clamd (5) - Linux Manuals

clamd: Configuration file for Clam AntiVirus Daemon

Command to display clamd manual in Linux: $ man 5 clamd

NAME

clamd.conf - Configuration file for Clam AntiVirus Daemon

DESCRIPTION

clamd.conf configures the Clam AntiVirus daemon, clamd(8).

FILE FORMAT

The file consists of comments and options with arguments. Each line which starts with a hash (#) symbol is ignored by the parser. Options and arguments are case sensitive and of the form Option Argument. The arguments are of the following types:

BOOL: Boolean value (yes/no or true/false or 1/0).
STRING: String without blank characters.
SIZE: Size in bytes. You can use 'M' or 'm' modifiers for megabytes and 'K' or 'k' for kilobytes.
NUMBER: Unsigned integer.

DIRECTIVES

When some option is not used (commented out or not included in the configuration file at all) clamd takes a default action.

Example: If this option is set clamd will not run.
LogFile STRING: Enable logging to selected file.
Default: no
LogFileUnlock BOOL: Disable a system lock that protects against running clamd with the same configuration file multiple times.
Default: no
LogFileMaxSize SIZE: Limit the size of the log file. The logger will be automatically disabled if the file is greater than SIZE. Value of 0 disables the limit.
Default: 1M
LogTime BOOL: Log time for each message.
Default: no
LogClean BOOL: Log clean files.
Default: no
LogSyslog BOOL: Use system logger (can work together with LogFile).
Default: no
LogFacility STRING: Specify the type of syslog messages - please refer to 'man syslog' for facility names.
Default: LOG_LOCAL6
LogVerbose BOOL: Enable verbose logging.
Default: no
PidFile STRING: Save the process identifier of a listening daemon (main thread) to a specified file.
Default: no
TemporaryDirectory STRING: Optional path to the global temporary directory.
Default: system specific (usually /tmp or /var/tmp).
DatabaseDirectory STRING: Path to a directory containing database files.
Default: /var/lib/clamav
LocalSocket STRING: Path to a local (Unix) socket the daemon will listen on.
Default: no
FixStaleSocket BOOL: Remove stale socket after unclean shutdown.
Default: yes
TCPSocket NUMBER: TCP port number the daemon will listen on.
Default: no
TCPAddr STRING: TCP socket address to bind to. By default clamd binds to INADDR_ANY.
Default: no
MaxConnectionQueueLength NUMBER: Maximum length the queue of pending connections may grow to.
Default: 15
MaxThreads NUMBER: Maximum number of threads running at the same time.
Default: 10
ReadTimeout NUMBER: Waiting for data from a client socket will timeout after this time (seconds).
Default: 120
CommandReadTimeout NUMBER: This option specifies the time (in seconds) after which clamd should timeout if a client doesn't provide any initial command after connecting. Note: the timeout for subsequents commands, and/or data chunks is specified by ReadTimeout.
Default: 5
SendBufTimeout NUMBER: This option specifies how long to wait (in miliseconds) if the send buffer is full. Keep this value low to prevent clamd hanging.
Default: 500
MaxQueue NUMBER: Maximum number of queued items (including those being processed by MaxThreads threads). It is recommended to have this value at least twice MaxThreads if possible.
WARNING: you shouldn't increase this too much to avoid running out of file descriptors, the following condition should hold: MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 < RLIMIT_NOFILE. RLIMIT_NOFILE is the maximum number of open file descriptors (usually 1024), set by ulimit -n.
Default: 100
IdleTimeout NUMBER: Waiting for a new job will timeout after this time (seconds).
Default: 30
ExcludePath REGEX: Don't scan files and directories matching REGEX. This directive can be used multiple times.
Default: scan all
MaxDirectoryRecursion NUMBER: Maximum depth directories are scanned at.
Default: 15
FollowDirectorySymlinks BOOL: Follow directory symlinks.
Default: no
FollowFileSymlinks BOOL: Follow regular file symlinks.
Default: no
SelfCheck NUMBER: Perform a database check.
Default: 1800
VirusEvent COMMAND: Execute COMMAND when a virus is found. In the command string %v will be replaced with the virus name.
Default: no
ExitOnOOM BOOL: Stop daemon when libclamav reports out of memory condition.
Default: no
User STRING: Run as another user (clamd must be started by root to make this option working).
Default: no
AllowSupplementaryGroups BOOL: Initialize supplementary group access (clamd must be started by root).
Default: no
Foreground BOOL: Don't fork into background.
Default: no
Debug BOOL: Enable debug messages from libclamav.
LeaveTemporaryFiles BOOL: Do not remove temporary files (for debug purpose).
Default: no
StreamMaxLength SIZE: Clamd uses FTP-like protocol to receive data from remote clients. If you are using clamav-milter to balance load between remote clamd daemons on firewall servers you may need to tune the Stream* options. This option allows you to specify the upper limit for data size that will be transfered to remote daemon when scanning a single file. It should match your MTA's limit for a maximum attachment size.
Default: 10M
StreamMinPort NUMBER: Limit data port range.
Default: 1024
StreamMaxPort NUMBER: Limit data port range.
Default: 2048
DetectPUA: Detect Possibly Unwanted Applications.
Default: No
ExcludePUA CATEGORY: Exclude a specific PUA category. This directive can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA categories.
Default: Load all categories (if DetectPUA is activated)
