Subversion Repositories configs

##

## Example config file for the Clam AV daemon

## Please read the clamd.conf(5) manual before editing this file.

##

# Comment or remove the line below.

Example

# Uncomment this option to enable logging.

# LogFile must be writable for the user running daemon.

# A full path is required.

# Default: disabled

#LogFile /tmp/clamd.log

# By default the log file is locked for writing - the lock protects against

# running clamd multiple times (if want to run another clamd, please

# copy the configuration file, change the LogFile variable, and run

# the daemon with --config-file option).

# This option disables log file locking.

# Default: no

#LogFileUnlock yes

# Maximum size of the log file.

# Value of 0 disables the limit.

# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)

# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size

# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log

# rotation (the LogRotate option) will always be enabled.

# Default: 1M

#LogFileMaxSize 2M

# Log time with each message.

# Default: no

#LogTime yes

# Also log clean files. Useful in debugging but drastically increases the

# log size.

# Default: no

#LogClean yes

# Use system logger (can work together with LogFile).

# Default: no

#LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'

# for facility names.

# Default: LOG_LOCAL6

#LogFacility LOG_MAIL

# Enable verbose logging.

# Default: no

#LogVerbose yes

# Enable log rotation. Always enabled when LogFileMaxSize is enabled.

# Default: no

#LogRotate yes

# Enable Prelude output.

# Default: no

#PreludeEnable yes

#

# Set the name of the analyzer used by prelude-admin.

# Default: ClamAV

#PreludeAnalyzerName ClamAV

# Log additional information about the infected file, such as its

# size and hash, together with the virus name.

#ExtendedDetectionInfo yes

# This option allows you to save a process identifier of the listening

# daemon (main thread).

# This file will be owned by root, as long as clamd was started by root.

# It is recommended that the directory where this file is stored is

# also owned by root to keep other users from tampering with it.

# Default: disabled

#PidFile /var/run/clamd.pid

# Optional path to the global temporary directory.

# Default: system specific (usually /tmp or /var/tmp).

#TemporaryDirectory /var/tmp

# Path to the database directory.

# Default: hardcoded (depends on installation options)

#DatabaseDirectory /var/lib/clamav

# Only load the official signatures published by the ClamAV project.

# Default: no

#OfficialDatabaseOnly no

# The daemon can work in local mode, network mode or both.

# Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on.

# Default: disabled (must be specified by a user)

#LocalSocket /tmp/clamd.socket

# Sets the group ownership on the unix socket.

# Default: disabled (the primary group of the user running clamd)

#LocalSocketGroup virusgroup

# Sets the permissions on the unix socket to the specified mode.

# Default: disabled (socket is world accessible)

#LocalSocketMode 660

# Remove stale socket after unclean shutdown.

# Default: yes

#FixStaleSocket yes

# TCP port address.

# Default: no

#TCPSocket 3310

# TCP address.

# By default we bind to INADDR_ANY, probably not wise.

# Enable the following to provide some degree of protection

# from the outside world. This option can be specified multiple

# times if you want to listen on multiple IPs. IPv6 is now supported.

# Default: no

#TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.

# Default: 200

#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.

# If you are using clamav-milter to balance load between remote clamd daemons

# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.

# The value should match your MTA's limit for a maximum attachment size.

# Default: 25M

#StreamMaxLength 10M

# Limit port range.

# Default: 1024

#StreamMinPort 30000

# Default: 2048

#StreamMaxPort 32000

# Maximum number of threads running at the same time.

# Default: 10

#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).

