
193 MaxDirectoryRecursion NUMBER
195 Maximum depth directories are scanned at.
196 Default: 15
197 FollowDirectorySymlinks BOOL
199 Follow directory symlinks.
200 Default: no
201 CrossFilesystems BOOL
203 Scan files and directories on other filesystems.
204 Default: yes
205 FollowFileSymlinks BOOL
207 Follow regular file symlinks.
208 Default: no
209 SelfCheck NUMBER
211 This option specifies the time intervals (in seconds) in which
212 clamd should perform a database check.
213 Default: 600
214 VirusEvent COMMAND
216 Execute a command when a virus is found. In the command string
217 %v will be replaced with the virus name. Additionally, two envi‐
218 ronment variables will be defined: $CLAM_VIRUSEVENT_FILENAME and
219 $CLAM_VIRUSEVENT_VIRUSNAME.
220 Default: disabled
221 ExitOnOOM BOOL
223 Stop daemon when libclamav reports out of memory condition.
224 Default: no
225 AllowAllMatchScan BOOL
227 Permit use of the ALLMATCHSCAN command.
228 Default: yes
229 Foreground BOOL
231 Don't fork into background.
232 Default: no
233 Debug BOOL
235 Enable debug messages from libclamav.
236 Default: no
237 LeaveTemporaryFiles BOOL
239 Do not remove temporary files (for debugging purpose).
240 Default: no
241 User STRING
243 Run the daemon as a specified user (the process must be started
244 by root).
245 Default: disabled
246 Bytecode BOOL
248 With this option enabled ClamAV will load bytecode from the
249 database. It is highly recommended you keep this option turned
250 on, otherwise you may miss detections for many new viruses.
251 Default: yes
252 BytecodeSecurity STRING
254 Set bytecode security level.
255 Possible values:
256 TrustSigned - trust bytecode loaded from signed .c[lv]d
257 files and insert runtime safety checks for bytecode loaded
258 from other sources,
259 Paranoid - don't trust any bytecode, insert runtime checks
260 for all.
261 Recommended: TrustSigned, because bytecode in .cvd files already
262 has these checks.
263 Default: TrustSigned
264 BytecodeTimeout NUMBER
266 Set bytecode timeout in milliseconds.
267 Default: 5000
268 BytecodeUnsigned BOOL
270 Allow loading bytecode from outside digitally signed .c[lv]d
271 files.
272 Default: no
273 BytecodeMode STRING
275 Set bytecode execution mode.
276 Possible values:
277 Auto - automatically choose JIT if possible, fallback to
278 interpreter
279 ForceJIT - always choose JIT, fail if not possible
280 ForceInterpreter - always choose interpreter
281 Test - run with both JIT and interpreter and compare
282 results. Make all failures fatal.
283 Default: Auto
284 DetectPUA BOOL
286 Detect Possibly Unwanted Applications.
287 Default: No
288 ExcludePUA CATEGORY
290 Exclude a specific PUA category. This directive can be used mul‐
291 tiple times. See https://www.clamav.net/documents/potentially-
292 unwanted-applications-pua for the complete list of PUA cate‐
293 gories.
294 Default: disabled
295 IncludePUA CATEGORY
297 Only include a specific PUA category. This directive can be used
298 multiple times. See https://www.clamav.net/documents/poten‐
299 tially-unwanted-applications-pua for the complete list of PUA
300 categories.
301 Default: disabled
302 HeuristicAlerts BOOL
304 In some cases (eg. complex malware, exploits in graphic files,
305 and others), ClamAV uses special algorithms to provide accurate
306 detection. This option controls the algorithmic detection.
307 Default: yes
308 HeuristicScanPrecedence BOOL
310 Allow heuristic match to take precedence. When enabled, if a
311 heuristic scan (such as phishingScan) detects a possible
312 virus/phishing it will stop scanning immediately. Recommended,
313 saves CPU scan-time. When disabled, virus/phishing detected by
314 heuristic scans will be reported only at the end of a scan. If
315 an archive contains both a heuristically detected virus/phish‐
316 ing, and a real malware, the real malware will be reported. Keep
317 this disabled if you intend to handle "*.Heuristics.*" viruses
318 differently from "real" malware. If a non-heuristically-detected
319 virus (signature-based) is found first, the scan is interrupted
320 immediately, regardless of this config option.
