clamd.conf(5)                   Clam AntiVirus                   clamd.conf(5)

NAME

       clamd.conf - Configuration file for Clam AntiVirus Daemon

DESCRIPTION

       clamd.conf configures the Clam AntiVirus daemon, clamd(8).

FILE FORMAT

       The file consists of comments and options with arguments. Each line
       which starts with a hash (#) symbol is ignored by the parser. Options
       and arguments are case sensitive and of the form Option Argument. The
       arguments are of the following types:

       BOOL   Boolean value (yes/no or true/false or 1/0).

       STRING String without blank characters.

       SIZE   Size in bytes. You can use 'M' or 'm' modifiers for megabytes
              and 'K' or 'k' for kilobytes. To specify the size in bytes just
              don't use modifiers.

       NUMBER Unsigned integer.

DIRECTIVES

       When some option is not used (commented out or not included in the
       configuration file at all) clamd takes a default action.

       Example
              If this option is set clamd will not run.

       LogFile STRING
              Save all reports to a log file.
              Default: disabled

       LogFileUnlock BOOL
              By default the log file is locked for writing and only a single
              daemon process can write to it. This option disables the lock.
              Default: no

       LogFileMaxSize SIZE
              Maximum size of the log file.
              Value of 0 disables the limit.
              Default: 1048576

       LogTime BOOL
              Log time for each message.
              Default: no

       LogClean BOOL
              Log all clean files.
              Useful in debugging but drastically increases the log size.
              Default: no

       LogSyslog BOOL
              Use the system logger (can work together with LogFile).
              Default: no

       LogFacility STRING
              Type of syslog messages.
              Please refer to 'man syslog' for facility names.
              Default: LOG_LOCAL6

       LogVerbose BOOL
              Enable verbose logging.
              Default: no

       LogRotate BOOL
              Rotate log file. Requires LogFileMaxSize option set prior to
              this option.
              Default: no

       ExtendedDetectionInfo BOOL
              Log additional information about the infected file, such as its
              size and hash, together with the virus name.
              Default: no

       PidFile STRING
              Save the process identifier of a listening daemon (main thread)
              to a specified file.
              Default: disabled

       TemporaryDirectory STRING
              This option allows you to change the default temporary
              directory.
              Default: system specific (usually /tmp or /var/tmp).

       DatabaseDirectory STRING
              This option allows you to change the default database directory.
              If you enable it, please make sure it points to the same
              directory in both clamd and freshclam.
              Default: defined at configuration (/usr/local/share/clamav)

       OfficialDatabaseOnly BOOL
              Only load the official signatures published by the ClamAV
              project.
              Default: no

       LocalSocket STRING
              Path to a local (Unix) socket the daemon will listen on.
              Default: disabled

       LocalSocketGroup STRING
              Sets the group ownership on the unix socket.
              Default: the primary group of the user running clamd

       LocalSocketMode STRING
              Sets the permissions on the unix socket to the specified mode.
              Default: socket is world readable and writable

       FixStaleSocket BOOL
              Remove stale socket after unclean shutdown.
              Default: yes

       TCPSocket NUMBER
              TCP port number the daemon will listen on.
              Default: disabled

       TCPAddr STRING
              By default clamd binds to INADDR_ANY.
              This option allows you to restrict the TCP address and provide
              some degree of protection from the outside world. This option
              can be specified multiple times in order to listen on multiple
              IPs. IPv6 is now supported.
              Default: disabled

       MaxConnectionQueueLength NUMBER
              Maximum length the queue of pending connections may grow to.
              Default: 200

       StreamMaxLength SIZE
              Close the STREAM session when the data size limit is exceeded.
              The value should match your MTA's limit for the maximum
              attachment size.
              Default: 25M

       StreamMinPort NUMBER
              The STREAM command uses an FTP-like protocol.
              This option sets the lower boundary for the port range.
              Default: 1024

       StreamMaxPort NUMBER
              This option sets the upper boundary for the port range.
              Default: 2048

       MaxThreads NUMBER
              Maximum number of threads running at the same time.
              Default: 10

       ReadTimeout NUMBER
              This option specifies the time (in seconds) after which clamd
              should time out if a client doesn't provide any data.
              Default: 120

       CommandReadTimeout NUMBER
              This option specifies the time (in seconds) after which clamd
              should time out if a client doesn't provide any initial command
              after connecting. The default is set to 30 to avoid timeouts
              with TCP sockets when processing large messages. If using a
              Unix socket, the value can be changed to 5. Note: the timeout
              for subsequent commands and/or data chunks is specified by
              ReadTimeout.
              Default: 30

       SendBufTimeout NUMBER
              This option specifies how long to wait (in milliseconds) if the
              send buffer is full. Keep this value low to prevent clamd from
              hanging.
              Default: 500

       MaxQueue NUMBER
              Maximum number of queued items (including those being processed
              by MaxThreads threads). It is recommended to have this value at
              least twice MaxThreads if possible.
              WARNING: you shouldn't increase this too much, to avoid running
              out of file descriptors. The following condition should hold:
              MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 <
              RLIMIT_NOFILE. RLIMIT_NOFILE is the maximum number of open file
              descriptors (usually 1024), set by ulimit -n.
              Default: 100

       IdleTimeout NUMBER
              This option specifies how long (in seconds) the process should
              wait for a new job.
              Default: 30

       ExcludePath REGEX
              Don't scan files and directories matching REGEX. This directive
              can be used multiple times.
              Default: disabled

       MaxDirectoryRecursion NUMBER
              Maximum depth directories are scanned at.
              Default: 15

       FollowDirectorySymlinks BOOL
              Follow directory symlinks.
              Default: no

       CrossFilesystems BOOL
              Scan files and directories on other filesystems.
              Default: yes

       FollowFileSymlinks BOOL
              Follow regular file symlinks.
              Default: no

       SelfCheck NUMBER
              This option specifies the interval (in seconds) at which
              clamd should perform a database check.
              Default: 600

       VirusEvent COMMAND
              Execute a command when a virus is found. In the command string
              %v will be replaced with the virus name. Additionally, two
              environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
              and $CLAM_VIRUSEVENT_VIRUSNAME.
              Default: disabled

       ExitOnOOM BOOL
              Stop daemon when libclamav reports out of memory condition.
              Default: no

       AllowAllMatchScan BOOL
              Permit use of the ALLMATCHSCAN command.
              Default: yes

       Foreground BOOL
              Don't fork into background.
              Default: no

       Debug BOOL
              Enable debug messages from libclamav.
              Default: no

       LeaveTemporaryFiles BOOL
              Do not remove temporary files (for debugging purposes).
              Default: no

       User STRING
              Run the daemon as a specified user (the process must be started
              by root).
              Default: disabled

       Bytecode BOOL
              With this option enabled ClamAV will load bytecode from the
              database. It is highly recommended you keep this option turned
              on, otherwise you may miss detections for many new viruses.
              Default: yes

       BytecodeSecurity STRING
              Set bytecode security level.
              Possible values:
                  TrustSigned - trust bytecode loaded from signed .c[lv]d
                  files and insert runtime safety checks for bytecode loaded
                  from other sources,
                  Paranoid - don't trust any bytecode, insert runtime checks
                  for all.
              Recommended: TrustSigned, because bytecode in .cvd files already
              has these checks.
              Default: TrustSigned

       BytecodeTimeout NUMBER
              Set bytecode timeout in milliseconds.
              Default: 5000

       BytecodeUnsigned BOOL
              Allow loading bytecode from outside digitally signed .c[lv]d
              files.
              Default: no

       BytecodeMode STRING
              Set bytecode execution mode.
              Possible values:
                  Auto - automatically choose JIT if possible, fallback to
                  interpreter
                  ForceJIT - always choose JIT, fail if not possible
                  ForceInterpreter - always choose interpreter
                  Test - run with both JIT and interpreter and compare
                  results. Make all failures fatal.
              Default: Auto

       DetectPUA BOOL
              Detect Possibly Unwanted Applications.
              Default: no

       ExcludePUA CATEGORY
              Exclude a specific PUA category. This directive can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA categories.
              Default: disabled

       IncludePUA CATEGORY
              Only include a specific PUA category. This directive can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA categories.
              Default: disabled

       HeuristicAlerts BOOL
              In some cases (e.g. complex malware, exploits in graphic files,
              and others), ClamAV uses special algorithms to provide accurate
              detection. This option controls the algorithmic detection.
              Default: yes

       HeuristicScanPrecedence BOOL
              Allow heuristic match to take precedence. When enabled, if a
              heuristic scan (such as phishingScan) detects a possible
              virus/phishing it will stop scanning immediately. Recommended,
              saves CPU scan-time. When disabled, virus/phishing detected by
              heuristic scans will be reported only at the end of a scan. If
              an archive contains both a heuristically detected
              virus/phishing, and a real malware, the real malware will be
              reported. Keep this disabled if you intend to handle
              "*.Heuristics.*" viruses differently from "real" malware. If a
              non-heuristically-detected virus (signature-based) is found
              first, the scan is interrupted immediately, regardless of this
              config option.
              Default: no

       ScanPE BOOL
              PE stands for Portable Executable - it's an executable file
              format used in all 32 and 64-bit versions of Windows operating
              systems. This option allows ClamAV to perform a deeper analysis
              of executable files and it's also required for decompression of
              popular executable packers such as UPX.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanELF BOOL
              Executable and Linking Format is a standard format for UN*X
              executables. This option allows you to control the scanning of
              ELF files.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanMail BOOL
              Enable scanning of mail files.
              If you turn off this option, the original files will still be
              scanned, but without parsing individual messages/attachments.
              Default: yes

       ScanPartialMessages BOOL
              Scan RFC1341 messages split over many emails. You will need to
              periodically clean up the $TemporaryDirectory/clamav-partial
              directory. WARNING: This option may open your system to a DoS
              attack. Never use it on loaded servers.
              Default: no

       PhishingSignatures BOOL
              Enable email signature-based phishing detection.
              Default: yes

       PhishingScanURLs BOOL
              Enable URL signature-based phishing detection
              (Phishing.Heuristics.Email.*).
              Default: yes

       StructuredDataDetection BOOL
              Enable the DLP module.
              Default: no

       StructuredMinCreditCardCount NUMBER
              This option sets the lowest number of Credit Card numbers found
              in a file to generate a detection.
              Default: 3

       StructuredMinSSNCount NUMBER
              This option sets the lowest number of Social Security Numbers
              found in a file to generate a detection.
              Default: 3

       StructuredSSNFormatNormal BOOL
              With this option enabled the DLP module will search for valid
              SSNs formatted as xxx-yy-zzzz.
              Default: yes

       StructuredSSNFormatStripped BOOL
              With this option enabled the DLP module will search for valid
              SSNs formatted as xxxyyzzzz.
              Default: no

       ScanHTML BOOL
              Perform HTML/JavaScript/ScriptEncoder normalisation and
              decryption.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanOLE2 BOOL
              This option enables scanning of OLE2 files, such as Microsoft
              Office documents and .msi files.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanPDF BOOL
              This option enables scanning within PDF files.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanSWF BOOL
              This option enables scanning within SWF files.
              If you turn off this option, the original files will still be
              scanned, but without decoding and additional processing.
              Default: yes

       ScanXMLDOCS BOOL
              This option enables scanning xml-based document files supported
              by libclamav.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanHWP3 BOOL
              This option enables scanning HWP3 files.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanArchive BOOL
              Scan within archives and compressed files.
              If you turn off this option, the original files will still be
              scanned, but without unpacking and additional processing.
              Default: yes

       AlertBrokenExecutables BOOL
              Alert on broken executable files (PE & ELF).
              Default: no

       AlertEncrypted BOOL
              Alert on encrypted archives and documents (encrypted .zip,
              .7zip, .rar, .pdf).
              Default: no

       AlertEncryptedArchive BOOL
              Alert on encrypted archives (encrypted .zip, .7zip, .rar).
              Default: no

       AlertEncryptedDoc BOOL
              Alert on encrypted documents (encrypted .pdf).
              Default: no

       AlertOLE2Macros BOOL
              Alert on OLE2 files containing VBA macros
              (Heuristics.OLE2.ContainsMacros).
              Default: no

       AlertExceedsMax BOOL
              Alert on files that exceed max file size, max scan size, or max
              recursion limit (Heuristics.Limits.Exceeded).
              Default: no

       AlertPhishingSSLMismatch BOOL
              Alert on emails containing SSL mismatches in URLs (might lead to
              false positives!).
              Default: no

       AlertPhishingCloak BOOL
              Alert on emails containing cloaked URLs (might lead to some
              false positives).
              Default: no

       AlertPartitionIntersection BOOL
              Alert on raw DMG image files containing partition intersections.
              Default: no

       ForceToDisk BOOL
              This option causes memory or nested map scans to dump the
              content to disk.
              If you turn on this option, more data is written to disk and is
              available when the leave-temps option is enabled at the cost of
              more disk writes.
              Default: no

       MaxScanSize SIZE
              Sets the maximum amount of data to be scanned for each input
              file. Archives and other containers are recursively extracted
              and scanned up to this value. The size of an archive plus the
              sum of the sizes of all files within the archive count toward
              the scan size. For example, a 1M uncompressed archive containing
              a single 1M inner file counts as 2M toward the max scan size.
              Warning: disabling this limit or setting it too high may result
              in severe damage to the system.
              Default: 100M

       MaxFileSize SIZE
              Files larger than this limit won't be scanned. Affects the input
              file itself as well as files contained inside it (when the input
              file is an archive, a document or some other kind of container).
              Warning: disabling this limit or setting it too high may result
              in severe damage to the system.
              Default: 25M

       MaxRecursion NUMBER
              Nested archives are scanned recursively, e.g. if a Zip archive
              contains a RAR file, all files within it will also be scanned.
              This option specifies how deeply the process should be
              continued. Warning: setting this limit too high may result in
              severe damage to the system.
              Default: 16

       MaxFiles NUMBER
              Number of files to be scanned within an archive, a document, or
              any other kind of container. Warning: disabling this limit or
              setting it too high may result in severe damage to the system.
              Default: 10000

       MaxEmbeddedPE SIZE
              This option sets the maximum size of a file to check for
              embedded PE.
              Files larger than this value will skip the additional analysis
              step.
              Negative values are not allowed.
              Default: 10M

       MaxHTMLNormalize SIZE
              This option sets the maximum size of an HTML file to normalize.
              HTML files larger than this value will not be normalized or
              scanned.
              Negative values are not allowed.
              Default: 10M

       MaxHTMLNoTags SIZE
              This option sets the maximum size of a normalized HTML file to
              scan.
              HTML files larger than this value after normalization will not
              be scanned.
              Negative values are not allowed.
              Default: 2M

       MaxScriptNormalize SIZE
              This option sets the maximum size of a script file to normalize.
              Script content larger than this value will not be normalized or
              scanned.
              Negative values are not allowed.
              Default: 5M

       MaxZipTypeRcg SIZE
              This option sets the maximum size of a ZIP file to reanalyze
              type recognition.
              ZIP files larger than this value will skip the step to
              potentially reanalyze as PE.
              Negative values are not allowed.
              WARNING: setting this limit too high may result in severe damage
              or impact performance.
              Default: 1M

       MaxPartitions SIZE
              This option sets the maximum number of partitions of a raw disk
              image to be scanned.
              Raw disk images with more partitions than this value will have
              partitions scanned only up to this value.
              Negative values are not allowed.
              WARNING: setting this limit too high may result in severe damage
              or impact performance.
              Default: 50

       MaxIconsPE SIZE
              This option sets the maximum number of icons within a PE to be
              scanned.
              PE files with more icons than this value will have icons
              scanned only up to this value.
              Negative values are not allowed.
              WARNING: setting this limit too high may result in severe damage
              or impact performance.
              Default: 100

       MaxRecHWP3 NUMBER
              This option sets the maximum recursive calls to the HWP3 parsing
              function.
              HWP3 files using more than this limit will be terminated and
              the user alerted.
              Scans will be unable to scan any HWP3 attachments if the
              recursive limit is reached.
              Negative values are not allowed.
              WARNING: setting this limit too high may result in severe damage
              or impact performance.
              Default: 16

       PCREMatchLimit NUMBER
              This option sets the maximum calls to the PCRE match function
              during an instance of regex matching.
              Instances using more than this limit will be terminated and
              the user alerted, but the scan will continue.
              For more information on match_limit, see the PCRE documentation.
              Negative values are not allowed.
              WARNING: setting this limit too high may severely impact
              performance.
              Default: 10000

       PCRERecMatchLimit NUMBER
              This option sets the maximum recursive calls to the PCRE match
              function during an instance of regex matching.
              Instances using more than this limit will be terminated and
              the user alerted, but the scan will continue.
              For more information on match_limit_recursion, see the PCRE
              documentation.
              Negative values are not allowed and values > PCREMatchLimit are
              superfluous.
              WARNING: setting this limit too high may severely impact
              performance.
              Default: 2000

       PCREMaxFileSize SIZE
              This option sets the maximum filesize for which PCRE subsigs
              will be executed.
              Files exceeding this limit will not have PCRE subsigs executed
              unless a subsig is encompassed to a smaller buffer.
              Negative values are not allowed.
              Setting this value to zero disables the limit.
              WARNING: setting this limit too high or disabling it may
              severely impact performance.
              Default: 25M

       ScanOnAccess BOOL
              This option enables on-access scanning (Linux only).
              Default: disabled

       OnAccessIncludePath STRING
              This option specifies a directory (including all files and
              directories inside it), which should be scanned on access. This
              option can be used multiple times.
              Default: disabled

       OnAccessExcludePath STRING
              This option allows excluding directories from on-access
              scanning. It can be used multiple times.
              Default: disabled

       OnAccessExcludeRootUID BOOL
              With this option you can whitelist the root UID (0). Processes
              run under root will be able to access all files without
              triggering scans or permission denied events.
              Note that if clamd cannot check the uid of the process that
              generated an on-access scan event (e.g., because
              OnAccessPrevention was not enabled, and the process already
              exited), clamd will perform a scan. Thus, setting
              OnAccessExcludeRootUID is not guaranteed to prevent every access
              by the root user from triggering a scan (unless
              OnAccessPrevention is enabled).
              Default: no

       OnAccessExcludeUID NUMBER
              With this option you can whitelist specific UIDs. Processes with
              these UIDs will be able to access all files without triggering
              scans or permission denied events.
              This option can be used multiple times (one per line).
              Note: using a value of 0 on any line will disable this option
              entirely. To whitelist the root UID (0) please enable the
              OnAccessExcludeRootUID option.
              Also note that if clamd cannot check the uid of the process that
              generated an on-access scan event (e.g., because
              OnAccessPrevention was not enabled, and the process already
              exited), clamd will perform a scan. Thus, setting
              OnAccessExcludeUID is not guaranteed to prevent every access by
              the specified uid from triggering a scan (unless
              OnAccessPrevention is enabled).
              Default: disabled

       OnAccessMaxFileSize SIZE
              Files larger than this value will not be scanned on access.
              Default: 5M

       OnAccessMountPath STRING
              Specifies a mount point (including all files and directories
              under it), which should be scanned on access. This option can be
              used multiple times.
              Default: disabled

       OnAccessDisableDDD BOOL
              Disables the dynamic directory determination system which allows
              for recursively watching include paths.
              Default: no

       OnAccessPrevention BOOL
              Enables fanotify blocking when malicious files are found.
              Default: disabled

       DisableCertCheck BOOL
              Disable authenticode certificate chain verification in PE files.
              Default: no

NOTES

       All options expressing a size are limited to max 4GB. Values in excess
       will be reset to the maximum.

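Added example (not part of the original manual page or of ClamAV): a small Python checker that parses the file format described under FILE FORMAT and tests a configuration against conditions this page states, namely the MaxQueue file-descriptor formula, the INADDR_ANY default of TCPSocket, the world-writable default of LocalSocket, and the warnings on disabled scan limits and ScanPartialMessages. The finding codes, the sample file, the 1024-based K/M multipliers, the last-occurrence-wins rule and treating 0 as "limit disabled" for MaxScanSize, MaxFileSize and MaxFiles are assumptions of this example.

```python
import re

# Defaults as listed in the DIRECTIVES section of this page.
DEFAULTS = {"MaxThreads": 10, "MaxQueue": 100, "MaxRecursion": 16}
SIZE_CAP = 4 * 1024**3  # NOTES: sizes are capped at "4GB"; exact byte value assumed
TRUE, FALSE = ("yes", "true", "1"), ("no", "false", "0")

# Constructed sample configuration (not taken from a real system).
SAMPLE = """\
# clamd.conf used by a mail gateway
LocalSocket /run/clamd.scan/clamd.sock
TCPSocket 3310
MaxThreads 50
MaxQueue 80
MaxRecursion 20
MaxScanSize 0
StreamMaxLength 25M
ScanPartialMessages yes
"""


def parse_size(arg):
    """SIZE: bytes, optional K/k or M/m modifier (1024-based: assumption)."""
    m = re.fullmatch(r"(\d+)([KkMm]?)", arg)
    if not m:
        raise ValueError(f"bad SIZE: {arg!r}")
    mult = {"": 1, "k": 1024, "m": 1024**2}[m.group(2).lower()]
    return min(int(m.group(1)) * mult, SIZE_CAP)  # excess is reset to the maximum


def parse_bool(arg):
    """BOOL: yes/no, true/false or 1/0, case sensitive as the page states."""
    if arg in TRUE:
        return True
    if arg in FALSE:
        return False
    raise ValueError(f"bad BOOL: {arg!r}")


def parse_conf(text):
    """Return {option: [argument, ...]}; lines starting with '#' are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return conf


def number(conf, name):
    # Assumption: when an option is repeated, the last occurrence wins.
    return int(conf[name][-1]) if name in conf else DEFAULTS[name]


def audit(conf, nofile):
    """Return (code, message) findings; nofile is the RLIMIT_NOFILE soft limit."""
    findings = []
    if "Example" in conf:
        findings.append(("EXAMPLE_SET", "Example is set: clamd will not run"))
    threads, queue, rec = (number(conf, k) for k in
                           ("MaxThreads", "MaxQueue", "MaxRecursion"))
    # MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 < RLIMIT_NOFILE
    need = threads * rec + queue - threads + 6
    if not need < nofile:
        findings.append(("FD_BUDGET",
                         f"formula gives {need}, RLIMIT_NOFILE is {nofile}"))
    if queue < 2 * threads:
        findings.append(("QUEUE_SMALL", "MaxQueue is below twice MaxThreads"))
    if "TCPSocket" in conf and "TCPAddr" not in conf:
        findings.append(("TCP_ANY", "TCPSocket without TCPAddr binds INADDR_ANY"))
    if "LocalSocket" in conf and "LocalSocketMode" not in conf:
        findings.append(("SOCKET_WORLD",
                         "LocalSocket is world readable and writable by default"))
    # Assumption: a value of 0 disables these limits.
    for name, conv in (("MaxScanSize", parse_size),
                       ("MaxFileSize", parse_size), ("MaxFiles", int)):
        if name in conf and conv(conf[name][-1]) == 0:
            findings.append((f"LIMIT_OFF:{name}", f"{name} limit is disabled"))
    if parse_bool(conf.get("ScanPartialMessages", ["no"])[-1]):
        findings.append(("PARTIAL_MSG",
                         "ScanPartialMessages may open the system to a DoS attack"))
    return findings


if __name__ == "__main__":
    import resource  # Unix only; reads the limit of the current process
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    for code, message in audit(parse_conf(SAMPLE), soft):
        print(f"{code}: {message}")
```

Pass the soft descriptor limit of the account that actually runs clamd, since the limit of an interactive shell can differ from the service's.
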

FILES

       /etc/clamd.d/scan.conf

AUTHORS

       Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>

SEE ALSO

       clamd(8), clamdscan(1), clamav-milter(8), freshclam(1),
       freshclam.conf(5)

ClamAV 0.101.5                 December 4, 2013                  clamd.conf(5)