# Default: 120

#ReadTimeout 300

# This option specifies the time (in seconds) after which clamd should

# timeout if a client doesn't provide any initial command after connecting.

# Default: 30

#CommandReadTimeout 30

# This option specifies how long to wait (in milliseconds) if the send buffer

# is full.

# Keep this value low to prevent clamd hanging.

#

# Default: 500

#SendBufTimeout 200

# Maximum number of queued items (including those being processed by

# MaxThreads threads).

# It is recommended to have this value at least twice MaxThreads if possible.

# WARNING: you shouldn't increase this too much to avoid running out  of file

# descriptors, the following condition should hold:

# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual

# max is 1024).

#

# Default: 100

#MaxQueue 200

# Waiting for a new job will timeout after this time (seconds).

# Default: 30

#IdleTimeout 60

# Don't scan files and directories matching regex

# This directive can be used multiple times

# Default: scan all

#ExcludePath ^/proc/

#ExcludePath ^/sys/

# Maximum depth directories are scanned at.

# Default: 15

#MaxDirectoryRecursion 20

# Follow directory symlinks.

# Default: no

#FollowDirectorySymlinks yes

# Follow regular file symlinks.

# Default: no

#FollowFileSymlinks yes

# Scan files and directories on other filesystems.

# Default: yes

#CrossFilesystems yes

# Perform a database check.

# Default: 600 (10 min)

#SelfCheck 600

# Enable non-blocking (multi-threaded/concurrent) database reloads.

# This feature will temporarily load a second scanning engine while scanning

# continues using the first engine. Once loaded, the new engine takes over.

# The old engine is removed as soon as all scans using the old engine have

# completed.

# This feature requires more RAM, so this option is provided in case users are

# willing to block scans during reload in exchange for lower RAM requirements.

# Default: yes

#ConcurrentDatabaseReload no

# Execute a command when virus is found. In the command string %v will

# be replaced with the virus name.

# Default: no

#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)

# Default: don't drop privileges

#User clamav

# Stop daemon when libclamav reports out of memory condition.

#ExitOnOOM yes

# Don't fork into background.

# Default: no

#Foreground yes

# Enable debug messages in libclamav.

# Default: no

#Debug yes

# Do not remove temporary files (for debug purposes).

# Default: no

#LeaveTemporaryFiles yes

# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject

# any ALLMATCHSCAN command as invalid.

# Default: yes

#AllowAllMatchScan no

# Detect Possibly Unwanted Applications.

# Default: no

#DetectPUA yes

# Exclude a specific PUA category. This directive can be used multiple times.

# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for

# the complete list of PUA categories.

# Default: Load all categories (if DetectPUA is activated)

#ExcludePUA NetTool

#ExcludePUA PWTool

# Only include a specific PUA category. This directive can be used multiple

# times.

# Default: Load all categories (if DetectPUA is activated)

#IncludePUA Spy

#IncludePUA Scanner

#IncludePUA RAT

# This option causes memory or nested map scans to dump the content to disk.

# If you turn on this option, more data is written to disk and is available

# when the LeaveTemporaryFiles option is enabled.

#ForceToDisk yes

# This option allows you to disable the caching feature of the engine. By

# default, the engine will store an MD5 in a cache of any files that are

# not flagged as virus or that hit limits checks. Disabling the cache will

# have a negative performance impact on large scans.

# Default: no

#DisableCache yes

# In some cases (eg. complex malware, exploits in graphic files, and others),

# ClamAV uses special algorithms to detect abnormal patterns and behaviors that

# may be malicious.  This option enables alerting on such heuristically

# detected potential threats.

# Default: yes

#HeuristicAlerts yes

# Allow heuristic alerts to take precedence.

# When enabled, if a heuristic scan (such as phishingScan) detects

# a possible virus/phish it will stop scan immediately. Recommended, saves CPU

# scan-time.

# When disabled, virus/phish detected by heuristic scans will be reported only

# at the end of a scan. If an archive contains both a heuristically detected

# virus/phish, and a real malware, the real malware will be reported

#

# Keep this disabled if you intend to handle "*.Heuristics.*" viruses

# differently from "real" malware.

# If a non-heuristically-detected virus (signature-based) is found first,

# the scan is interrupted immediately, regardless of this config option.

#

# Default: no

#HeuristicScanPrecedence yes

##

## Heuristic Alerts

##

# With this option clamav will try to detect broken executables (both PE and

# ELF) and alert on them with the Broken.Executable heuristic signature.

# Default: no

#AlertBrokenExecutables yes

# Alert on encrypted archives _and_ documents with heuristic signature

# (encrypted .zip, .7zip, .rar, .pdf).

# Default: no

#AlertEncrypted yes

# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,

# .rar).

# Default: no

#AlertEncryptedArchive yes

# Alert on encrypted archives with heuristic signature (encrypted .pdf).

# Default: no

#AlertEncryptedDoc yes

# With this option enabled OLE2 files containing VBA macros, which were not

# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".

