Blame | Last modification | View Log | RSS feed
#### Example config file for the Clam AV daemon## Please read the clamd.conf(5) manual before editing this file.### Comment or remove the line below.Example# Uncomment this option to enable logging.# LogFile must be writable for the user running daemon.# A full path is required.# Default: disabled#LogFile /tmp/clamd.log# By default the log file is locked for writing - the lock protects against# running clamd multiple times (if want to run another clamd, please# copy the configuration file, change the LogFile variable, and run# the daemon with --config-file option).# This option disables log file locking.# Default: no#LogFileUnlock yes# Maximum size of the log file.# Value of 0 disables the limit.# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log# rotation (the LogRotate option) will always be enabled.# Default: 1M#LogFileMaxSize 2M# Log time with each message.# Default: no#LogTime yes# Also log clean files. Useful in debugging but drastically increases the# log size.# Default: no#LogClean yes# Use system logger (can work together with LogFile).# Default: no#LogSyslog yes# Specify the type of syslog messages - please refer to 'man syslog'# for facility names.# Default: LOG_LOCAL6#LogFacility LOG_MAIL# Enable verbose logging.# Default: no#LogVerbose yes# Enable log rotation. Always enabled when LogFileMaxSize is enabled.# Default: no#LogRotate yes# Enable Prelude output.# Default: no#PreludeEnable yes## Set the name of the analyzer used by prelude-admin.# Default: ClamAV#PreludeAnalyzerName ClamAV# Log additional information about the infected file, such as its# size and hash, together with the virus name.#ExtendedDetectionInfo yes# This option allows you to save a process identifier of the listening# daemon (main thread).# This file will be owned by root, as long as clamd was started by root.# It is recommended that the directory where this file is stored is# also owned by root to keep other users from tampering with it.# Default: disabled#PidFile /var/run/clamd.pid# Optional path to the global temporary directory.# Default: system specific (usually /tmp or /var/tmp).#TemporaryDirectory /var/tmp# Path to the database directory.# Default: hardcoded (depends on installation options)#DatabaseDirectory /var/lib/clamav# Only load the official signatures published by the ClamAV project.# Default: no#OfficialDatabaseOnly no# The daemon can work in local mode, network mode or both.# Due to security reasons we recommend the local mode.# Path to a local socket file the daemon will listen on.# Default: disabled (must be specified by a user)#LocalSocket /tmp/clamd.socket# Sets the group ownership on the unix socket.# Default: disabled (the primary group of the user running clamd)#LocalSocketGroup virusgroup# Sets the permissions on the unix socket to the specified mode.# Default: disabled (socket is world accessible)#LocalSocketMode 660# Remove stale socket after unclean shutdown.# Default: yes#FixStaleSocket yes# TCP port address.# Default: no#TCPSocket 3310# TCP address.# By default we bind to INADDR_ANY, probably not wise.# Enable the following to provide some degree of protection# from the outside world. This option can be specified multiple# times if you want to listen on multiple IPs. IPv6 is now supported.# Default: no#TCPAddr 127.0.0.1# Maximum length the queue of pending connections may grow to.# Default: 200#MaxConnectionQueueLength 30# Clamd uses FTP-like protocol to receive data from remote clients.# If you are using clamav-milter to balance load between remote clamd daemons# on firewall servers you may need to tune the options below.# Close the connection when the data size limit is exceeded.# The value should match your MTA's limit for a maximum attachment size.# Default: 25M#StreamMaxLength 10M# Limit port range.# Default: 1024#StreamMinPort 30000# Default: 2048#StreamMaxPort 32000# Maximum number of threads running at the same time.# Default: 10#MaxThreads 20# Waiting for data from a client socket will timeout after this time (seconds).# Default: 120#ReadTimeout 300# This option specifies the time (in seconds) after which clamd should# timeout if a client doesn't provide any initial command after connecting.# Default: 30#CommandReadTimeout 30# This option specifies how long to wait (in milliseconds) if the send buffer# is full.# Keep this value low to prevent clamd hanging.## Default: 500#SendBufTimeout 200# Maximum number of queued items (including those being processed by# MaxThreads threads).# It is recommended to have this value at least twice MaxThreads if possible.# WARNING: you shouldn't increase this too much to avoid running out of file# descriptors, the following condition should hold:# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual# max is 1024).## Default: 100#MaxQueue 200# Waiting for a new job will timeout after this time (seconds).# Default: 30#IdleTimeout 60# Don't scan files and directories matching regex# This directive can be used multiple times# Default: scan all#ExcludePath ^/proc/#ExcludePath ^/sys/# Maximum depth directories are scanned at.