321 Default: no
322 ScanPE BOOL
324 PE stands for Portable Executable - it's an executable file for‐
325 mat used in all 32 and 64-bit versions of Windows operating sys‐
326 tems. This option allows ClamAV to perform a deeper analysis of
327 executable files and it's also required for decompression of
328 popular executable packers such as UPX.
329 If you turn off this option, the original files will still be
330 scanned, but without additional processing.
331 Default: yes
332 ScanELF BOOL
334 Executable and Linking Format is a standard format for UN*X exe‐
335 cutables. This option allows you to control the scanning of ELF
336 files.
337 If you turn off this option, the original files will still be
338 scanned, but without additional processing.
339 Default: yes
340 ScanMail BOOL
342 Enable scanning of mail files.
343 If you turn off this option, the original files will still be
344 scanned, but without parsing individual messages/attachments.
345 Default: yes
346 ScanPartialMessages BOOL
348 Scan RFC1341 messages split over many emails. You will need to
349 periodically clean up $TemporaryDirectory/clamav-partial direc‐
350 tory. WARNING: This option may open your system to a DoS attack.
351 Never use it on loaded servers.
352 Default: no
353 PhishingSignatures BOOL
355 Enable email signature-based phishing detection.
356 Default: yes
357 PhishingScanURLs BOOL
359 Enable URL signature-based phishing detection (Phishing.Heuris‐
360 tics.Email.*)
361 Default: yes
362 StructuredDataDetection BOOL
364 Enable the DLP module.
365 Default: no
366 StructuredMinCreditCardCount NUMBER
368 This option sets the lowest number of Credit Card numbers found
369 in a file to generate a detect.
370 Default: 3
371 StructuredMinSSNCount NUMBER
373 This option sets the lowest number of Social Security Numbers
374 found in a file to generate a detect.
375 Default: 3
376 StructuredSSNFormatNormal BOOL
378 With this option enabled the DLP module will search for valid
379 SSNs formatted as xxx-yy-zzzz.
380 Default: Yes
381 StructuredSSNFormatStripped BOOL
383 With this option enabled the DLP module will search for valid
384 SSNs formatted as xxxyyzzzz.
385 Default: No
386 ScanHTML BOOL
388 Perform HTML/JavaScript/ScriptEncoder normalisation and decryp‐
389 tion.
390 If you turn off this option, the original files will still be
391 scanned, but without additional processing.
392 Default: yes
393 ScanOLE2 BOOL
395 This option enables scanning of OLE2 files, such as Microsoft
396 Office documents and .msi files.
397 If you turn off this option, the original files will still be
398 scanned, but without additional processing.
399 Default: yes
400 ScanPDF BOOL
402 This option enables scanning within PDF files.
403 If you turn off this option, the original files will still be
404 scanned, but without additional processing.
405 Default: yes
406 ScanSWF BOOL
408 This option enables scanning within SWF files.
409 If you turn off this option, the original files will still be
410 scanned, but without decoding and additional processing.
411 Default: yes
412 ScanXMLDOCS BOOL
414 This option enables scanning xml-based document files supported
415 by libclamav.
416 If you turn off this option, the original files will still be
417 scanned, but without additional processing.
418 Default: yes
419 ScanHWP3 BOOL
421 This option enables scanning HWP3 files.
422 If you turn off this option, the original files will still be
423 scanned, but without additional processing.
424 Default: yes
425 ScanArchive BOOL
427 Scan within archives and compressed files.
428 If you turn off this option, the original files will still be
429 scanned, but without unpacking and additional processing.
430 Default: yes
431 AlertBrokenExecutables BOOL
433 Alert on broken executable files (PE & ELF).
434 Default: no
435 AlertEncrypted BOOL
437 Alert on encrypted archives and documents (encrypted .zip,
438 .7zip, .rar, .pdf).
439 Default: no
440 AlertEncryptedArchive BOOL
442 Alert on encrypted archives (encrypted .zip, .7zip, .rar).
443 Default: no
444 AlertEncryptedDoc BOOL
446 Alert on encrypted documents (encrypted .pdf).
447 Default: no
448 AlertOLE2Macros BOOL
450 Alert on OLE2 files containing VBA macros (Heuristics.OLE2.Con‐
451 tainsMacros).