IncludePUA CATEGORY: Only include a specific PUA category. This directive can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA categories.
Default: Load all categories (if DetectPUA is activated)
AlgorithmicDetection BOOL: In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option controls the algorithmic detection.
Default: yes
ScanPE BOOL: PE stands for Portable Executable - it's an executable file format used in all 32 and 64-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX.
Default: yes
ScanELF BOOL: Executable and Linking Format is a standard format for UN*X executables. This option allows you to control the scanning of ELF files.
Default: yes
DetectBrokenExecutables BOOL: With this option clamd will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.
Default: no
ScanOLE2 BOOL: This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.
Default: yes
ScanPDF BOOL: This option enables scanning within PDF files.
Default: yes
ScanHTML BOOL: Enables HTML detection and normalisation.
Default: yes
ScanMail BOOL: Enable scanning of mail files.
Default: yes
MailFollowURLs BOOL: If an email contains URLs ClamAV can download and scan them. WARNING: This option may open your system to a DoS attack. Never use it on loaded servers.
Default: no
ScanPartialMessages BOOL: Scan RFC1341 messages split over many emails. You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. WARNING: This option may open your system to a DoS attack. Never use it on loaded servers.
Default: no
MailMaxRecursion NUMBER (OBSOLETE): WARNING: This option is no longer accepted. See MaxRecursion.
PhishingSignatures BOOL: With this option enabled ClamAV will try to detect phishing attempts by using signatures.
Default: yes
PhishingScanURLs BOOL: Scan URLs found in mails for phishing attempts using heuristics. This will classify "Possibly Unwanted" phishing emails as Phishing.Heuristics.Email.*
Default: yes
PhishingAlwaysBlockSSLMismatch BOOL: Always block SSL mismatches in URLs, even if the URL isn't in the database. This can lead to false positives.
Default: no
PhishingAlwaysBlockCloak BOOL: Always block cloaked URLs, even if URL isn't in database. This can lead to false positives.
Default: no
HeuristicScanPrecedence BOOL: Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.
Default: no
StructuredDataDetection BOOL: Enable the DLP module.
Default: no
StructuredMinCreditCardCount NUMBER: This option sets the lowest number of Credit Card numbers found in a file to generate a detect.
Default: 3
StructuredMinSSNCount NUMBER: This option sets the lowest number of Social Security Numbers found in a file to generate a detect.
Default: 3
StructuredSSNFormatNormal BOOL: With this option enabled the DLP module will search for valid SSNs formatted as xxx-yy-zzzz.
Default: Yes
StructuredSSNFormatStripped BOOL: With this option enabled the DLP module will search for valid SSNs formatted as xxxyyzzzz.
Default: No
ScanArchive BOOL: Enable archive scanning.
Default: yes
ArchiveMaxFileSize (OBSOLETE): WARNING: This option is no longer accepted. See MaxFileSize and MaxScanSize.
ArchiveMaxRecursion (OBSOLETE): WARNING: This option is no longer accepted. See MaxRecursion.
ArchiveMaxFiles (OBSOLETE): WARNING: This option is no longer accepted. See MaxFiles.
ArchiveMaxCompressionRatio (OBSOLETE): WARNING: This option is no longer accepted.
ArchiveBlockMax (OBSOLETE): WARNING: This option is no longer accepted.
ArchiveLimitMemoryUsage BOOL: Use slower decompression algorithm which uses less memory. This option only affects the bzip2 decompressor.
Default: no
ArchiveBlockEncrypted BOOL: Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
Default: no
MaxScanSize SIZE: Sets the maximum amount of data to be scanned for each input file. Archives and other containers are recursively extracted and scanned up to this value. Warning: disabling this limit or setting it too high may result in severe damage to the system.
Default: 100M
MaxFileSize SIZE: Files larger than this limit won't be scanned. Affects the input file itself as well as files contained inside it (when the input file is an archive, a document or some other kind of container). Warning: disabling this limit or setting it too high may result in severe damage to the system.
Default: 25M
MaxRecursion NUMBER: Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR file, all files within it will also be scanned. This options specifies how deeply the process should be continued. Warning: disabling this limit or setting it too high may result in severe damage to the system.
Default: 16
MaxFiles NUMBER: Number of files to be scanned within an archive, a document, or any other kind of container. Warning: disabling this limit or setting it too high may result in severe damage to the system.
Default: 10000
ClamukoScanOnAccess BOOL: Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
Default: no
ClamukoScanOnOpen BOOL: Scan files on open.
Default: no
ClamukoScanOnClose BOOL: Scan files on close.
Default: no.
ClamukoScanOnExec BOOL: Scan files on execute.
Default: no
ClamukoIncludePath STRING: Set the include paths (all files and directories inside them will be scanned). You can have multiple ClamukoIncludePath directives but each directory must be added in a separate line).
Default: no
ClamukoExcludePath STRING: Set the exclude paths. All subdirectories will also be excluded.
Default: no
ClamukoMaxFileSize SIZE: Ignore files larger than SIZE.
Default: 5M

NOTES

All options expressing a size are limited to max 4GB. Values in excess will be resetted to the maximum.

FILES

/etc/clamd.conf

AUTHOR

Tomasz Kojm <tkojm [at] clamav.net>