NAME
clamd.conf - Configuration file for Clam AntiVirus Daemon
DESCRIPTION
clamd.conf configures the Clam AntiVirus daemon, clamd(8).
FILE FORMAT
The file consists of comments and options with arguments. Each line which starts with a hash (#) symbol is ignored by the parser. Options and arguments are case sensitive and of the form Option Argument. The arguments are of the following types:
BOOL | Boolean value (yes/no or true/false or 1/0). |
STRING | String without blank characters. |
SIZE | Size in bytes. You can use M or m modifiers for megabytes and K or k for kilobytes. |
NUMBER | Unsigned integer. |
DIRECTIVES
When some option is not used (commented out or not included in the configuration file at all) clamd takes a default action.
Example | |
If this option is set clamd will not run. | |
LogFile STRING | |
Enable logging to selected file. Default: no | |
LogFileUnlock BOOL | |
Disable a system lock that protects against running clamd with the same configuration file multiple times. Default: no | |
LogFileMaxSize SIZE | |
Limit the size of the log file. The logger will be automatically disabled if the file is greater than SIZE. Value of 0 disables the limit. Default: 1M | |
LogTime BOOL | |
Log time for each message. Default: no | |
LogClean BOOL | |
Log clean files. Default: no | |
LogSyslog BOOL | |
Use system logger (can work together with LogFile). Default: no | |
LogFacility STRING | |
Specify the type of syslog messages - please refer to man syslog for facility names. Default: LOG_LOCAL6 | |
LogVerbose BOOL | |
Enable verbose logging. Default: no | |
ExtendedDetectionInfo BOOL | |
Log additional information about the infected file, such as its size and hash, together with the virus name. Default: no | |
PidFile STRING | |
Save the process identifier of a listening daemon (main thread) to a specified file. Default: no | |
TemporaryDirectory STRING | |
Optional path to the global temporary directory. Default: system specific (usually /tmp or /var/tmp). | |
DatabaseDirectory STRING | |
Path to a directory containing database files. | |
OfficialDatabaseOnly BOOL | |
Only load the official signatures published by the ClamAV project. Default: no | |
LocalSocket STRING | |
Path to a local (Unix) socket the daemon will listen on. Default: no | |
LocalSocketGroup STRING | |
Sets the group ownership on the unix socket. Default: the primary group of the user running clamd | |
LocalSocketMode STRING | |
Sets the permissions on the unix socket to the specified mode. Default: socket is world readable and writable | |
FixStaleSocket BOOL | |
Remove stale socket after unclean shutdown. Default: yes | |
TCPSocket NUMBER | |
TCP port number the daemon will listen on. Default: no | |
TCPAddr STRING | |
TCP socket address to bind to. By default clamd binds to INADDR_ANY. Default: no | |
MaxConnectionQueueLength NUMBER | |
Maximum length the queue of pending connections may grow to. Default: 15 | |
MaxThreads NUMBER | |
Maximum number of threads running at the same time. Default: 10 | |
ReadTimeout NUMBER | |
Waiting for data from a client socket will timeout after this time (seconds). Default: 120 | |
CommandReadTimeout NUMBER | |
This option specifies the time (in seconds) after which clamd should timeout if a client doesnt provide any initial command after connecting. Note: the timeout for subsequents commands, and/or data chunks is specified by ReadTimeout. Default: 5 | |
SendBufTimeout NUMBER | |
This option specifies how long to wait (in milliseconds) if the send buffer is full. Keep this value low to prevent clamd hanging. Default: 500 | |
MaxQueue NUMBER | |
Maximum number of queued items (including those being processed by MaxThreads threads). It is recommended to have this value at least twice MaxThreads if possible. WARNING: you shouldnt increase this too much to avoid running out of file descriptors, the following condition should hold: MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 < RLIMIT_NOFILE. RLIMIT_NOFILE is the maximum number of open file descriptors (usually 1024), set by ulimit -n. Default: 100 | |
IdleTimeout NUMBER | |
Waiting for a new job will timeout after this time (seconds). Default: 30 | |
ExcludePath REGEX | |
Dont scan files and directories matching REGEX. This directive can be used multiple times. Default: scan all | |
MaxDirectoryRecursion NUMBER | |
Maximum depth directories are scanned at. Default: 15 | |
