GNU/Linux |
CentOS 5.6 |
|
clamd.conf(5) |
clamd.conf − Configuration file for Clam AntiVirus Daemon
clamd.conf configures the Clam AntiVirus daemon, clamd(8).
The file consists of comments and options with arguments. Each line which starts with a hash (#) symbol is ignored by the parser. Options and arguments are case sensitive and of the form Option Argument. The arguments are of the following types:
BOOL |
Boolean value (yes/no or true/false or 1/0). | ||
STRING |
String without blank characters. | ||
SIZE |
Size in bytes. You can use ’M’ or ’m’ modifiers for megabytes and ’K’ or ’k’ for kilobytes. | ||
NUMBER |
Unsigned integer. |
When some
option is not used (commented out or not included in the
configuration file at all) clamd takes a default action.
Example
If this option is set clamd will not run.
LogFile STRING
Enable logging to selected
file.
Default: no
LogFileUnlock BOOL
Disable a system lock that
protects against running clamd with the same configuration
file multiple times.
Default: no
LogFileMaxSize SIZE
Limit the size of the log file.
The logger will be automatically disabled if the file is
greater than SIZE. Value of 0 disables the limit.
Default: 1M
LogTime BOOL
Log time for each message.
Default: no
LogClean BOOL
Log clean files.
Default: no
LogSyslog BOOL
Use system logger (can work
together with LogFile).
Default: no
LogFacility STRING
Specify the type of syslog
messages − please refer to ’man syslog’
for facility names.
Default: LOG_LOCAL6
LogVerbose BOOL
Enable verbose logging.
Default: no
PidFile STRING
Save the process identifier of
a listening daemon (main thread) to a specified file.
Default: no
TemporaryDirectory STRING
Optional path to the global
temporary directory.
Default: system specific (usually /tmp or /var/tmp).
DatabaseDirectory STRING
Path to a directory containing
database files.
Default: /var/clamav
LocalSocket STRING
Path to a local (Unix) socket
the daemon will listen on.
Default: no
FixStaleSocket BOOL
Remove stale socket after
unclean shutdown.
Default: yes
TCPSocket NUMBER
TCP port number the daemon will
listen on.
Default: no
TCPAddr STRING
TCP socket address to bind to.
By default clamd binds to INADDR_ANY.
Default: no
MaxConnectionQueueLength NUMBER
Maximum length the queue of
pending connections may grow to.
Default: 15
MaxThreads NUMBER
Maximum number of threads
running at the same time.
Default: 10
ReadTimeout NUMBER
Waiting for data from a client
socket will timeout after this time (seconds).
Default: 120
CommandReadTimeout NUMBER
This option specifies the time
(in seconds) after which clamd should timeout if a client
doesn’t provide any initial command after connecting.
Note: the timeout for subsequents commands, and/or data
chunks is specified by ReadTimeout.
Default: 5
SendBufTimeout NUMBER
This option specifies how long
to wait (in miliseconds) if the send buffer is full. Keep
this value low to prevent clamd hanging.
Default: 500
MaxQueue NUMBER
Maximum number of queued items
(including those being processed by MaxThreads threads). It
is recommended to have this value at least twice MaxThreads
if possible.
WARNING: you shouldn’t increase this too much to avoid
running out of file descriptors, the following condition
should hold: MaxThreads*MaxRecursion + MaxQueue - MaxThreads
+ 6 < RLIMIT_NOFILE. RLIMIT_NOFILE is the maximum
number of open file descriptors (usually 1024), set by
ulimit -n.
Default: 100
IdleTimeout NUMBER
Waiting for a new job will
timeout after this time (seconds).
Default: 30
ExcludePath REGEX
Don’t scan files and
directories matching REGEX. This directive can be used
multiple times.
Default: scan all
MaxDirectoryRecursion NUMBER
Maximum depth directories are
scanned at.
Default: 15
FollowDirectorySymlinks BOOL
Follow directory symlinks.
Default: no
FollowFileSymlinks BOOL
Follow regular file symlinks.
Default: no
SelfCheck NUMBER
Perform a database check.
Default: 1800
VirusEvent COMMAND
Execute COMMAND when a virus is
found. In the command string %v will be replaced with the
virus name.