452 Default: no
453 AlertExceedsMax BOOL
455 Alert on files that exceed max file size, max scan size, or max
456 recursion limit (Heuristics.Limits.Exceeded).
457 Default: no
458 AlertPhishingSSLMismatch BOOL
460 Alert on emails containing SSL mismatches in URLs (might lead to
461 false positives!).
462 Default: no
463 AlertPhishingCloak BOOL
465 Alert on emails containing cloaked URLs (might lead to some
466 false positives).
467 Default: no
468 AlertPartitionIntersection BOOL
470 Alert on raw DMG image files containing partition intersections.
471 Default: no
472 ForceToDisk
474 This option causes memory or nested map scans to dump the con‐
475 tent to disk.
476 If you turn on this option, more data is written to disk and is
477 available when the leave-temps option is enabled at the cost of
478 more disk writes.
479 Default: no
480 MaxScanSize SIZE
482 Sets the maximum amount of data to be scanned for each input
483 file. Archives and other containers are recursively extracted
484 and scanned up to this value. The size of an archive plus the
485 sum of the sizes of all files within archive count toward the
486 scan size. For example, a 1M uncompressed archive containing a
487 single 1M inner file counts as 2M toward the max scan size.
488 Warning: disabling this limit or setting it too high may result
489 in severe damage to the system.
490 Default: 100M
491 MaxFileSize SIZE
493 Files larger than this limit won't be scanned. Affects the input
494 file itself as well as files contained inside it (when the input
495 file is an archive, a document or some other kind of container).
496 Warning: disabling this limit or setting it too high may result
497 in severe damage to the system.
498 Default: 25M
499 MaxRecursion NUMBER
501 Nested archives are scanned recursively, e.g. if a Zip archive
502 contains a RAR file, all files within it will also be scanned.
503 This options specifies how deeply the process should be contin‐
504 ued. Warning: setting this limit too high may result in severe
505 damage to the system.
506 Default: 16
507 MaxFiles NUMBER
509 Number of files to be scanned within an archive, a document, or
510 any other kind of container. Warning: disabling this limit or
511 setting it too high may result in severe damage to the system.
512 Default: 10000
513 MaxEmbeddedPE SIZE
515 This option sets the maximum size of a file to check for embed‐
516 ded PE.
517 Files larger than this value will skip the additional analysis
518 step.
519 Negative values are not allowed.
520 Default: 10M
521 MaxHTMLNormalize SIZE
523 This option sets the maximum size of a HTML file to normalize.
524 HTML files larger than this value will not be normalized or
525 scanned.
526 Negative values are not allowed.
527 Default: 10M
528 MaxHTMLNoTags SIZE
530 This option sets the maximum size of a normalized HTML file to
531 scan.
532 HTML files larger than this value after normalization will not
533 be scanned.
534 Negative values are not allowed.
535 Default: 2M
536 MaxScriptNormalize SIZE
538 This option sets the maximum size of a script file to normalize.
539 Script content larger than this value will not be normalized or
540 scanned.
541 Negative values are not allowed.
542 Default: 5M
543 MaxZipTypeRcg SIZE
545 This option sets the maximum size of a ZIP file to reanalyze
546 type recognition.
547 ZIP files larger than this value will skip the step to poten‐
548 tially reanalyze as PE.
549 Negative values are not allowed.
550 WARNING: setting this limit too high may result in severe damage
551 or impact performance.
552 Default: 1M
553 MaxPartitions SIZE
555 This option sets the maximum number of partitions of a raw disk
556 image to be scanned.
557 Raw disk images with more partitions than this value will have
558 up to the value partitions scanned.
559 Negative values are not allowed.
560 WARNING: setting this limit too high may result in severe damage
561 or impact performance.
562 Default: 50
563 MaxIconsPE SIZE
565 This option sets the maximum number of icons within a PE to be
566 scanned.
567 PE files with more icons than this value will have up to the
568 value number icons scanned.
569 Negative values are not allowed.
570 WARNING: setting this limit too high may result in severe damage
571 or impact performance.
572 Default: 100
573 MaxRecHWP3 NUMBER
575 This option sets the maximum recursive calls to HWP3 parsing
576 function.
577 HWP3 files using more than this limit will be terminated and
578 alert the user.
579 Scans will be unable to scan any HWP3 attachments if the recur‐
580 sive limit is reached.
