DESCRIPTION

clamd.conf configures the Clam AntiVirus daemon, clamd(8).

FILE FORMAT

The file consists of comments and options with arguments. Each line which starts with a hash (#) symbol is ignored by the parser. Options and arguments are case sensitive and of the form Option Argument. The arguments are of the following types:

BOOL

Boolean value (yes/no or true/false or 1/0).

STRING

String without blank characters.

SIZE

Size in bytes. You can use 'M' or 'm' modifiers for megabytes and 'K' or 'k' for kilobytes. To specify the size in bytes just don't use modifiers.

NUMBER

Unsigned integer.

DIRECTIVES

When some option is not used (commented out or not included in the configuration file at all) clamd takes a default action.

Example

If this option is set clamd will not run.

LogFile STRING

Save all reports to a log file.

Default: disabled

LogFileUnlock BOOL

By default the log file is locked for writing and only a single daemon process can write to it. This option disables the lock.

Default: no

LogFileMaxSize SIZE

Maximum size of the log file.

Value of 0 disables the limit.

Default: 1048576

LogTime BOOL

Log time for each message.

Default: no

LogClean BOOL

Log all clean files.

Useful in debugging but drastically increases the log size.

Default: no

LogSyslog BOOL

Use the system logger (can work together with LogFile).

Default: no

LogFacility STRING

Type of syslog messages

Please refer to 'man syslog' for facility names.

Default: LOG_LOCAL6

LogVerbose BOOL

Enable verbose logging.

Default: no

LogRotate BOOL

Rotate log file. Requires LogFileMaxSize option set prior to this option.

Default: no

ExtendedDetectionInfo BOOL

Log additional information about the infected file, such as its size and hash, together with the virus name.

Default: no

PidFile STRING

Save the process identifier of a listening daemon (main thread) to a specified file.

Default: disabled

TemporaryDirectory STRING

This option allows you to change the default temporary directory.

Default: system specific (usually /tmp or /var/tmp).

DatabaseDirectory STRING

This option allows you to change the default database directory. If you enable it, please make sure it points to the same directory in both clamd and freshclam.

Default: defined at configuration (/usr/local/share/clamav)

OfficialDatabaseOnly BOOL

Only load the official signatures published by the ClamAV project.

Default: no

LocalSocket STRING

Path to a local (Unix) socket the daemon will listen on.

Default: disabled

LocalSocketGroup STRING

Sets the group ownership on the unix socket.

Default: the primary group of the user running clamd

LocalSocketMode STRING

Sets the permissions on the unix socket to the specified mode.

Default: socket is world readable and writable

FixStaleSocket BOOL

Remove stale socket after unclean shutdown.

Default: yes

TCPSocket NUMBER

TCP port number the daemon will listen on.

Default: disabled

TCPAddr STRING

By default clamd binds to INADDR_ANY.

This option allows you to restrict the TCP address and provide some degree of protection from the outside world. This option can be specified multiple times in order to listen on multiple IPs. IPv6 is now supported.

Default: disabled

MaxConnectionQueueLength NUMBER

Maximum length the queue of pending connections may grow to.

Default: 200

StreamMaxLength SIZE

Close the STREAM session when the data size limit is exceeded.

The value should match your MTA's limit for the maximum attachment size.

Default: 25M

StreamMinPort NUMBER

The STREAM command uses an FTP-like protocol.

This option sets the lower boundary for the port range.

Default: 1024

StreamMaxPort NUMBER

This option sets the upper boundary for the port range.

Default: 2048

MaxThreads NUMBER

Maximum number of threads running at the same time.

Default: 10

ReadTimeout NUMBER

This option specifies the time (in seconds) after which clamd should timeout if a client doesn't provide any data.

Default: 120

CommandReadTimeout NUMBER

This option specifies the time (in seconds) after which clamd should timeout if a client doesn't provide any initial command after connecting. Note: the timeout for subsequents commands, and/or data chunks is specified by ReadTimeout.

Default: 5

SendBufTimeout NUMBER

This option specifies how long to wait (in milliseconds) if the send buffer is full. Keep this value low to prevent clamd hanging.