Default: no
ExitOnOOM BOOL
Stop daemon when libclamav
reports out of memory condition.
Default: no
User STRING
Run as another user (clamd must
be started by root to make this option working).
Default: no
AllowSupplementaryGroups BOOL
Initialize supplementary group
access (clamd must be started by root).
Default: no
Foreground BOOL
Don’t fork into
background.
Default: no
Debug BOOL
Enable debug messages from libclamav.
LeaveTemporaryFiles BOOL
Do not remove temporary files
(for debug purpose).
Default: no
StreamMaxLength SIZE
Clamd uses FTP−like
protocol to receive data from remote clients. If you are
using clamav−milter to balance load between remote
clamd daemons on firewall servers you may need to tune the
Stream* options. This option allows you to specify the upper
limit for data size that will be transfered to remote daemon
when scanning a single file. It should match your
MTA’s limit for a maximum attachment size.
Default: 10M
StreamMinPort NUMBER
Limit data port range.
Default: 1024
StreamMaxPort NUMBER
Limit data port range.
Default: 2048
DetectPUA
Detect Possibly Unwanted
Applications.
Default: No
ExcludePUA CATEGORY
Exclude a specific PUA
category. This directive can be used multiple times. See
http://www.clamav.net/support/pua for the complete list of
PUA categories.
Default: Load all categories (if DetectPUA is activated)
IncludePUA CATEGORY
Only include a specific PUA
category. This directive can be used multiple times. See
http://www.clamav.net/support/pua for the complete list of
PUA categories.
Default: Load all categories (if DetectPUA is activated)
AlgorithmicDetection BOOL
In some cases (eg. complex
malware, exploits in graphic files, and others), ClamAV uses
special algorithms to provide accurate detection. This
option controls the algorithmic detection.
Default: yes
ScanPE BOOL
PE stands for Portable
Executable − it’s an executable file format used
in all 32 and 64−bit versions of Windows operating
systems. This option allows ClamAV to perform a deeper
analysis of executable files and it’s also required
for decompression of popular executable packers such as UPX.
Default: yes
ScanELF BOOL
Executable and Linking Format
is a standard format for UN*X executables. This option
allows you to control the scanning of ELF files.
Default: yes
DetectBrokenExecutables BOOL
With this option clamd will try
to detect broken executables (both PE and ELF) and mark them
as Broken.Executable.
Default: no
ScanOLE2 BOOL
This option enables scanning of
OLE2 files, such as Microsoft Office documents and .msi
files.
Default: yes
ScanPDF BOOL
This option enables scanning
within PDF files.
Default: yes
ScanHTML BOOL
Enables HTML detection and
normalisation.
Default: yes
ScanMail BOOL
Enable scanning of mail files.
Default: yes
MailFollowURLs BOOL
If an email contains URLs
ClamAV can download and scan them. WARNING: This option
may open your system to a DoS attack. Never use it on loaded
servers.
Default: no
ScanPartialMessages BOOL
Scan RFC1341 messages split
over many emails. You will need to periodically clean up
$TemporaryDirectory/clamav-partial directory. WARNING:
This option may open your system to a DoS attack. Never use
it on loaded servers.
Default: no
MailMaxRecursion NUMBER (OBSOLETE)
WARNING: This option is no longer accepted. See MaxRecursion.
PhishingSignatures BOOL
With this option enabled ClamAV
will try to detect phishing attempts by using signatures.
Default: yes
PhishingScanURLs BOOL
Scan URLs found in mails for
phishing attempts using heuristics. This will classify
"Possibly Unwanted" phishing emails as
Phishing.Heuristics.Email.*
Default: yes
PhishingAlwaysBlockSSLMismatch BOOL
Always block SSL mismatches in
URLs, even if the URL isn’t in the database. This can
lead to false positives.
Default: no
PhishingAlwaysBlockCloak BOOL
Always block cloaked URLs, even
if URL isn’t in database. This can lead to false
positives.
