| # Uncomment this option to enable logging. |
| # LogFile must be writable for the user running daemon. |
| # A full path is required. |
| # Default: disabled |
| LogFile /tmp/clamd.log |
| |
| # By default the log file is locked for writing - the lock protects against |
| # running clamd multiple times (if want to run another clamd, please |
| # copy the configuration file, change the LogFile variable, and run |
| # the daemon with --config-file option). |
| # This option disables log file locking. |
| # Default: no |
| LogFileUnlock yes |
| |
| # Maximum size of the log file. |
| # Value of 0 disables the limit. |
| # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) |
| # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size |
| # in bytes just don't use modifiers. If LogFileMaxSize is enabled, log |
| # rotation (the LogRotate option) will always be enabled. |
| # Default: 1M |
| LogFileMaxSize 2M |
| |
| # Log time with each message. |
| # Default: no |
| LogTime yes |
| |
| # Also log clean files. Useful in debugging but drastically increases the |
| # log size. |
| # Default: no |
| #LogClean yes |
| |
| # Use system logger (can work together with LogFile). |
| # Default: no |
| #LogSyslog yes |
| |
| # Specify the type of syslog messages - please refer to 'man syslog' |
| # for facility names. |
| # Default: LOG_LOCAL6 |
| #LogFacility LOG_MAIL |
| |
| # Enable verbose logging. |
| # Default: no |
| #LogVerbose yes |
| |
| # Enable log rotation. Always enabled when LogFileMaxSize is enabled. |
| # Default: no |
| #LogRotate yes |
| |
| # Log additional information about the infected file, such as its |
| # size and hash, together with the virus name. |
| ExtendedDetectionInfo yes |
| |
| # This option allows you to save a process identifier of the listening |
| # daemon (main thread). |
| # Default: disabled |
| PidFile /var/run/clamd.pid |
| |
| # Optional path to the global temporary directory. |
| # Default: system specific (usually /tmp or /var/tmp). |
| TemporaryDirectory /var/tmp |
| |
| # Path to the database directory. |
| # Default: hardcoded (depends on installation options) |
| DatabaseDirectory /var/lib/clamav |
| |
| # Only load the official signatures published by the ClamAV project. |
| # Default: no |
| #OfficialDatabaseOnly no |
| |
| # The daemon can work in local mode, network mode or both. |
| # Due to security reasons we recommend the local mode. |
| |
| # Path to a local socket file the daemon will listen on. |
| # Default: disabled (must be specified by a user) |
| LocalSocket /tmp/clamd.socket |
| |
| # Sets the group ownership on the unix socket. |
| # Default: disabled (the primary group of the user running clamd) |
| #LocalSocketGroup virusgroup |
| |
| # Sets the permissions on the unix socket to the specified mode. |
| # Default: disabled (socket is world accessible) |
| #LocalSocketMode 660 |
| |
| # Remove stale socket after unclean shutdown. |
| # Default: yes |
| #FixStaleSocket yes |
| |
| # TCP port address. |
| # Default: no |
| #TCPSocket 3310 |
| |
| # TCP address. |
| # By default we bind to INADDR_ANY, probably not wise. |
| # Enable the following to provide some degree of protection |
| # from the outside world. This option can be specified multiple |
| # times if you want to listen on multiple IPs. IPv6 is now supported. |
| # Default: no |
| #TCPAddr 127.0.0.1 |
| |
| # Maximum length the queue of pending connections may grow to. |
| # Default: 200 |
| #MaxConnectionQueueLength 30 |
| |
| # Clamd uses FTP-like protocol to receive data from remote clients. |
| # If you are using clamav-milter to balance load between remote clamd daemons |
| # on firewall servers you may need to tune the options below. |
| |
| # Close the connection when the data size limit is exceeded. |
| # The value should match your MTA's limit for a maximum attachment size. |
| # Default: 25M |
| #StreamMaxLength 10M |
| |
| # Limit port range. |
| # Default: 1024 |
| #StreamMinPort 30000 |
| # Default: 2048 |
| #StreamMaxPort 32000 |
| |
| # Maximum number of threads running at the same time. |
| # Default: 10 |
| #MaxThreads 20 |
| |
| # Waiting for data from a client socket will timeout after this time (seconds). |
| # Default: 120 |
| #ReadTimeout 300 |
| |
| # This option specifies the time (in seconds) after which clamd should |
| # timeout if a client doesn't provide any initial command after connecting. |
| # Default: 5 |
| #CommandReadTimeout 5 |
| |
| # This option specifies how long to wait (in miliseconds) if the send buffer is full. |
| # Keep this value low to prevent clamd hanging |
| # |
| # Default: 500 |
| #SendBufTimeout 200 |
| |
| # Maximum number of queued items (including those being processed by MaxThreads threads) |