Default: 500

MaxQueue NUMBER

Maximum number of queued items (including those being processed by MaxThreads threads). It is recommended to have this value at least twice MaxThreads if possible.

WARNING: you shouldn't increase this too much to avoid running out of file descriptors, the following condition should hold: MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 < RLIMIT_NOFILE. RLIMIT_NOFILE is the maximum number of open file descriptors (usually 1024), set by ulimit -n.

Default: 100

IdleTimeout NUMBER

This option specifies how long (in seconds) the process should wait for a new job.

Default: 30

ExcludePath REGEX

Don't scan files and directories matching REGEX. This directive can be used multiple times.

Default: disabled

MaxDirectoryRecursion NUMBER

Maximum depth directories are scanned at.

Default: 15

FollowDirectorySymlinks BOOL

Follow directory symlinks.

Default: no

CrossFilesystems BOOL

Scan files and directories on other filesystems.

Default: yes

FollowFileSymlinks BOOL

Follow regular file symlinks.

Default: no

SelfCheck NUMBER

This option specifies the time intervals (in seconds) in which clamd should perform a database check.

Default: 600

VirusEvent COMMAND

Execute a command when a virus is found. In the command string %v will be replaced with the virus name. Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME.

Default: disabled

ExitOnOOM BOOL

Stop daemon when libclamav reports out of memory condition.

Default: no

AllowAllMatchScan BOOL

Permit use of the ALLMATCHSCAN command.

Default: yes

Foreground BOOL

Don't fork into background.

Default: no

Debug BOOL

Enable debug messages from libclamav.

Default: no

LeaveTemporaryFiles BOOL

Do not remove temporary files (for debugging purpose).

Default: no

User STRING

Run the daemon as a specified user (the process must be started by root).

Default: disabled

Bytecode BOOL

With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, otherwise you may miss detections for many new viruses.

Default: yes

BytecodeSecurity STRING

Set bytecode security level.

Possible values:

TrustSigned - trust bytecode loaded from signed .c[lv]d files and insert runtime safety checks for bytecode loaded from other sources,

Paranoid - don't trust any bytecode, insert runtime checks for all.

Recommended: TrustSigned, because bytecode in .cvd files already has these checks.

Default: TrustSigned

BytecodeTimeout NUMBER

Set bytecode timeout in milliseconds.

Default: 5000

BytecodeUnsigned BOOL

Allow loading bytecode from outside digitally signed .c[lv]d files.

Default: no

BytecodeMode STRING

Set bytecode execution mode.

Possible values:

Auto - automatically choose JIT if possible, fallback to interpreter

ForceJIT - always choose JIT, fail if not possible

ForceInterpreter - always choose interpreter

Test - run with both JIT and interpreter and compare results. Make all failures fatal.

Default: Auto

DetectPUA BOOL

Detect Possibly Unwanted Applications.

Default: No

ExcludePUA CATEGORY

Exclude a specific PUA category. This directive can be used multiple times. See http://www.clamav.net/doc/pua.html for the complete list of PUA categories.

Default: disabled

IncludePUA CATEGORY

Only include a specific PUA category. This directive can be used multiple times. See http://www.clamav.net/doc/pua.html for the complete list of PUA categories.

Default: disabled

AlgorithmicDetection BOOL

In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option controls the algorithmic detection.

Default: yes

ScanPE BOOL

PE stands for Portable Executable - it's an executable file format used in all 32 and 64-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX.

If you turn off this option, the original files will still be scanned, but without additional processing.

Default: yes

ScanELF BOOL

Executable and Linking Format is a standard format for UN*X executables. This option allows you to control the scanning of ELF files.

If you turn off this option, the original files will still be scanned, but without additional processing.

Default: yes

DetectBrokenExecutables BOOL

With this option clamd will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.

Default: no

ScanMail BOOL

Enable scanning of mail files.

If you turn off this option, the original files will still be scanned, but without parsing individual messages/attachments.

Default: yes

ScanPartialMessages BOOL

Scan RFC1341 messages split over many emails. You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. WARNING: This option may open your system to a DoS attack. Never use it on loaded servers.

Default: no

PhishingSignatures BOOL

With this option enabled ClamAV will try to detect phishing attempts by using signatures.