# Default: 15#MaxDirectoryRecursion 20# Follow directory symlinks.# Default: no#FollowDirectorySymlinks yes# Follow regular file symlinks.# Default: no#FollowFileSymlinks yes# Scan files and directories on other filesystems.# Default: yes#CrossFilesystems yes# Perform a database check.# Default: 600 (10 min)#SelfCheck 600# Enable non-blocking (multi-threaded/concurrent) database reloads.# This feature will temporarily load a second scanning engine while scanning# continues using the first engine. Once loaded, the new engine takes over.# The old engine is removed as soon as all scans using the old engine have# completed.# This feature requires more RAM, so this option is provided in case users are# willing to block scans during reload in exchange for lower RAM requirements.# Default: yes#ConcurrentDatabaseReload no# Execute a command when virus is found. In the command string %v will# be replaced with the virus name.# Default: no#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"# Run as another user (clamd must be started by root for this option to work)# Default: don't drop privileges#User clamav# Stop daemon when libclamav reports out of memory condition.#ExitOnOOM yes# Don't fork into background.# Default: no#Foreground yes# Enable debug messages in libclamav.# Default: no#Debug yes# Do not remove temporary files (for debug purposes).# Default: no#LeaveTemporaryFiles yes# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject# any ALLMATCHSCAN command as invalid.# Default: yes#AllowAllMatchScan no# Detect Possibly Unwanted Applications.# Default: no#DetectPUA yes# Exclude a specific PUA category. This directive can be used multiple times.# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for# the complete list of PUA categories.# Default: Load all categories (if DetectPUA is activated)#ExcludePUA NetTool#ExcludePUA PWTool# Only include a specific PUA category. This directive can be used multiple# times.# Default: Load all categories (if DetectPUA is activated)#IncludePUA Spy#IncludePUA Scanner#IncludePUA RAT# This option causes memory or nested map scans to dump the content to disk.# If you turn on this option, more data is written to disk and is available# when the LeaveTemporaryFiles option is enabled.#ForceToDisk yes# This option allows you to disable the caching feature of the engine. By# default, the engine will store an MD5 in a cache of any files that are# not flagged as virus or that hit limits checks. Disabling the cache will# have a negative performance impact on large scans.# Default: no#DisableCache yes# In some cases (eg. complex malware, exploits in graphic files, and others),# ClamAV uses special algorithms to detect abnormal patterns and behaviors that# may be malicious. This option enables alerting on such heuristically# detected potential threats.# Default: yes#HeuristicAlerts yes# Allow heuristic alerts to take precedence.# When enabled, if a heuristic scan (such as phishingScan) detects# a possible virus/phish it will stop scan immediately. Recommended, saves CPU# scan-time.# When disabled, virus/phish detected by heuristic scans will be reported only# at the end of a scan. If an archive contains both a heuristically detected# virus/phish, and a real malware, the real malware will be reported## Keep this disabled if you intend to handle "*.Heuristics.*" viruses# differently from "real" malware.# If a non-heuristically-detected virus (signature-based) is found first,# the scan is interrupted immediately, regardless of this config option.## Default: no#HeuristicScanPrecedence yes#### Heuristic Alerts### With this option clamav will try to detect broken executables (both PE and# ELF) and alert on them with the Broken.Executable heuristic signature.# Default: no#AlertBrokenExecutables yes# Alert on encrypted archives _and_ documents with heuristic signature# (encrypted .zip, .7zip, .rar, .pdf).# Default: no#AlertEncrypted yes# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,# .rar).# Default: no#AlertEncryptedArchive yes# Alert on encrypted archives with heuristic signature (encrypted .pdf).# Default: no#AlertEncryptedDoc yes# With this option enabled OLE2 files containing VBA macros, which were not# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".# Default: no#AlertOLE2Macros yes# Alert on SSL mismatches in URLs, even if the URL isn't in the database.# This can lead to false positives.# Default: no#AlertPhishingSSLMismatch yes# Alert on cloaked URLs, even if URL isn't in database.# This can lead to false positives.# Default: no#AlertPhishingCloak yes# Alert on raw DMG image files containing partition intersections# Default: no#AlertPartitionIntersection yes#### Executable files### PE stands for Portable Executable - it's an executable file format used# in all 32 and 64-bit versions of Windows operating systems. This option# allows ClamAV to perform a deeper analysis of executable files and it's also# required for decompression of popular executable packers such as UPX, FSG,# and Petite. If you turn off this option, the original files will still be# scanned, but without additional processing.