| # It is recommended to have this value at least twice MaxThreads if possible. |
| # WARNING: you shouldn't increase this too much to avoid running out of file descriptors, |
| # the following condition should hold: |
| # MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024) |
| # |
| # Default: 100 |
| #MaxQueue 200 |
| |
| # Waiting for a new job will timeout after this time (seconds). |
| # Default: 30 |
| #IdleTimeout 60 |
| |
| # Don't scan files and directories matching regex |
| # This directive can be used multiple times |
| # Default: scan all |
| #ExcludePath ^/proc/ |
| #ExcludePath ^/sys/ |
| |
| # Maximum depth directories are scanned at. |
| # Default: 15 |
| #MaxDirectoryRecursion 20 |
| |
| # Follow directory symlinks. |
| # Default: no |
| #FollowDirectorySymlinks yes |
| |
| # Follow regular file symlinks. |
| # Default: no |
| #FollowFileSymlinks yes |
| |
| # Scan files and directories on other filesystems. |
| # Default: yes |
| #CrossFilesystems yes |
| |
| # Perform a database check. |
| # Default: 600 (10 min) |
| #SelfCheck 600 |
| |
| # Execute a command when virus is found. In the command string %v will |
| # be replaced with the virus name. |
| # Default: no |
| #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v" |
| |
| # Run as another user (clamd must be started by root for this option to work) |
| # Default: don't drop privileges |
| User clamav |
| |
| # Initialize supplementary group access (clamd must be started by root). |
| # Default: no |
| #AllowSupplementaryGroups no |
| |
| # Stop daemon when libclamav reports out of memory condition. |
| #ExitOnOOM yes |
| |
| # Don't fork into background. |
| # Default: no |
| #Foreground yes |
| |
| # Enable debug messages in libclamav. |
| # Default: no |
| #Debug yes |
| |
| # Do not remove temporary files (for debug purposes). |
| # Default: no |
| #LeaveTemporaryFiles yes |
| |
| # Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject |
| # any ALLMATCHSCAN command as invalid. |
| # Default: yes |
| #AllowAllMatchScan no |
| |
| # Detect Possibly Unwanted Applications. |
| # Default: no |
| #DetectPUA yes |
| |
| # Exclude a specific PUA category. This directive can be used multiple times. |
| # See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for |
| # the complete list of PUA categories. |
| # Default: Load all categories (if DetectPUA is activated) |
| #ExcludePUA NetTool |
| #ExcludePUA PWTool |
| |
| # Only include a specific PUA category. This directive can be used multiple |
| # times. |
| # Default: Load all categories (if DetectPUA is activated) |
| #IncludePUA Spy |
| #IncludePUA Scanner |
| #IncludePUA RAT |
| |
| # In some cases (eg. complex malware, exploits in graphic files, and others), |
| # ClamAV uses special algorithms to provide accurate detection. This option |
| # controls the algorithmic detection. |
| # Default: yes |
| #AlgorithmicDetection yes |
| |
| # This option causes memory or nested map scans to dump the content to disk. |
| # If you turn on this option, more data is written to disk and is available |
| # when the LeaveTemporaryFiles option is enabled. |
| #ForceToDisk yes |
| |
| # This option allows you to disable the caching feature of the engine. By |
| # default, the engine will store an MD5 in a cache of any files that are |
| # not flagged as virus or that hit limits checks. Disabling the cache will |
| # have a negative performance impact on large scans. |
| # Default: no |
| #DisableCache yes |
| |
| ## |
| ## Executable files |
| ## |
| |
| # PE stands for Portable Executable - it's an executable file format used |
| # in all 32 and 64-bit versions of Windows operating systems. This option allows |
| # ClamAV to perform a deeper analysis of executable files and it's also |
| # required for decompression of popular executable packers such as UPX, FSG, |
| # and Petite. If you turn off this option, the original files will still be |
| # scanned, but without additional processing. |
| # Default: yes |
| #ScanPE yes |
| |
| # Certain PE files contain an authenticode signature. By default, we check |
| # the signature chain in the PE file against a database of trusted and |
| # revoked certificates if the file being scanned is marked as a virus. |
| # If any certificate in the chain validates against any trusted root, but |
| # does not match any revoked certificate, the file is marked as whitelisted. |
| # If the file does match a revoked certificate, the file is marked as virus. |
| # The following setting completely turns off authenticode verification. |
| # Default: no |
| #DisableCertCheck yes |
| |
| # Executable and Linking Format is a standard format for UN*X executables. |
| # This option allows you to control the scanning of ELF files. |