FollowDirectorySymlinks BOOL | |
Follow directory symlinks. Default: no | |
CrossFilesystems BOOL | |
Scan files and directories on other filesystems. Default: yes | |
FollowFileSymlinks BOOL | |
Follow regular file symlinks. Default: no | |
SelfCheck NUMBER | |
Perform a database check. Default: 1800 | |
VirusEvent COMMAND | |
Execute COMMAND when a virus is found. In the command string %v will be replaced with the virus name. Default: no | |
ExitOnOOM BOOL | |
Stop daemon when libclamav reports out of memory condition. Default: no | |
User STRING | |
Run as another user (clamd must be started by root to make this option working). Default: no | |
AllowSupplementaryGroups BOOL | |
Initialize supplementary group access (clamd must be started by root). Default: no | |
Foreground BOOL | |
Dont fork into background. Default: no | |
Debug BOOL | |
Enable debug messages from libclamav. | |
LeaveTemporaryFiles BOOL | |
Do not remove temporary files (for debug purpose). Default: no | |
StreamMaxLength SIZE | |
Clamd uses FTP-like protocol to receive data from remote clients. If you are using clamav-milter to balance load between remote clamd daemons on firewall servers you may need to tune the Stream* options. This option allows you to specify the upper limit for data size that will be transfered to remote daemon when scanning a single file. It should match your MTAs limit for a maximum attachment size. Default: 10M | |
StreamMinPort NUMBER | |
Limit data port range. Default: 1024 | |
StreamMaxPort NUMBER | |
Limit data port range. Default: 2048 | |
Bytecode BOOL | |
With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, otherwise you may miss detections for many new viruses. Default: yes | |
BytecodeSecurity STRING | |
Set bytecode security level. Possible values: None: no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS, TrustSigned: trust bytecode loaded from signed .c[lv]d files and insert runtime safety checks for bytecode loaded from other sources, Paranoid: dont trust any bytecode, insert runtime checks for all. The recommended setting is TrustSigned, because bytecode in .cvd files already has safety checks inserted into it. Default: TrustSigned | |
BytecodeTimeout NUMBER | |
Set bytecode timeout in milliseconds. Default: 60000 | |
DetectPUA BOOL | |
Detect Possibly Unwanted Applications. Default: No | |
ExcludePUA CATEGORY | |
Exclude a specific PUA category. This directive can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA categories. Default: Load all categories (if DetectPUA is activated) | |
IncludePUA CATEGORY | |
Only include a specific PUA category. This directive can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA categories. Default: Load all categories (if DetectPUA is activated) | |
AlgorithmicDetection BOOL | |
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option controls the algorithmic detection. Default: yes | |
ScanPE BOOL | |
PE stands for Portable Executable - its an executable file format used in all 32 and 64-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and its also required for decompression of popular executable packers such as UPX. Default: yes | |
ScanELF BOOL | |
Executable and Linking Format is a standard format for UN*X executables. This option allows you to control the scanning of ELF files. Default: yes | |
DetectBrokenExecutables BOOL | |
With this option clamd will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable. Default: no | |
ScanOLE2 BOOL | |
This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files. Default: yes | |
OLE2BlockMacros BOOL | |
With this option enabled OLE2 files with VBA macros, which were not detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros". Default: no | |
ScanPDF BOOL | |
This option enables scanning within PDF files. Default: yes | |
ScanHTML BOOL | |
Enables HTML detection and normalisation. Default: yes | |
ScanMail BOOL | |
Enable scanning of mail files. Default: yes | |
ScanPartialMessages BOOL | |
Scan RFC1341 messages split over many emails. You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. WARNING: This option may open your system to a DoS attack. Never use it on loaded servers. Default: no | |
MailMaxRecursion NUMBER (OBSOLETE) | |
WARNING: This option is no longer accepted. See MaxRecursion. | |
PhishingSignatures BOOL | |
With this option enabled ClamAV will try to detect phishing attempts by using signatures. Default: yes | |