# Default: yes#ScanPE yes# Certain PE files contain an authenticode signature. By default, we check# the signature chain in the PE file against a database of trusted and# revoked certificates if the file being scanned is marked as a virus.# If any certificate in the chain validates against any trusted root, but# does not match any revoked certificate, the file is marked as whitelisted.# If the file does match a revoked certificate, the file is marked as virus.# The following setting completely turns off authenticode verification.# Default: no#DisableCertCheck yes# Executable and Linking Format is a standard format for UN*X executables.# This option allows you to control the scanning of ELF files.# If you turn off this option, the original files will still be scanned, but# without additional processing.# Default: yes#ScanELF yes#### Documents### This option enables scanning of OLE2 files, such as Microsoft Office# documents and .msi files.# If you turn off this option, the original files will still be scanned, but# without additional processing.# Default: yes#ScanOLE2 yes# This option enables scanning within PDF files.# If you turn off this option, the original files will still be scanned, but# without decoding and additional processing.# Default: yes#ScanPDF yes# This option enables scanning within SWF files.# If you turn off this option, the original files will still be scanned, but# without decoding and additional processing.# Default: yes#ScanSWF yes# This option enables scanning xml-based document files supported by libclamav.# If you turn off this option, the original files will still be scanned, but# without additional processing.# Default: yes#ScanXMLDOCS yes# This option enables scanning of HWP3 files.# If you turn off this option, the original files will still be scanned, but# without additional processing.# Default: yes#ScanHWP3 yes#### Mail files### Enable internal e-mail scanner.# If you turn off this option, the original files will still be scanned, but# without parsing individual messages/attachments.# Default: yes#ScanMail yes# Scan RFC1341 messages split over many emails.# You will need to periodically clean up $TemporaryDirectory/clamav-partial# directory.# WARNING: This option may open your system to a DoS attack.# Never use it on loaded servers.# Default: no#ScanPartialMessages yes# With this option enabled ClamAV will try to detect phishing attempts by using# HTML.Phishing and Email.Phishing NDB signatures.# Default: yes#PhishingSignatures no# With this option enabled ClamAV will try to detect phishing attempts by# analyzing URLs found in emails using WDB and PDB signature databases.# Default: yes#PhishingScanURLs no#### Data Loss Prevention (DLP)### Enable the DLP module# Default: No#StructuredDataDetection yes# This option sets the lowest number of Credit Card numbers found in a file# to generate a detect.# Default: 3#StructuredMinCreditCardCount 5# With this option enabled the DLP module will search for valid Credit Card# numbers only. Debit and Private Label cards will not be searched.# Default: no#StructuredCCOnly yes# This option sets the lowest number of Social Security Numbers found# in a file to generate a detect.# Default: 3#StructuredMinSSNCount 5# With this option enabled the DLP module will search for valid# SSNs formatted as xxx-yy-zzzz# Default: yes#StructuredSSNFormatNormal yes# With this option enabled the DLP module will search for valid# SSNs formatted as xxxyyzzzz# Default: no#StructuredSSNFormatStripped yes#### HTML### Perform HTML normalisation and decryption of MS Script Encoder code.# Default: yes# If you turn off this option, the original files will still be scanned, but# without additional processing.#ScanHTML yes#### Archives### ClamAV can scan within archives and compressed files.# If you turn off this option, the original files will still be scanned, but# without unpacking and additional processing.# Default: yes#ScanArchive yes#### Limits### The options below protect your system against Denial of Service attacks# using archive bombs.# This option sets the maximum amount of time to a scan may take.# In this version, this field only affects the scan time of ZIP archives.# Value of 0 disables the limit.# Note: disabling this limit or setting it too high may result allow scanning# of certain files to lock up the scanning process/threads resulting in a# Denial of Service.# Time is in milliseconds.# Default: 120000#MaxScanTime 300000# This option sets the maximum amount of data to be scanned for each input# file. Archives and other containers are recursively extracted and scanned# up to this value.# Value of 0 disables the limit# Note: disabling this limit or setting it too high may result in severe damage# to the system.