| # If you turn off this option, the original files will still be scanned, but |
| # without additional processing. |
| # Default: yes |
| #ScanELF yes |
| |
| # With this option clamav will try to detect broken executables (both PE and |
| # ELF) and mark them as Broken.Executable. |
| # Default: no |
| #DetectBrokenExecutables yes |
| |
| |
| ## |
| ## Documents |
| ## |
| |
| # This option enables scanning of OLE2 files, such as Microsoft Office |
| # documents and .msi files. |
| # If you turn off this option, the original files will still be scanned, but |
| # without additional processing. |
| # Default: yes |
| #ScanOLE2 yes |
| |
| # With this option enabled OLE2 files with VBA macros, which were not |
| # detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros". |
| # Default: no |
| #OLE2BlockMacros no |
| |
| # This option enables scanning within PDF files. |
| # If you turn off this option, the original files will still be scanned, but |
| # without decoding and additional processing. |
| # Default: yes |
| #ScanPDF yes |
| |
| # This option enables scanning within SWF files. |
| # If you turn off this option, the original files will still be scanned, but |
| # without decoding and additional processing. |
| # Default: yes |
| #ScanSWF yes |
| |
| |
| ## |
| ## Mail files |
| ## |
| |
| # Enable internal e-mail scanner. |
| # If you turn off this option, the original files will still be scanned, but |
| # without parsing individual messages/attachments. |
| # Default: yes |
| #ScanMail yes |
| |
| # Scan RFC1341 messages split over many emails. |
| # You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. |
| # WARNING: This option may open your system to a DoS attack. |
| # Never use it on loaded servers. |
| # Default: no |
| #ScanPartialMessages yes |
| |
| # With this option enabled ClamAV will try to detect phishing attempts by using |
| # signatures. |
| # Default: yes |
| #PhishingSignatures yes |
| |
| # Scan URLs found in mails for phishing attempts using heuristics. |
| # Default: yes |
| #PhishingScanURLs yes |
| |
| # Always block SSL mismatches in URLs, even if the URL isn't in the database. |
| # This can lead to false positives. |
| # |
| # Default: no |
| #PhishingAlwaysBlockSSLMismatch no |
| |
| # Always block cloaked URLs, even if URL isn't in database. |
| # This can lead to false positives. |
| # |
| # Default: no |
| #PhishingAlwaysBlockCloak no |
| |
| # Detect partition intersections in raw disk images using heuristics. |
| # Default: no |
| #PartitionIntersection no |
| |
| # Allow heuristic match to take precedence. |
| # When enabled, if a heuristic scan (such as phishingScan) detects |
| # a possible virus/phish it will stop scan immediately. Recommended, saves CPU |
| # scan-time. |
| # When disabled, virus/phish detected by heuristic scans will be reported only at |
| # the end of a scan. If an archive contains both a heuristically detected |
| # virus/phish, and a real malware, the real malware will be reported |
| # |
| # Keep this disabled if you intend to handle "*.Heuristics.*" viruses |
| # differently from "real" malware. |
| # If a non-heuristically-detected virus (signature-based) is found first, |
| # the scan is interrupted immediately, regardless of this config option. |
| # |
| # Default: no |
| #HeuristicScanPrecedence yes |
| |
| |
| ## |
| ## Data Loss Prevention (DLP) |
| ## |
| |
| # Enable the DLP module |
| # Default: No |
| #StructuredDataDetection yes |
| |
| # This option sets the lowest number of Credit Card numbers found in a file |
| # to generate a detect. |
| # Default: 3 |
| #StructuredMinCreditCardCount 5 |
| |
| # This option sets the lowest number of Social Security Numbers found |
| # in a file to generate a detect. |
| # Default: 3 |
| #StructuredMinSSNCount 5 |
| |
| # With this option enabled the DLP module will search for valid |
| # SSNs formatted as xxx-yy-zzzz |
| # Default: yes |
| #StructuredSSNFormatNormal yes |
| |
| # With this option enabled the DLP module will search for valid |
| # SSNs formatted as xxxyyzzzz |
| # Default: no |
| #StructuredSSNFormatStripped yes |
| |
| |
| ## |
| ## HTML |
| ## |
| |
| # Perform HTML normalisation and decryption of MS Script Encoder code. |
| # Default: yes |
| # If you turn off this option, the original files will still be scanned, but |
| # without additional processing. |
| #ScanHTML yes |
| |
| |
| ## |
| ## Archives |
| ## |
| |
| # ClamAV can scan within archives and compressed files. |
| # If you turn off this option, the original files will still be scanned, but |
| # without unpacking and additional processing. |
| # Default: yes |
| #ScanArchive yes |
| |
| # Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). |
| # Default: no |