Default: yes

PhishingScanURLs BOOL

Scan URLs found in mails for phishing attempts using heuristics. This will classify "Possibly Unwanted" phishing emails as Phishing.Heuristics.Email.*

Default: yes

PhishingAlwaysBlockCloak BOOL

Always block cloaked URLs, even if URL isn't in database. This can lead to false positives.

Default: no

PhishingAlwaysBlockSSLMismatch BOOL

Always block SSL mismatches in URLs, even if the URL isn't in the database. This can lead to false positives.

Default: no

PartitionIntersection BOOL

Detect partition intersections in raw disk images using heuristics.

Default: no

HeuristicScanPrecedence BOOL

Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.

Default: no

StructuredDataDetection BOOL

Enable the DLP module.

Default: no

StructuredMinCreditCardCount NUMBER

This option sets the lowest number of Credit Card numbers found in a file to generate a detect.

Default: 3

StructuredMinSSNCount NUMBER

This option sets the lowest number of Social Security Numbers found in a file to generate a detect.

Default: 3

StructuredSSNFormatNormal BOOL

With this option enabled the DLP module will search for valid SSNs formatted as xxx-yy-zzzz.

Default: Yes

StructuredSSNFormatStripped BOOL

With this option enabled the DLP module will search for valid SSNs formatted as xxxyyzzzz.

Default: No

ScanHTML BOOL

Perform HTML/JavaScript/ScriptEncoder normalisation and decryption.

If you turn off this option, the original files will still be scanned, but without additional processing.

Default: yes

ScanOLE2 BOOL

This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.

If you turn off this option, the original files will still be scanned, but without additional processing.

Default: yes

OLE2BlockMacros BOOL

With this option enabled OLE2 files with VBA macros, which were not detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".

Default: no

ScanPDF BOOL

This option enables scanning within PDF files.

If you turn off this option, the original files will still be scanned, but without additional processing.

Default: yes

ScanSWF BOOL

This option enables scanning within SWF files.

If you turn off this option, the original files will still be scanned, but without decoding and additional processing.

Default: yes

ScanXMLDOCS BOOL

This option enables scanning xml-based document files supported by libclamav.

If you turn off this option, the original files will still be scanned, but without additional processing.

Default: yes

ScanHWP3 BOOL

This option enables scanning HWP3 files.

If you turn off this option, the original files will still be scanned, but without additional processing.

Default: yes

ScanArchive BOOL

Scan within archives and compressed files.

If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.

Default: yes

ArchiveBlockEncrypted BOOL

Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

Default: no

ForceToDisk

This option causes memory or nested map scans to dump the content to disk.

If you turn on this option, more data is written to disk and is available when the leave-temps option is enabled at the cost of more disk writes.

Default: no

Default: no

MaxScanSize SIZE

Sets the maximum amount of data to be scanned for each input file. Archives and other containers are recursively extracted and scanned up to this value. The size of an archive plus the sum of the sizes of all files within archive count toward the scan size. For example, a 1M uncompressed archive containing a single 1M inner file counts as 2M toward the max scan size. Warning: disabling this limit or setting it too high may result in severe damage to the system.

Default: 100M

MaxFileSize SIZE

Files larger than this limit won't be scanned. Affects the input file itself as well as files contained inside it (when the input file is an archive, a document or some other kind of container). Warning: disabling this limit or setting it too high may result in severe damage to the system.

Default: 25M

MaxRecursion NUMBER

Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR file, all files within it will also be scanned. This options specifies how deeply the process should be continued. Warning: setting this limit too high may result in severe damage to the system.

Default: 16

MaxFiles NUMBER

Number of files to be scanned within an archive, a document, or any other kind of container. Warning: disabling this limit or setting it too high may result in severe damage to the system.

Default: 10000

MaxEmbeddedPE SIZE

This option sets the maximum size of a file to check for embedded PE.

Files larger than this value will skip the additional analysis step.

Negative values are not allowed.

Default: 10M

MaxHTMLNormalize SIZE

This option sets the maximum size of a HTML file to normalize.

HTML files larger than this value will not be normalized or scanned.

Negative values are not allowed.

Default: 10M

MaxHTMLNoTags SIZE

This option sets the maximum size of a normalized HTML file to scan.