581 Negative values are not allowed.
582 WARNING: setting this limit too high may result in severe damage
583 or impact performance.
584 Default: 16
585 PCREMatchLimit NUMBER
587 This option sets the maximum calls to the PCRE match function
588 during an instance of regex matching.
589 Instances using more than this limit will be terminated and
590 alert the user but the scan will continue.
591 For more information on match_limit, see the PCRE documentation.
592 Negative values are not allowed.
593 WARNING: setting this limit too high may severely impact perfor‐
594 mance.
595 Default: 10000
596 PCRERecMatchLimit NUMBER
598 This option sets the maximum recursive calls to the PCRE match
599 function during an instance of regex matching.
600 Instances using more than this limit will be terminated and
601 alert the user but the scan will continue.
602 For more information on match_limit_recursion, see the PCRE doc‐
603 umentation.
604 Negative values are not allowed and values > PCREMatchLimit are
605 superfluous.
606 WARNING: setting this limit too high may severely impact perfor‐
607 mance.
608 Default: 2000
609 PCREMaxFileSize SIZE
611 This option sets the maximum filesize for which PCRE subsigs
612 will be executed.
613 Files exceeding this limit will not have PCRE subsigs executed
614 unless a subsig is encompassed to a smaller buffer.
615 Negative values are not allowed.
616 Setting this value to zero disables the limit.
617 WARNING: setting this limit too high or disabling it may severe‐
618 ly impact performance.
619 Default: 25M
620 ScanOnAccess BOOL
622 This option enables on-access scanning (Linux only)
623 Default: disabled
624 OnAccessIncludePath STRING
626 This option specifies a directory (including all files and
627 directories inside it), which should be scanned on access. This
628 option can be used multiple times.
629 Default: disabled
630 OnAccessExcludePath STRING
632 This option allows excluding directories from on-access scan‐
633 ning. It can be used multiple times.
634 Default: disabled
635 OnAccessExcludeRootUID BOOL
637 With this option you can whitelist the root UID (0). Processes
638 run under root will be able to access all files without trigger‐
639 ing scans or permission denied events.
640 Note that if clamd cannot check the uid of the process that gen‐
641 erated an on-access scan event (e.g., because OnAccessPrevention
642 was not enabled, and the process already exited), clamd will
643 perform a scan. Thus, setting OnAccessExcludeRootUID is not
644 guaranteed to prevent every access by the root user from trig‐
645 gering a scan (unless OnAccessPrevention is enabled).
646 Default: no
647 OnAccessExcludeUID NUMBER
649 With this option you can whitelist specific UIDs. Processes with
650 these UIDs will be able to access all files without triggering
651 scans or permission denied events.
652 This option can be used multiple times (one per line).
653 Note: using a value of 0 on any line will disable this option
654 entirely. To whitelist the root UID (0) please enable the OnAc‐
655 cessExcludeRootUID option.
656 Also note that if clamd cannot check the uid of the process that
657 generated an on-access scan event (e.g., because OnAccessPreven‐
658 tion was not enabled, and the process already exited), clamd
659 will perform a scan. Thus, setting OnAccessExcludeUID is not
660 guaranteed to prevent every access by the specified uid from
661 triggering a scan (unless OnAccessPrevention is enabled).
662 Default: disabled
663 OnAccessMaxFileSize SIZE
665 Files larger than this value will not be scanned in on access.
666 Default: 5M
667 OnAccessMountPath STRING
669 Specifies a mount point (including all files and directories
670 under it), which should be scanned on access. This option can be
671 used multiple times.
672 Default: disabled
673 OnAccessDisableDDD BOOL
675 Disables the dynamic directory determination system which allows
676 for recursively watching include paths.
677 Default: no
678 OnAccessPrevention BOOL
680 Enables fanotify blocking when malicious files are found.
681 Default: disabled
682 DisableCertCheck BOOL
684 Disable authenticode certificate chain verification in PE files.
685 Default: no
686
688 All options expressing a size are limited to max 4GB. Values in excess
689 will be reset to the maximum.
690
692 /etc/clamd.d/scan.conf
693
695 Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>
696
698 clamd(8), clamdscan(1), clamav-milter(8), freshclam(1), fresh‐
699 clam.conf(5)
700ClamAV 0.101.2 December 4, 2013 clamd.conf(5)