# Default: 100M#MaxScanSize 150M# Files larger than this limit won't be scanned. Affects the input file itself# as well as files contained inside it (when the input file is an archive, a# document or some other kind of container).# Value of 0 disables the limit.# Note: disabling this limit or setting it too high may result in severe damage# to the system.# Default: 25M#MaxFileSize 30M# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR# file, all files within it will also be scanned. This options specifies how# deeply the process should be continued.# Note: setting this limit too high may result in severe damage to the system.# Default: 16#MaxRecursion 10# Number of files to be scanned within an archive, a document, or any other# container file.# Value of 0 disables the limit.# Note: disabling this limit or setting it too high may result in severe damage# to the system.# Default: 10000#MaxFiles 15000# Maximum size of a file to check for embedded PE. Files larger than this value# will skip the additional analysis step.# Note: disabling this limit or setting it too high may result in severe damage# to the system.# Default: 10M#MaxEmbeddedPE 10M# Maximum size of a HTML file to normalize. HTML files larger than this value# will not be normalized or scanned.# Note: disabling this limit or setting it too high may result in severe damage# to the system.# Default: 10M#MaxHTMLNormalize 10M# Maximum size of a normalized HTML file to scan. HTML files larger than this# value after normalization will not be scanned.# Note: disabling this limit or setting it too high may result in severe damage# to the system.# Default: 2M#MaxHTMLNoTags 2M# Maximum size of a script file to normalize. Script content larger than this# value will not be normalized or scanned.# Note: disabling this limit or setting it too high may result in severe damage# to the system.# Default: 5M#MaxScriptNormalize 5M# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger# than this value will skip the step to potentially reanalyze as PE.# Note: disabling this limit or setting it too high may result in severe damage# to the system.# Default: 1M#MaxZipTypeRcg 1M# This option sets the maximum number of partitions of a raw disk image to be# scanned.# Raw disk images with more partitions than this value will have up to# the value number partitions scanned. Negative values are not allowed.# Note: setting this limit too high may result in severe damage or impact# performance.# Default: 50#MaxPartitions 128# This option sets the maximum number of icons within a PE to be scanned.# PE files with more icons than this value will have up to the value number# icons scanned.# Negative values are not allowed.# WARNING: setting this limit too high may result in severe damage or impact# performance.# Default: 100#MaxIconsPE 200# This option sets the maximum recursive calls for HWP3 parsing during# scanning. HWP3 files using more than this limit will be terminated and# alert the user.# Scans will be unable to scan any HWP3 attachments if the recursive limit# is reached.# Negative values are not allowed.# WARNING: setting this limit too high may result in severe damage or impact# performance.# Default: 16#MaxRecHWP3 16# This option sets the maximum calls to the PCRE match function during# an instance of regex matching.# Instances using more than this limit will be terminated and alert the user# but the scan will continue.# For more information on match_limit, see the PCRE documentation.# Negative values are not allowed.# WARNING: setting this limit too high may severely impact performance.# Default: 100000#PCREMatchLimit 20000# This option sets the maximum recursive calls to the PCRE match function# during an instance of regex matching.# Instances using more than this limit will be terminated and alert the user# but the scan will continue.# For more information on match_limit_recursion, see the PCRE documentation.# Negative values are not allowed and values > PCREMatchLimit are superfluous.# WARNING: setting this limit too high may severely impact performance.# Default: 2000#PCRERecMatchLimit 10000# This option sets the maximum filesize for which PCRE subsigs will be# executed. Files exceeding this limit will not have PCRE subsigs executed# unless a subsig is encompassed to a smaller buffer.# Negative values are not allowed.# Setting this value to zero disables the limit.# WARNING: setting this limit too high or disabling it may severely impact# performance.# Default: 25M#PCREMaxFileSize 100M# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or# MaxRecursion limit will be flagged with the virus# "Heuristics.Limits.Exceeded".# Default: no#AlertExceedsMax yes#### On-access Scan Settings### Don't scan files larger than OnAccessMaxFileSize# Value of 0 disables the limit.# Default: 5M#OnAccessMaxFileSize 10M# Max number of scanning threads to allocate to the OnAccess thread pool at# startup. These threads are the ones responsible for creating a connection# with the daemon and kicking off scanning after an event has been processed.# To prevent clamonacc from consuming all clamd's resources keep this lower# than clamd's max threads.