HTML files larger than this value after normalization will not be scanned.

Negative values are not allowed.

Default: 2M

MaxScriptNormalize SIZE

This option sets the maximum size of a script file to normalize.

Script content larger than this value will not be normalized or scanned.

Negative values are not allowed.

Default: 5M

MaxZipTypeRcg SIZE

This option sets the maximum size of a ZIP file to reanalyze type recognition.

ZIP files larger than this value will skip the step to potentially reanalyze as PE.

Negative values are not allowed.

WARNING: setting this limit too high may result in severe damage or impact performance.

Default: 1M

MaxPartitions SIZE

This option sets the maximum number of partitions of a raw disk image to be scanned.

Raw disk images with more partitions than this value will have up to the value partitions scanned.

Negative values are not allowed.

WARNING: setting this limit too high may result in severe damage or impact performance.

Default: 50

MaxIconsPE SIZE

This option sets the maximum number of icons within a PE to be scanned.

PE files with more icons than this value will have up to the value number icons scanned.

Negative values are not allowed.

WARNING: setting this limit too high may result in severe damage or impact performance.

Default: 100

MaxRecHWP3 NUMBER

This option sets the maximum recursive calls to HWP3 parsing function.

HWP3 files using more than this limit will be terminated and alert the user.

Scans will be unable to scan any HWP3 attachments if the recursive limit is reached.

Negative values are not allowed.

WARNING: setting this limit too high may result in severe damage or impact performance.

Default: 16

PCREMatchLimit NUMBER

This option sets the maximum calls to the PCRE match function during an instance of regex matching.

Instances using more than this limit will be terminated and alert the user but the scan will continue.

For more information on match_limit, see the PCRE documentation.

Negative values are not allowed.

WARNING: setting this limit too high may severely impact performance.

Default: 10000

PCRERecMatchLimit NUMBER

This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching.

Instances using more than this limit will be terminated and alert the user but the scan will continue.

For more information on match_limit_recursion, see the PCRE documentation.

Negative values are not allowed and values > PCREMatchLimit are superfluous.

WARNING: setting this limit too high may severely impact performance.

Default: 5000

PCREMaxFileSize SIZE

This option sets the maximum filesize for which PCRE subsigs will be executed.

Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer.

Negative values are not allowed.

Setting this value to zero disables the limit.

WARNING: setting this limit too high or disabling it may severely impact performance.

Default: 25M

ScanOnAccess BOOL

This option enables on-access scanning (Linux only)

Default: disabled

OnAccessIncludePath STRING

This option specifies a directory (including all files and directories inside it), which should be scanned on access. This option can be used multiple times.

Default: disabled

OnAccessExcludePath STRING

This option allows excluding directories from on-access scanning. It can be used multiple times.

Default: disabled

OnAccessExcludeUID NUMBER

With this option you can whitelist specific UIDs. Processes with these UIDs will be able to access all files.

This option can be used multiple times (one per line).

Default: disabled

OnAccessMaxFileSize SIZE

Files larger than this value will not be scanned in on access.

Default: 5M

OnAccessMountPath STRING

Specifies a mount point (including all files and directories under it), which should be scanned on access. This option can be used multiple times.

Default: disabled

OnAccessDisableDDD BOOL

Disables the dynamic directory determination system which allows for recursively watching include paths.

Default: no

OnAccessPrevention BOOL

Enables fanotify blocking when malicious files are found.

Default: disabled

DisableCertCheck BOOL

Disable authenticode certificate chain verification in PE files.

Default: no

StatsEnabled BOOL

Enable submission of statistical data

Default: no

StatsHostID STRING

HostID in the form of an UUID to use when submitting statistical information.

Default: auto

StatsPEDisabled BOOL

Disable submission of PE section statistical data.

Default: no

StatsTimeout NUMBER

Timeout in seconds to timeout communication with the stats server.

Default: 10

NOTES

All options expressing a size are limited to max 4GB. Values in excess will be resetted to the maximum.

FILES

/etc/clamav/clamd.conf

AUTHORS

Tomasz Kojm <[email protected]>, Kevin Lin <[email protected]>

RELATED TO clamd.conf…