# Default: no

#AlertOLE2Macros yes

# Alert on SSL mismatches in URLs, even if the URL isn't in the database.

# This can lead to false positives.

# Default: no

#AlertPhishingSSLMismatch yes

# Alert on cloaked URLs, even if URL isn't in database.

# This can lead to false positives.

# Default: no

#AlertPhishingCloak yes

# Alert on raw DMG image files containing partition intersections

# Default: no

#AlertPartitionIntersection yes

##

## Executable files

##

# PE stands for Portable Executable - it's an executable file format used

# in all 32 and 64-bit versions of Windows operating systems. This option

# allows ClamAV to perform a deeper analysis of executable files and it's also

# required for decompression of popular executable packers such as UPX, FSG,

# and Petite. If you turn off this option, the original files will still be

# scanned, but without additional processing.

# Default: yes

#ScanPE yes

# Certain PE files contain an authenticode signature. By default, we check

# the signature chain in the PE file against a database of trusted and

# revoked certificates if the file being scanned is marked as a virus.

# If any certificate in the chain validates against any trusted root, but

# does not match any revoked certificate, the file is marked as whitelisted.

# If the file does match a revoked certificate, the file is marked as virus.

# The following setting completely turns off authenticode verification.

# Default: no

#DisableCertCheck yes

# Executable and Linking Format is a standard format for UN*X executables.

# This option allows you to control the scanning of ELF files.

# If you turn off this option, the original files will still be scanned, but

# without additional processing.

# Default: yes

#ScanELF yes

##

## Documents

##

# This option enables scanning of OLE2 files, such as Microsoft Office

# documents and .msi files.

# If you turn off this option, the original files will still be scanned, but

# without additional processing.

# Default: yes

#ScanOLE2 yes

# This option enables scanning within PDF files.

# If you turn off this option, the original files will still be scanned, but

# without decoding and additional processing.

# Default: yes

#ScanPDF yes

# This option enables scanning within SWF files.

# If you turn off this option, the original files will still be scanned, but

# without decoding and additional processing.

# Default: yes

#ScanSWF yes

# This option enables scanning xml-based document files supported by libclamav.

# If you turn off this option, the original files will still be scanned, but

# without additional processing.

# Default: yes

#ScanXMLDOCS yes

# This option enables scanning of HWP3 files.

# If you turn off this option, the original files will still be scanned, but

# without additional processing.

# Default: yes

#ScanHWP3 yes

##

## Mail files

##

# Enable internal e-mail scanner.

# If you turn off this option, the original files will still be scanned, but

# without parsing individual messages/attachments.

# Default: yes

#ScanMail yes

# Scan RFC1341 messages split over many emails.

# You will need to periodically clean up $TemporaryDirectory/clamav-partial

# directory.

# WARNING: This option may open your system to a DoS attack.

#	   Never use it on loaded servers.

# Default: no

#ScanPartialMessages yes

# With this option enabled ClamAV will try to detect phishing attempts by using

# HTML.Phishing and Email.Phishing NDB signatures.

# Default: yes

#PhishingSignatures no

# With this option enabled ClamAV will try to detect phishing attempts by

# analyzing URLs found in emails using WDB and PDB signature databases.

# Default: yes

#PhishingScanURLs no

##

## Data Loss Prevention (DLP)

##

# Enable the DLP module

# Default: No

#StructuredDataDetection yes

# This option sets the lowest number of Credit Card numbers found in a file

# to generate a detect.

# Default: 3

#StructuredMinCreditCardCount 5

# With this option enabled the DLP module will search for valid Credit Card

# numbers only. Debit and Private Label cards will not be searched.

# Default: no

#StructuredCCOnly yes

# This option sets the lowest number of Social Security Numbers found

# in a file to generate a detect.

# Default: 3

#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid

# SSNs formatted as xxx-yy-zzzz

# Default: yes

#StructuredSSNFormatNormal yes

# With this option enabled the DLP module will search for valid

# SSNs formatted as xxxyyzzzz

# Default: no

#StructuredSSNFormatStripped yes

##

## HTML

##

# Perform HTML normalisation and decryption of MS Script Encoder code.

# Default: yes

# If you turn off this option, the original files will still be scanned, but

# without additional processing.

#ScanHTML yes

##

## Archives

##

# ClamAV can scan within archives and compressed files.

# If you turn off this option, the original files will still be scanned, but

# without unpacking and additional processing.

# Default: yes

#ScanArchive yes

##

## Limits

##

# The options below protect your system against Denial of Service attacks

# using archive bombs.

# This option sets the maximum amount of time to a scan may take.

# In this version, this field only affects the scan time of ZIP archives.

# Value of 0 disables the limit.

# Note: disabling this limit or setting it too high may result allow scanning

# of certain files to lock up the scanning process/threads resulting in a

# Denial of Service.

# Time is in milliseconds.

# Default: 120000

#MaxScanTime 300000

# This option sets the maximum amount of data to be scanned for each input

# file. Archives and other containers are recursively extracted and scanned

# up to this value.

# Value of 0 disables the limit

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Default: 100M