PhishingScanURLs BOOL | |
Scan URLs found in mails for phishing attempts using heuristics. This will classify "Possibly Unwanted" phishing emails as Phishing.Heuristics.Email.* Default: yes | |
PhishingAlwaysBlockSSLMismatch BOOL | |
Always block SSL mismatches in URLs, even if the URL isnt in the database. This can lead to false positives. Default: no | |
PhishingAlwaysBlockCloak BOOL | |
Always block cloaked URLs, even if URL isnt in database. This can lead to false positives. Default: no | |
HeuristicScanPrecedence BOOL | |
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option. Default: no | |
StructuredDataDetection BOOL | |
Enable the DLP module. Default: no | |
StructuredMinCreditCardCount NUMBER | |
This option sets the lowest number of Credit Card numbers found in a file to generate a detect. Default: 3 | |
StructuredMinSSNCount NUMBER | |
This option sets the lowest number of Social Security Numbers found in a file to generate a detect. Default: 3 | |
StructuredSSNFormatNormal BOOL | |
With this option enabled the DLP module will search for valid SSNs formatted as xxx-yy-zzzz. Default: Yes | |
StructuredSSNFormatStripped BOOL | |
With this option enabled the DLP module will search for valid SSNs formatted as xxxyyzzzz. Default: No | |
ScanArchive BOOL | |
Enable archive scanning. Default: yes | |
ArchiveMaxFileSize (OBSOLETE) | |
WARNING: This option is no longer accepted. See MaxFileSize and MaxScanSize. | |
ArchiveMaxRecursion (OBSOLETE) | |
WARNING: This option is no longer accepted. See MaxRecursion. | |
ArchiveMaxFiles (OBSOLETE) | |
WARNING: This option is no longer accepted. See MaxFiles. | |
ArchiveMaxCompressionRatio (OBSOLETE) | |
WARNING: This option is no longer accepted. | |
ArchiveBlockMax (OBSOLETE) | |
WARNING: This option is no longer accepted. | |
ArchiveLimitMemoryUsage (OBSOLETE) | |
WARNING: This option is no longer accepted. Default: no | |
ArchiveBlockEncrypted BOOL | |
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). Default: no | |
MaxScanSize SIZE | |
Sets the maximum amount of data to be scanned for each input file. Archives and other containers are recursively extracted and scanned up to this value. Warning: disabling this limit or setting it too high may result in severe damage to the system. Default: 100M | |
MaxFileSize SIZE | |
Files larger than this limit wont be scanned. Affects the input file itself as well as files contained inside it (when the input file is an archive, a document or some other kind of container). Warning: disabling this limit or setting it too high may result in severe damage to the system. Default: 25M | |
MaxRecursion NUMBER | |
Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR file, all files within it will also be scanned. This options specifies how deeply the process should be continued. Warning: setting this limit too high may result in severe damage to the system. Default: 16 | |
MaxFiles NUMBER | |
Number of files to be scanned within an archive, a document, or any other kind of container. Warning: disabling this limit or setting it too high may result in severe damage to the system. Default: 10000 | |
ClamukoScanOnAccess BOOL | |
Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running. Default: no | |
ClamukoScannerCount NUMBER | |
The number of scanner threads that will be started (DazukoFS only). Having multiple scanner threads allows Clamuko to serve multiple processes simultaneously. This is particularly beneficial on SMP machines. Default: 3 | |
ClamukoScanOnOpen BOOL | |
Scan files on open. Default: no | |
ClamukoScanOnClose BOOL | |
Scan files on close. Default: no. | |
ClamukoScanOnExec BOOL | |
Scan files on execute. Default: no | |
ClamukoIncludePath STRING | |
Set the include paths (all files and directories inside them will be scanned). You can have multiple ClamukoIncludePath directives but each directory must be added in a separate line). Default: no | |
ClamukoExcludePath STRING | |
Set the exclude paths. All subdirectories will also be excluded. Default: no | |
ClamukoMaxFileSize SIZE | |
Ignore files larger than SIZE. Default: 5M | |
NOTES
All options expressing a size are limited to max 4GB. Values in excess will be resetted to the maximum.
FILES
/etc/clamd.conf
AUTHOR
Tomasz Kojm <tkojm@clamav.net>
SEE ALSO
clamd(8), clamdscan(1), clamav-milter(8), freshclam(1), freshclam.conf(5)