Default: no
HeuristicScanPrecedence BOOL
Allow heuristic match to take
precedence. When enabled, if a heuristic scan (such as
phishingScan) detects a possible virus/phishing it will stop
scanning immediately. Recommended, saves CPU scan-time. When
disabled, virus/phishing detected by heuristic scans will be
reported only at the end of a scan. If an archive contains
both a heuristically detected virus/phishing, and a real
malware, the real malware will be reported. Keep this
disabled if you intend to handle "*.Heuristics.*"
viruses differently from "real" malware. If a
non-heuristically-detected virus (signature-based) is found
first, the scan is interrupted immediately, regardless of
this config option.
Default: no
StructuredDataDetection BOOL
Enable the DLP module.
Default: no
StructuredMinCreditCardCount NUMBER
This option sets the lowest
number of Credit Card numbers found in a file to generate a
detect.
Default: 3
StructuredMinSSNCount NUMBER
This option sets the lowest
number of Social Security Numbers found in a file to
generate a detect.
Default: 3
StructuredSSNFormatNormal BOOL
With this option enabled the
DLP module will search for valid SSNs formatted as
xxx-yy-zzzz.
Default: Yes
StructuredSSNFormatStripped BOOL
With this option enabled the
DLP module will search for valid SSNs formatted as
xxxyyzzzz.
Default: No
ScanArchive BOOL
Enable archive scanning.
Default: yes
ArchiveMaxFileSize (OBSOLETE)
WARNING: This option is no longer accepted. See MaxFileSize and MaxScanSize.
ArchiveMaxRecursion (OBSOLETE)
WARNING: This option is no longer accepted. See MaxRecursion.
ArchiveMaxFiles (OBSOLETE)
WARNING: This option is no longer accepted. See MaxFiles.
ArchiveMaxCompressionRatio (OBSOLETE)
WARNING: This option is no longer accepted.
ArchiveBlockMax (OBSOLETE)
WARNING: This option is no longer accepted.
ArchiveLimitMemoryUsage BOOL
Use slower decompression
algorithm which uses less memory. This option only affects
the bzip2 decompressor.
Default: no
ArchiveBlockEncrypted BOOL
Mark encrypted archives as
viruses (Encrypted.Zip, Encrypted.RAR).
Default: no
MaxScanSize SIZE
Sets the maximum amount of data
to be scanned for each input file. Archives and other
containers are recursively extracted and scanned up to this
value. Warning: disabling this limit or setting it too
high may result in severe damage to the system.
Default: 100M
MaxFileSize SIZE
Files larger than this limit
won’t be scanned. Affects the input file itself as
well as files contained inside it (when the input file is an
archive, a document or some other kind of container).
Warning: disabling this limit or setting it too high may
result in severe damage to the system.
Default: 25M
MaxRecursion NUMBER
Nested archives are scanned
recursively, e.g. if a Zip archive contains a RAR file, all
files within it will also be scanned. This options specifies
how deeply the process should be continued. Warning:
disabling this limit or setting it too high may result in
severe damage to the system.
Default: 16
MaxFiles NUMBER
Number of files to be scanned
within an archive, a document, or any other kind of
container. Warning: disabling this limit or setting it
too high may result in severe damage to the system.
Default: 10000
ClamukoScanOnAccess BOOL
Enable Clamuko. Dazuko
(/dev/dazuko) must be configured and running.
Default: no
ClamukoScanOnOpen BOOL
Scan files on open.
Default: no
ClamukoScanOnClose BOOL
Scan files on close.
Default: no.
ClamukoScanOnExec BOOL
Scan files on execute.
Default: no
ClamukoIncludePath STRING
Set the include paths (all
files and directories inside them will be scanned). You can
have multiple ClamukoIncludePath directives but each
directory must be added in a separate line).
Default: no
ClamukoExcludePath STRING
Set the exclude paths. All
subdirectories will also be excluded.
Default: no
ClamukoMaxFileSize SIZE
Ignore files larger than SIZE.
Default: 5M
All options expressing a size are limited to max 4GB. Values in excess will be resetted to the maximum.
/etc/clamd.conf
Tomasz Kojm <tkojm@clamav.net>
clamd(8), clamdscan(1), clamav-milter(8), clamscan(1), freshclam(1), sigtool(1)
clamd.conf(5) |