#MaxScanSize 150M

# Files larger than this limit won't be scanned. Affects the input file itself

# as well as files contained inside it (when the input file is an archive, a

# document or some other kind of container).

# Value of 0 disables the limit.

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Default: 25M

#MaxFileSize 30M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR

# file, all files within it will also be scanned. This options specifies how

# deeply the process should be continued.

# Note: setting this limit too high may result in severe damage to the system.

# Default: 16

#MaxRecursion 10

# Number of files to be scanned within an archive, a document, or any other

# container file.

# Value of 0 disables the limit.

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Default: 10000

#MaxFiles 15000

# Maximum size of a file to check for embedded PE. Files larger than this value

# will skip the additional analysis step.

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Default: 10M

#MaxEmbeddedPE 10M

# Maximum size of a HTML file to normalize. HTML files larger than this value

# will not be normalized or scanned.

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Default: 10M

#MaxHTMLNormalize 10M

# Maximum size of a normalized HTML file to scan. HTML files larger than this

# value after normalization will not be scanned.

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Default: 2M

#MaxHTMLNoTags 2M

# Maximum size of a script file to normalize. Script content larger than this

# value will not be normalized or scanned.

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Default: 5M

#MaxScriptNormalize 5M

# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger

# than this value will skip the step to potentially reanalyze as PE.

# Note: disabling this limit or setting it too high may result in severe damage

# to the system.

# Default: 1M

#MaxZipTypeRcg 1M

# This option sets the maximum number of partitions of a raw disk image to be

# scanned.

# Raw disk images with more partitions than this value will have up to

# the value number partitions scanned. Negative values are not allowed.

# Note: setting this limit too high may result in severe damage or impact

# performance.

# Default: 50

#MaxPartitions 128

# This option sets the maximum number of icons within a PE to be scanned.

# PE files with more icons than this value will have up to the value number

# icons scanned.

# Negative values are not allowed.

# WARNING: setting this limit too high may result in severe damage or impact

# performance.

# Default: 100

#MaxIconsPE 200

# This option sets the maximum recursive calls for HWP3 parsing during

# scanning. HWP3 files using more than this limit will be terminated and

# alert the user.

# Scans will be unable to scan any HWP3 attachments if the recursive limit

# is reached.

# Negative values are not allowed.

# WARNING: setting this limit too high may result in severe damage or impact

# performance.

# Default: 16

#MaxRecHWP3 16

# This option sets the maximum calls to the PCRE match function during

# an instance of regex matching.

# Instances using more than this limit will be terminated and alert the user

# but the scan will continue.

# For more information on match_limit, see the PCRE documentation.

# Negative values are not allowed.

# WARNING: setting this limit too high may severely impact performance.

# Default: 100000

#PCREMatchLimit 20000

# This option sets the maximum recursive calls to the PCRE match function

# during an instance of regex matching.

# Instances using more than this limit will be terminated and alert the user

# but the scan will continue.

# For more information on match_limit_recursion, see the PCRE documentation.

# Negative values are not allowed and values > PCREMatchLimit are superfluous.

# WARNING: setting this limit too high may severely impact performance.

# Default: 2000

#PCRERecMatchLimit 10000

# This option sets the maximum filesize for which PCRE subsigs will be

# executed. Files exceeding this limit will not have PCRE subsigs executed

# unless a subsig is encompassed to a smaller buffer.

# Negative values are not allowed.

# Setting this value to zero disables the limit.

# WARNING: setting this limit too high or disabling it may severely impact

# performance.

# Default: 25M

#PCREMaxFileSize 100M

# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or

# MaxRecursion limit will be flagged with the virus

# "Heuristics.Limits.Exceeded".

# Default: no

#AlertExceedsMax yes

##

## On-access Scan Settings

##

# Don't scan files larger than OnAccessMaxFileSize

# Value of 0 disables the limit.

# Default: 5M

#OnAccessMaxFileSize 10M

# Max number of scanning threads to allocate to the OnAccess thread pool at

# startup. These threads are the ones responsible for creating a connection

# with the daemon and kicking off scanning after an event has been processed.

# To prevent clamonacc from consuming all clamd's resources keep this lower

# than clamd's max threads.

# Default: 5

#OnAccessMaxThreads 10

# Max amount of time (in milliseconds) that the OnAccess client should spend

# for every connect, send, and recieve attempt when communicating with clamd

# via curl.

# Default: 5000 (5 seconds)

# OnAccessCurlTimeout 10000

# Toggles dynamic directory determination. Allows for recursively watching

# include paths.

# Default: no

#OnAccessDisableDDD yes

# Set the include paths (all files inside them will be scanned). You can have

# multiple OnAccessIncludePath directives but each directory must be added

# in a separate line.

# Default: disabled

#OnAccessIncludePath /home

#OnAccessIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.