# Default: 5#OnAccessMaxThreads 10# Max amount of time (in milliseconds) that the OnAccess client should spend# for every connect, send, and recieve attempt when communicating with clamd# via curl.# Default: 5000 (5 seconds)# OnAccessCurlTimeout 10000# Toggles dynamic directory determination. Allows for recursively watching# include paths.# Default: no#OnAccessDisableDDD yes# Set the include paths (all files inside them will be scanned). You can have# multiple OnAccessIncludePath directives but each directory must be added# in a separate line.# Default: disabled#OnAccessIncludePath /home#OnAccessIncludePath /students# Set the exclude paths. All subdirectories are also excluded.# Default: disabled#OnAccessExcludePath /home/user# Modifies fanotify blocking behaviour when handling permission events.# If off, fanotify will only notify if the file scanned is a virus,# and not perform any blocking.# Default: no#OnAccessPrevention yes# When using prevention, if this option is turned on, any errors that occur# during scanning will result in the event attempt being denied. This could# potentially lead to unwanted system behaviour with certain configurations,# so the client defaults this to off and prefers allowing access events in# case of scan or connection error.# Default: no#OnAccessDenyOnError yes# Toggles extra scanning and notifications when a file or directory is# created or moved.# Requires the DDD system to kick-off extra scans.# Default: no#OnAccessExtraScanning yes# Set the mount point to be scanned. The mount point specified, or the mount# point containing the specified directory will be watched. If any directories# are specified, this option will preempt (disable and ignore all options# related to) the DDD system. This option will result in verdicts only.# Note that prevention is explicitly disallowed to prevent common, fatal# misconfigurations. (e.g. watching "/" with prevention on and no exclusions# made on vital system directories)# It can be used multiple times.# Default: disabled#OnAccessMountPath /#OnAccessMountPath /home/user# With this option you can whitelist the root UID (0). Processes run under# root with be able to access all files without triggering scans or# permission denied events.# Note that if clamd cannot check the uid of the process that generated an# on-access scan event (e.g., because OnAccessPrevention was not enabled, and# the process already exited), clamd will perform a scan. Thus, setting# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the# root user from triggering a scan (unless OnAccessPrevention is enabled).# Default: no#OnAccessExcludeRootUID no# With this option you can whitelist specific UIDs. Processes with these UIDs# will be able to access all files without triggering scans or permission# denied events.# This option can be used multiple times (one per line).# Using a value of 0 on any line will disable this option entirely.# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID# option.# Also note that if clamd cannot check the uid of the process that generated an# on-access scan event (e.g., because OnAccessPrevention was not enabled, and# the process already exited), clamd will perform a scan. Thus, setting# OnAccessExcludeUID is not *guaranteed* to prevent every access by the# specified uid from triggering a scan (unless OnAccessPrevention is enabled).# Default: disabled#OnAccessExcludeUID -1# This option allows exclusions via user names when using the on-access# scanning client. It can be used multiple times.# It has the same potential race condition limitations of the# OnAccessExcludeUID option.# Default: disabled#OnAccessExcludeUname clamav# Number of times the OnAccess client will retry a failed scan due to# connection problems (or other issues).# Default: 0#OnAccessRetryAttempts 3#### Bytecode### With this option enabled ClamAV will load bytecode from the database.# It is highly recommended you keep this option on, otherwise you'll miss# detections for many new viruses.# Default: yes#Bytecode yes# Set bytecode security level.# Possible values:# None - No security at all, meant for debugging.# DO NOT USE THIS ON PRODUCTION SYSTEMS.# This value is only available if clamav was built# with --enable-debug!# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert# runtime safety checks for bytecode loaded from other sources.# Paranoid - Don't trust any bytecode, insert runtime checks for all.# Recommended: TrustSigned, because bytecode in .cvd files already has these# checks.# Note that by default only signed bytecode is loaded, currently you can only# load unsigned bytecode in --enable-debug mode.## Default: TrustSigned#BytecodeSecurity TrustSigned# Allow loading bytecode from outside digitally signed .c[lv]d files.# **Caution**: You should NEVER run bytecode signatures from untrusted sources.# Doing so may result in arbitrary code execution.# Default: no#BytecodeUnsigned yes# Set bytecode timeout in milliseconds.## Default: 5000# BytecodeTimeout 1000