clamd.conf(5)                   Clam AntiVirus                   clamd.conf(5)

NAME
       clamd.conf - Configuration file for Clam AntiVirus Daemon

DESCRIPTION
       clamd.conf configures the Clam AntiVirus daemon, clamd(8).

FILE FORMAT
       The file consists of comments and options with arguments. Each line
       which starts with a hash (#) symbol is ignored by the parser. Options
       and arguments are case sensitive and of the form Option Argument. The
       arguments are of the following types:

       BOOL   Boolean value (yes/no or true/false or 1/0).

       STRING String without blank characters.

       SIZE   Size in bytes. You can use 'M' or 'm' modifiers for megabytes
              and 'K' or 'k' for kilobytes. To specify the size in bytes just
              don't use modifiers.

       NUMBER Unsigned integer.

DIRECTIVES
       When some option is not used (commented out or not included in the
       configuration file at all) clamd takes a default action.

       Example
              If this option is set clamd will not run.

       LogFile STRING
              Save all reports to a log file.
              Default: disabled

       LogFileUnlock BOOL
              By default the log file is locked for writing and only a single
              daemon process can write to it. This option disables the lock.
              Default: no

       LogFileMaxSize SIZE
              Maximum size of the log file.
              Value of 0 disables the limit.
              Default: 1048576

       LogTime BOOL
              Log time for each message.
              Default: no

       LogClean BOOL
              Log all clean files.
              Useful in debugging but drastically increases the log size.
              Default: no

       LogSyslog BOOL
              Use the system logger (can work together with LogFile).
              Default: no

       LogFacility STRING
              Type of syslog messages.
              Please refer to 'man syslog' for facility names.
              Default: LOG_LOCAL6

       LogVerbose BOOL
              Enable verbose logging.
              Default: no

       LogRotate BOOL
              Rotate log file. Requires LogFileMaxSize option set prior to
              this option.
              Default: no

       ExtendedDetectionInfo BOOL
              Log additional information about the infected file, such as its
              size and hash, together with the virus name.
              Default: no

       PidFile STRING
              Save the process identifier of a listening daemon (main thread)
              to a specified file.
              Default: disabled

       TemporaryDirectory STRING
              This option allows you to change the default temporary
              directory.
              Default: system specific (usually /tmp or /var/tmp).

       DatabaseDirectory STRING
              This option allows you to change the default database directory.
              If you enable it, please make sure it points to the same
              directory in both clamd and freshclam.
              Default: defined at configuration (/usr/local/share/clamav)

       OfficialDatabaseOnly BOOL
              Only load the official signatures published by the ClamAV
              project.
              Default: no

       LocalSocket STRING
              Path to a local (Unix) socket the daemon will listen on.
              Default: disabled

       LocalSocketGroup STRING
              Sets the group ownership on the Unix socket.
              Default: the primary group of the user running clamd

       LocalSocketMode STRING
              Sets the permissions on the Unix socket to the specified mode.
              Default: socket is world readable and writable

       FixStaleSocket BOOL
              Remove stale socket after unclean shutdown.
              Default: yes

       TCPSocket NUMBER
              TCP port number the daemon will listen on.
              Default: disabled

       TCPAddr STRING
              By default clamd binds to INADDR_ANY.
              This option allows you to restrict the TCP address and provide
              some degree of protection from the outside world. This option
              can be specified multiple times in order to listen on multiple
              IPs. IPv6 is now supported.
              Default: disabled

       MaxConnectionQueueLength NUMBER
              Maximum length the queue of pending connections may grow to.
              Default: 200

       StreamMaxLength SIZE
              Close the STREAM session when the data size limit is exceeded.
              The value should match your MTA's limit for the maximum
              attachment size.
              Default: 25M

       StreamMinPort NUMBER
              The STREAM command uses an FTP-like protocol.
              This option sets the lower boundary for the port range.
              Default: 1024

       StreamMaxPort NUMBER
              This option sets the upper boundary for the port range.
              Default: 2048

       MaxThreads NUMBER
              Maximum number of threads running at the same time.
              Default: 10

       ReadTimeout NUMBER
              This option specifies the time (in seconds) after which clamd
              should time out if a client doesn't provide any data.
              Default: 120

       CommandReadTimeout NUMBER
              This option specifies the time (in seconds) after which clamd
              should time out if a client doesn't provide any initial command
              after connecting. The default is set to 30 to avoid timeouts
              with TCP sockets when processing large messages. If using a
              Unix socket, the value can be changed to 5. Note: the timeout
              for subsequent commands and/or data chunks is specified by
              ReadTimeout.
              Default: 30

       SendBufTimeout NUMBER
              This option specifies how long to wait (in milliseconds) if the
              send buffer is full. Keep this value low to prevent clamd
              hanging.
              Default: 500

       MaxQueue NUMBER
              Maximum number of queued items (including those being processed
              by MaxThreads threads). It is recommended to have this value at
              least twice MaxThreads if possible.
              WARNING: do not increase this too much, or clamd may run out of
              file descriptors. The following condition should hold:
              MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 <
              RLIMIT_NOFILE, where RLIMIT_NOFILE is the maximum number of
              open file descriptors (usually 1024), set by ulimit -n.
              Default: 100
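
       The FILE FORMAT rules (comment lines, Option Argument pairs, the
       BOOL/STRING/SIZE/NUMBER argument types, the 4GB cap on sizes stated
       in the notes at the end of this page) and the MaxQueue descriptor
       condition above, as an added Python example that is not part of this
       man page or of ClamAV. SCHEMA is a hypothetical subset of the
       directives, SAMPLE_CONF is a constructed fragment, and fd_headroom()
       falls back to the soft RLIMIT_NOFILE of the process running it.

```python
import re

SIZE_CAP = 4 * 1024 ** 3   # NOTES: sizes are limited to 4GB; values in excess reset to the max
_TRUE, _FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
# Argument types from the FILE FORMAT section, for a hypothetical subset of options.
SCHEMA = {
    "MaxThreads": "NUMBER", "MaxQueue": "NUMBER", "MaxRecursion": "NUMBER",
    "LogFileMaxSize": "SIZE", "MaxScanSize": "SIZE", "LogSyslog": "BOOL",
    "TCPSocket": "NUMBER", "TCPAddr": "STRING",
}

def parse_size(text):
    """SIZE: unsigned bytes with an optional M/m (megabytes) or K/k (kilobytes) modifier."""
    m = re.fullmatch(r"(\d+)([MmKk]?)", text)
    if not m:
        raise ValueError(f"bad SIZE {text!r}")
    mult = {"": 1, "k": 1024, "m": 1024 ** 2}[m.group(2).lower()]
    return min(int(m.group(1)) * mult, SIZE_CAP)

def parse_value(kind, text):
    """Convert one argument according to its declared type."""
    if kind == "BOOL":
        if text not in _TRUE | _FALSE:
            raise ValueError(f"bad BOOL {text!r}")
        return text in _TRUE
    if kind == "NUMBER":
        if not text.isdigit():
            raise ValueError(f"bad NUMBER {text!r}")
        return int(text)
    if kind == "SIZE":
        return parse_size(text)
    if len(text.split()) != 1:                 # STRING: no blank characters
        raise ValueError(f"bad STRING {text!r}")
    return text

def parse_clamd_conf(text):
    """Return {Option: [values]}; repeatable options such as TCPAddr keep every value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comment lines are ignored by the parser
            continue
        parts = line.split(None, 1)            # form: Option Argument
        if len(parts) != 2 or parts[0] not in SCHEMA:   # option names are case sensitive
            raise ValueError(f"cannot parse {raw!r}")
        option, arg = parts
        conf.setdefault(option, []).append(parse_value(SCHEMA[option], arg))
    return conf

def fd_headroom(conf, nofile=None):
    """MaxQueue rule: MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 < RLIMIT_NOFILE.
    Missing options take the man page defaults; nofile defaults to the soft
    RLIMIT_NOFILE of this process, which is what `ulimit -n` reports."""
    threads = conf.get("MaxThreads", [10])[-1]
    recursion = conf.get("MaxRecursion", [16])[-1]
    queue = conf.get("MaxQueue", [100])[-1]
    if nofile is None:
        import resource                        # POSIX only
        nofile = resource.getrlimit(resource.RLIMIT_NOFILE)[0]
    needed = threads * recursion + queue - threads + 6
    return {"needed": needed, "limit": nofile, "ok": needed < nofile,
            "queue_at_least_2x_threads": queue >= 2 * threads}

SAMPLE_CONF = """\
# constructed fragment, not a shipped clamd.conf
LogSyslog yes
LogFileMaxSize 5000M
TCPSocket 3310
TCPAddr 127.0.0.1
MaxThreads 20
MaxQueue 200
MaxRecursion 16
"""

if __name__ == "__main__":
    print(fd_headroom(parse_clamd_conf(SAMPLE_CONF), nofile=1024))   # needed 506 < 1024
```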

       IdleTimeout NUMBER
              This option specifies how long (in seconds) the process should
              wait for a new job.
              Default: 30

       ExcludePath REGEX
              Don't scan files and directories matching REGEX. This directive
              can be used multiple times.
              Default: disabled

       MaxDirectoryRecursion NUMBER
              Maximum depth directories are scanned at.
              Default: 15

       FollowDirectorySymlinks BOOL
              Follow directory symlinks.
              Default: no

       CrossFilesystems BOOL
              Scan files and directories on other filesystems.
              Default: yes

       FollowFileSymlinks BOOL
              Follow regular file symlinks.
              Default: no

       SelfCheck NUMBER
              This option specifies the interval (in seconds) at which clamd
              should perform a database check.
              Default: 600

       VirusEvent COMMAND
              Execute a command when a virus is found. In the command string
              %v will be replaced with the virus name. Additionally, two
              environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
              and $CLAM_VIRUSEVENT_VIRUSNAME.
              Default: disabled

       ExitOnOOM BOOL
              Stop daemon when libclamav reports an out of memory condition.
              Default: no

       AllowAllMatchScan BOOL
              Permit use of the ALLMATCHSCAN command.
              Default: yes

       Foreground BOOL
              Don't fork into background.
              Default: no

       Debug BOOL
              Enable debug messages from libclamav.
              Default: no

       LeaveTemporaryFiles BOOL
              Do not remove temporary files (for debugging purposes).
              Default: no

       User STRING
              Run the daemon as a specified user (the process must be started
              by root).
              Default: disabled

       Bytecode BOOL
              With this option enabled ClamAV will load bytecode from the
              database. It is highly recommended you keep this option turned
              on, otherwise you may miss detections for many new viruses.
              Default: yes

       BytecodeSecurity STRING
              Set bytecode security level.
              Possible values:
                TrustSigned - trust bytecode loaded from signed .c[lv]d
                              files and insert runtime safety checks for
                              bytecode loaded from other sources,
                Paranoid    - don't trust any bytecode, insert runtime checks
                              for all.
              Recommended: TrustSigned, because bytecode in .cvd files already
              has these checks.
              Default: TrustSigned

       BytecodeTimeout NUMBER
              Set bytecode timeout in milliseconds.
              Default: 5000

       BytecodeUnsigned BOOL
              Allow loading bytecode from outside digitally signed .c[lv]d
              files.
              Default: no

       BytecodeMode STRING
              Set bytecode execution mode.
              Possible values:
                Auto             - automatically choose JIT if possible,
                                   fall back to interpreter
                ForceJIT         - always choose JIT, fail if not possible
                ForceInterpreter - always choose interpreter
                Test             - run with both JIT and interpreter and
                                   compare results. Make all failures fatal.
              Default: Auto

       DetectPUA BOOL
              Detect Possibly Unwanted Applications.
              Default: no

       ExcludePUA CATEGORY
              Exclude a specific PUA category. This directive can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA categories.
              Default: disabled

       IncludePUA CATEGORY
              Only include a specific PUA category. This directive can be used
              multiple times. See
              https://www.clamav.net/documents/potentially-unwanted-applications-pua
              for the complete list of PUA categories.
              Default: disabled

       HeuristicAlerts BOOL
              In some cases (e.g. complex malware, exploits in graphic files,
              and others), ClamAV uses special algorithms to provide accurate
              detection. This option controls the algorithmic detection.
              Default: yes

       HeuristicScanPrecedence BOOL
              Allow heuristic match to take precedence. When enabled, if a
              heuristic scan (such as phishingScan) detects a possible
              virus/phishing it will stop scanning immediately. Recommended,
              saves CPU scan-time. When disabled, virus/phishing detected by
              heuristic scans will be reported only at the end of a scan. If
              an archive contains both a heuristically detected virus/phishing
              and a real malware, the real malware will be reported. Keep
              this disabled if you intend to handle "*.Heuristics.*" viruses
              differently from "real" malware. If a non-heuristically-detected
              virus (signature-based) is found first, the scan is interrupted
              immediately, regardless of this config option.
              Default: no

       ScanPE BOOL
              PE stands for Portable Executable - it's an executable file
              format used in all 32 and 64-bit versions of Windows operating
              systems. This option allows ClamAV to perform a deeper analysis
              of executable files and it's also required for decompression of
              popular executable packers such as UPX.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanELF BOOL
              Executable and Linking Format is a standard format for UN*X
              executables. This option allows you to control the scanning of
              ELF files.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanMail BOOL
              Enable scanning of mail files.
              If you turn off this option, the original files will still be
              scanned, but without parsing individual messages/attachments.
              Default: yes

       ScanPartialMessages BOOL
              Scan RFC1341 messages split over many emails. You will need to
              periodically clean up the $TemporaryDirectory/clamav-partial
              directory. WARNING: This option may open your system to a DoS
              attack. Never use it on loaded servers.
              Default: no

       PhishingSignatures BOOL
              Enable email signature-based phishing detection.
              Default: yes

       PhishingScanURLs BOOL
              Enable URL signature-based phishing detection
              (Phishing.Heuristics.Email.*).
              Default: yes

       StructuredDataDetection BOOL
              Enable the DLP module.
              Default: no

       StructuredMinCreditCardCount NUMBER
              This option sets the lowest number of credit card numbers found
              in a file to generate a detection.
              Default: 3

       StructuredMinSSNCount NUMBER
              This option sets the lowest number of Social Security Numbers
              found in a file to generate a detection.
              Default: 3

       StructuredSSNFormatNormal BOOL
              With this option enabled the DLP module will search for valid
              SSNs formatted as xxx-yy-zzzz.
              Default: yes

       StructuredSSNFormatStripped BOOL
              With this option enabled the DLP module will search for valid
              SSNs formatted as xxxyyzzzz.
              Default: no

       ScanHTML BOOL
              Perform HTML/JavaScript/ScriptEncoder normalisation and
              decryption.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanOLE2 BOOL
              This option enables scanning of OLE2 files, such as Microsoft
              Office documents and .msi files.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanPDF BOOL
              This option enables scanning within PDF files.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanSWF BOOL
              This option enables scanning within SWF files.
              If you turn off this option, the original files will still be
              scanned, but without decoding and additional processing.
              Default: yes

       ScanXMLDOCS BOOL
              This option enables scanning of XML-based document files
              supported by libclamav.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanHWP3 BOOL
              This option enables scanning of HWP3 files.
              If you turn off this option, the original files will still be
              scanned, but without additional processing.
              Default: yes

       ScanArchive BOOL
              Scan within archives and compressed files.
              If you turn off this option, the original files will still be
              scanned, but without unpacking and additional processing.
              Default: yes

       AlertBrokenExecutables BOOL
              Alert on broken executable files (PE & ELF).
              Default: no

       AlertEncrypted BOOL
              Alert on encrypted archives and documents (encrypted .zip,
              .7zip, .rar, .pdf).
              Default: no

       AlertEncryptedArchive BOOL
              Alert on encrypted archives (encrypted .zip, .7zip, .rar).
              Default: no

       AlertEncryptedDoc BOOL
              Alert on encrypted documents (encrypted .pdf).
              Default: no

       AlertOLE2Macros BOOL
              Alert on OLE2 files containing VBA macros
              (Heuristics.OLE2.ContainsMacros).
              Default: no

       AlertExceedsMax BOOL
              Alert on files that exceed max file size, max scan size, or max
              recursion limit (Heuristics.Limits.Exceeded).
              Default: no

       AlertPhishingSSLMismatch BOOL
              Alert on emails containing SSL mismatches in URLs (might lead to
              false positives!).
              Default: no

       AlertPhishingCloak BOOL
              Alert on emails containing cloaked URLs (might lead to some
              false positives).
              Default: no

       AlertPartitionIntersection BOOL
              Alert on raw DMG image files containing partition intersections.
              Default: no

       ForceToDisk BOOL
              This option causes memory or nested map scans to dump the
              content to disk.
              If you turn on this option, more data is written to disk and is
              available when the leave-temps option (LeaveTemporaryFiles) is
              enabled, at the cost of more disk writes.
              Default: no

       MaxScanSize SIZE
              Sets the maximum amount of data to be scanned for each input
              file. Archives and other containers are recursively extracted
              and scanned up to this value. The size of an archive plus the
              sum of the sizes of all files within the archive count toward
              the scan size. For example, a 1M uncompressed archive containing
              a single 1M inner file counts as 2M toward the max scan size.
              Warning: disabling this limit or setting it too high may result
              in severe damage to the system.
              Default: 100M

       MaxFileSize SIZE
              Files larger than this limit won't be scanned. Affects the input
              file itself as well as files contained inside it (when the input
              file is an archive, a document or some other kind of container).
              Warning: disabling this limit or setting it too high may result
              in severe damage to the system.
              Default: 25M

       MaxRecursion NUMBER
              Nested archives are scanned recursively, e.g. if a Zip archive
              contains a RAR file, all files within it will also be scanned.
              This option specifies how deeply the process should be
              continued. Warning: setting this limit too high may result in
              severe damage to the system.
              Default: 16

       MaxFiles NUMBER
              Number of files to be scanned within an archive, a document, or
              any other kind of container. Warning: disabling this limit or
              setting it too high may result in severe damage to the system.
              Default: 10000
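
       The accounting rules that MaxScanSize, MaxFileSize, MaxRecursion and
       MaxFiles describe, and the three cases AlertExceedsMax names, as a
       small Python model added here; it is not libclamav's implementation.
       Node, Limits, the depth convention and the file-counting convention
       are this example's assumptions, and the trees are constructed.

```python
from dataclasses import dataclass, field

M = 1024 ** 2   # the man page's 'M' modifier

@dataclass
class Node:
    """A scanned object: a plain file, or a container whose children are the files inside."""
    name: str
    size: int
    children: list = field(default_factory=list)

@dataclass
class Limits:
    """Man page defaults for the four container limits."""
    max_scan_size: int = 100 * M
    max_file_size: int = 25 * M
    max_recursion: int = 16
    max_files: int = 10000

def scan(root, limits=Limits()):
    """Walk a container tree applying the limits as clamd.conf(5) describes them.

    Model conventions (assumptions, not libclamav's code): the input file is
    depth 0 and each container unpacked adds one level; MaxFiles counts every
    file found inside the input across all levels; MaxScanSize and MaxFiles
    stop the scan, MaxFileSize skips one object, MaxRecursion stops unpacking.
    """
    state = {"scanned": 0, "files": 0, "skipped": [], "exceeded": set()}

    def walk(node, depth):
        if state["exceeded"] & {"MaxScanSize", "MaxFiles"}:
            return                                     # scan already stopped
        if node.size > limits.max_file_size:
            state["skipped"].append(node.name)         # MaxFileSize: not scanned at all
            return
        state["scanned"] += node.size                  # container and inner files all count
        if state["scanned"] > limits.max_scan_size:
            state["exceeded"].add("MaxScanSize")
            return
        if not node.children:
            return
        if depth + 1 > limits.max_recursion:
            state["exceeded"].add("MaxRecursion")      # too deep: do not unpack further
            return
        for child in node.children:
            state["files"] += 1
            if state["files"] > limits.max_files:
                state["exceeded"].add("MaxFiles")
                return
            walk(child, depth + 1)

    walk(root, 0)
    return state

def alert_exceeds_max(state):
    """Heuristics.Limits.Exceeded when max file size, max scan size or max
    recursion was hit (the three cases AlertExceedsMax names), else None."""
    hit = state["skipped"] or state["exceeded"] & {"MaxScanSize", "MaxRecursion"}
    return "Heuristics.Limits.Exceeded" if hit else None

# Constructed trees, not real samples.
ONE_INNER = Node("outer.zip", 1 * M, [Node("inner.bin", 1 * M)])             # counts as 2M
NESTED = Node("a.zip", 1 * M, [Node("b.rar", 1 * M, [Node("c.exe", 1 * M)])])
HUGE_INNER = Node("big.zip", 1 * M, [Node("huge.iso", 30 * M)])               # inner > 25M

if __name__ == "__main__":
    for tree in (ONE_INNER, NESTED, HUGE_INNER):
        s = scan(tree)
        print(tree.name, s["scanned"] // M, "M", s["skipped"], sorted(s["exceeded"]))
```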

       MaxEmbeddedPE SIZE
              This option sets the maximum size of a file to check for
              embedded PE.
              Files larger than this value will skip the additional analysis
              step.
              Negative values are not allowed.
              Default: 10M

       MaxHTMLNormalize SIZE
              This option sets the maximum size of an HTML file to normalize.
              HTML files larger than this value will not be normalized or
              scanned.
              Negative values are not allowed.
              Default: 10M

       MaxHTMLNoTags SIZE
              This option sets the maximum size of a normalized HTML file to
              scan.
              HTML files larger than this value after normalization will not
              be scanned.
              Negative values are not allowed.
              Default: 2M

       MaxScriptNormalize SIZE
              This option sets the maximum size of a script file to normalize.
              Script content larger than this value will not be normalized or
              scanned.
              Negative values are not allowed.
              Default: 5M

       MaxZipTypeRcg SIZE
              This option sets the maximum size of a ZIP file to reanalyze for
              type recognition.
              ZIP files larger than this value will skip the step to
              potentially reanalyze as PE.
              Negative values are not allowed.
              WARNING: setting this limit too high may result in severe damage
              or impact performance.
              Default: 1M

       MaxPartitions SIZE
              This option sets the maximum number of partitions of a raw disk
              image to be scanned.
              Raw disk images with more partitions than this value will have
              only up to that many partitions scanned.
              Negative values are not allowed.
              WARNING: setting this limit too high may result in severe damage
              or impact performance.
              Default: 50

       MaxIconsPE SIZE
              This option sets the maximum number of icons within a PE to be
              scanned.
              PE files with more icons than this value will have only up to
              that many icons scanned.
              Negative values are not allowed.
              WARNING: setting this limit too high may result in severe damage
              or impact performance.
              Default: 100

       MaxRecHWP3 NUMBER
              This option sets the maximum number of recursive calls to the
              HWP3 parsing function.
              HWP3 files using more than this limit will be terminated and
              alert the user.
              Scans will be unable to scan any HWP3 attachments if the
              recursive limit is reached.
              Negative values are not allowed.
              WARNING: setting this limit too high may result in severe damage
              or impact performance.
              Default: 16

       PCREMatchLimit NUMBER
              This option sets the maximum number of calls to the PCRE match
              function during an instance of regex matching.
              Instances using more than this limit will be terminated and
              alert the user, but the scan will continue.
              For more information on match_limit, see the PCRE documentation.
              Negative values are not allowed.
              WARNING: setting this limit too high may severely impact
              performance.
              Default: 10000

       PCRERecMatchLimit NUMBER
              This option sets the maximum number of recursive calls to the
              PCRE match function during an instance of regex matching.
              Instances using more than this limit will be terminated and
              alert the user, but the scan will continue.
              For more information on match_limit_recursion, see the PCRE
              documentation.
              Negative values are not allowed and values > PCREMatchLimit are
              superfluous.
              WARNING: setting this limit too high may severely impact
              performance.
              Default: 2000

       PCREMaxFileSize SIZE
              This option sets the maximum file size for which PCRE subsigs
              will be executed.
              Files exceeding this limit will not have PCRE subsigs executed
              unless a subsig is scoped to a smaller buffer.
              Negative values are not allowed.
              Setting this value to zero disables the limit.
              WARNING: setting this limit too high or disabling it may
              severely impact performance.
              Default: 25M

       OnAccessIncludePath STRING
              This option specifies a directory (including all files and
              directories inside it), which should be scanned on access. This
              option can be used multiple times.
              Default: disabled

       OnAccessExcludePath STRING
              This option allows excluding directories from on-access
              scanning. It can be used multiple times.
              Default: disabled

       OnAccessExcludeRootUID BOOL
              With this option you can whitelist the root UID (0). Processes
              run under root will be able to access all files without
              triggering scans or permission denied events.
              Note that if clamd cannot check the UID of the process that
              generated an on-access scan event (e.g., because
              OnAccessPrevention was not enabled, and the process already
              exited), clamd will perform a scan. Thus, setting
              OnAccessExcludeRootUID is not guaranteed to prevent every access
              by the root user from triggering a scan (unless
              OnAccessPrevention is enabled).
              Default: no

       OnAccessExcludeUID NUMBER
              With this option you can whitelist specific UIDs. Processes with
              these UIDs will be able to access all files without triggering
              scans or permission denied events.
              This option can be used multiple times (one per line).
              Note: using a value of 0 on any line will disable this option
              entirely. To whitelist the root UID (0) please enable the
              OnAccessExcludeRootUID option.
              Also note that if clamd cannot check the UID of the process that
              generated an on-access scan event (e.g., because
              OnAccessPrevention was not enabled, and the process already
              exited), clamd will perform a scan. Thus, setting
              OnAccessExcludeUID is not guaranteed to prevent every access by
              the specified UID from triggering a scan (unless
              OnAccessPrevention is enabled).
              Default: disabled

       OnAccessExcludeUname STRING
              This option allows exclusions via user names when using the
              on-access scanning client. It can be used multiple times, and
              has the same potential race condition limitations as the
              OnAccessExcludeUID option.
              Default: disabled

       OnAccessMaxFileSize SIZE
              Files larger than this value will not be scanned on access.
              Default: 5M

       OnAccessMaxThreads NUMBER
              Max number of scanning threads to allocate to the OnAccess
              thread pool at startup. These threads are the ones responsible
              for creating a connection with the daemon and kicking off
              scanning after an event has been processed. To prevent clamonacc
              from consuming all clamd's resources keep this lower than
              clamd's MaxThreads.
              Default: 5

       OnAccessCurlTimeout NUMBER
              Max amount of time (in milliseconds) that the OnAccess client
              should spend for every connect, send, and receive attempt when
              communicating with clamd via curl.
              Default: 5000 (5 seconds)

       OnAccessMountPath STRING
              Specifies a mount point (including all files and directories
              under it), which should be scanned on access. This option can be
              used multiple times.
              Default: disabled

       OnAccessDisableDDD BOOL
              Disables the dynamic directory determination system which allows
              for recursively watching include paths.
              Default: no

       OnAccessPrevention BOOL
              Enables fanotify blocking when malicious files are found.
              Default: disabled

       OnAccessRetryAttempts NUMBER
              Number of times the OnAccess client will retry a failed scan due
              to connection problems (or other issues).
              Default: 0

       OnAccessDenyOnError BOOL
              When using prevention, if this option is turned on, any errors
              that occur during scanning will result in the event attempt
              being denied. This could potentially lead to unwanted system
              behaviour with certain configurations, so the client defaults
              this to off and prefers allowing access events in case of scan
              or connection error.
              Default: no

       OnAccessExtraScanning BOOL
              Toggles extra scanning and notifications when a file or
              directory is created or moved.
              Requires the DDD system to kick off extra scans.
              Default: no

       DisableCertCheck BOOL
              Disable Authenticode certificate chain verification in PE files.
              Default: no

NOTES
       All options expressing a size are limited to max 4GB. Values in excess
       will be reset to the maximum.

FILES
       /etc/clamd.d/scan.conf

AUTHORS
       Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>

SEE ALSO
       clamd(8), clamdscan(1), clamav-milter(8), freshclam(1), freshclam.conf(5)



ClamAV 0.102.2                 December 4, 2013                  clamd.conf(5)