# Default: disabled

#OnAccessExcludePath /home/user

# Modifies fanotify blocking behaviour when handling permission events.

# If off, fanotify will only notify if the file scanned is a virus,

# and not perform any blocking.

# Default: no

#OnAccessPrevention yes

# When using prevention, if this option is turned on, any errors that occur

# during scanning will result in the event attempt being denied. This could

# potentially lead to unwanted system behaviour with certain configurations,

# so the client defaults this to off and prefers allowing access events in

# case of scan or connection error.

# Default: no

#OnAccessDenyOnError yes

# Toggles extra scanning and notifications when a file or directory is

# created or moved.

# Requires the  DDD system to kick-off extra scans.

# Default: no

#OnAccessExtraScanning yes

# Set the  mount point to be scanned. The mount point specified, or the mount

# point containing the specified directory will be watched. If any directories

# are specified, this option will preempt (disable and ignore all options

# related to) the DDD system. This option will result in verdicts only.

# Note that prevention is explicitly disallowed to prevent common, fatal

# misconfigurations. (e.g. watching "/" with prevention on and no exclusions

# made on vital system directories)

# It can be used multiple times.

# Default: disabled

#OnAccessMountPath /

#OnAccessMountPath /home/user

# With this option you can whitelist the root UID (0). Processes run under

# root with be able to access all files without triggering scans or

# permission denied events.

# Note that if clamd cannot check the uid of the process that generated an

# on-access scan event (e.g., because OnAccessPrevention was not enabled, and

# the process already exited), clamd will perform a scan.  Thus, setting

# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the

# root user from triggering a scan (unless OnAccessPrevention is enabled).

# Default: no

#OnAccessExcludeRootUID no

# With this option you can whitelist specific UIDs. Processes with these UIDs

# will be able to access all files without triggering scans or permission

# denied events.

# This option can be used multiple times (one per line).

# Using a value of 0 on any line will disable this option entirely.

# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID

# option.

# Also note that if clamd cannot check the uid of the process that generated an

# on-access scan event (e.g., because OnAccessPrevention was not enabled, and

# the process already exited), clamd will perform a scan.  Thus, setting

# OnAccessExcludeUID is not *guaranteed* to prevent every access by the

# specified uid from triggering a scan (unless OnAccessPrevention is enabled).

# Default: disabled

#OnAccessExcludeUID -1

# This option allows exclusions via user names when using the on-access

# scanning client. It can be used multiple times.

# It has the same potential race condition limitations of the

# OnAccessExcludeUID option.

# Default: disabled

#OnAccessExcludeUname clamav

# Number of times the OnAccess client will retry a failed scan due to

# connection problems (or other issues).

# Default: 0

#OnAccessRetryAttempts 3

##

## Bytecode

##

# With this option enabled ClamAV will load bytecode from the database.

# It is highly recommended you keep this option on, otherwise you'll miss

# detections for many new viruses.

# Default: yes

#Bytecode yes

# Set bytecode security level.

# Possible values:

#   None -      No security at all, meant for debugging.

#               DO NOT USE THIS ON PRODUCTION SYSTEMS.

#               This value is only available if clamav was built

#               with --enable-debug!

#   TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert

#               runtime safety checks for bytecode loaded from other sources.

#   Paranoid -  Don't trust any bytecode, insert runtime checks for all.

# Recommended: TrustSigned, because bytecode in .cvd files already has these

# checks.

# Note that by default only signed bytecode is loaded, currently you can only

# load unsigned bytecode in --enable-debug mode.

#

# Default: TrustSigned

#BytecodeSecurity TrustSigned

# Allow loading bytecode from outside digitally signed .c[lv]d files.

# **Caution**: You should NEVER run bytecode signatures from untrusted sources.

# Doing so may result in arbitrary code execution.

# Default: no

#BytecodeUnsigned yes

# Set bytecode timeout in milliseconds.

#

# Default: 5000

# BytecodeTimeout 1000