| #ArchiveBlockEncrypted no |
| |
| |
| ## |
| ## Limits |
| ## |
| |
| # The options below protect your system against Denial of Service attacks |
| # using archive bombs. |
| |
| # This option sets the maximum amount of data to be scanned for each input file. |
| # Archives and other containers are recursively extracted and scanned up to this |
| # value. |
| # Value of 0 disables the limit |
| # Note: disabling this limit or setting it too high may result in severe damage |
| # to the system. |
| # Default: 100M |
| #MaxScanSize 150M |
| |
| # Files larger than this limit won't be scanned. Affects the input file itself |
| # as well as files contained inside it (when the input file is an archive, a |
| # document or some other kind of container). |
| # Value of 0 disables the limit. |
| # Note: disabling this limit or setting it too high may result in severe damage |
| # to the system. |
| # Default: 25M |
| #MaxFileSize 30M |
| |
| # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR |
| # file, all files within it will also be scanned. This options specifies how |
| # deeply the process should be continued. |
| # Note: setting this limit too high may result in severe damage to the system. |
| # Default: 16 |
| #MaxRecursion 10 |
| |
| # Number of files to be scanned within an archive, a document, or any other |
| # container file. |
| # Value of 0 disables the limit. |
| # Note: disabling this limit or setting it too high may result in severe damage |
| # to the system. |
| # Default: 10000 |
| #MaxFiles 15000 |
| |
| # Maximum size of a file to check for embedded PE. Files larger than this value |
| # will skip the additional analysis step. |
| # Note: disabling this limit or setting it too high may result in severe damage |
| # to the system. |
| # Default: 10M |
| #MaxEmbeddedPE 10M |
| |
| # Maximum size of a HTML file to normalize. HTML files larger than this value |
| # will not be normalized or scanned. |
| # Note: disabling this limit or setting it too high may result in severe damage |
| # to the system. |
| # Default: 10M |
| #MaxHTMLNormalize 10M |
| |
| # Maximum size of a normalized HTML file to scan. HTML files larger than this |
| # value after normalization will not be scanned. |
| # Note: disabling this limit or setting it too high may result in severe damage |
| # to the system. |
| # Default: 2M |
| #MaxHTMLNoTags 2M |
| |
| # Maximum size of a script file to normalize. Script content larger than this |
| # value will not be normalized or scanned. |
| # Note: disabling this limit or setting it too high may result in severe damage |
| # to the system. |
| # Default: 5M |
| #MaxScriptNormalize 5M |
| |
| # Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger |
| # than this value will skip the step to potentially reanalyze as PE. |
| # Note: disabling this limit or setting it too high may result in severe damage |
| # to the system. |
| # Default: 1M |
| #MaxZipTypeRcg 1M |
| |
| # This option sets the maximum number of partitions of a raw disk image to be scanned. |
| # Raw disk images with more partitions than this value will have up to the value number |
| # partitions scanned. Negative values are not allowed. |
| # Note: setting this limit too high may result in severe damage or impact performance. |
| # Default: 50 |
| #MaxPartitions 128 |
| |
| # This option sets the maximum number of icons within a PE to be scanned. |
| # PE files with more icons than this value will have up to the value number icons scanned. |
| # Negative values are not allowed. |
| # WARNING: setting this limit too high may result in severe damage or impact performance. |
| # Default: 100 |
| #MaxIconsPE 200 |
| |
| ## |
| ## On-access Scan Settings |
| ## |
| |
| # Enable on-access scanning. Currently, this is supported via fanotify. |
| # Clamuko/Dazuko support has been deprecated. |
| # Default: no |
| #ScanOnAccess yes |
| |
| # Don't scan files larger than OnAccessMaxFileSize |
| # Value of 0 disables the limit. |
| # Default: 5M |
| #OnAccessMaxFileSize 10M |
| |
| # Set the include paths (all files inside them will be scanned). You can have |
| # multiple OnAccessIncludePath directives but each directory must be added |
| # in a separate line. (On-access scan only) |
| # Default: disabled |
| #OnAccessIncludePath /home |
| #OnAccessIncludePath /students |
| |
| # Set the exclude paths. All subdirectories are also excluded. |
| # (On-access scan only) |
| # Default: disabled |
| #OnAccessExcludePath /home/bofh |
| |
| # With this option you can whitelist specific UIDs. Processes with these UIDs |
| # will be able to access all files. |
| # This option can be used multiple times (one per line). |
| # Default: disabled |
| #OnAccessExcludeUID 0 |
| |
| |
| ## |
| ## Bytecode |
| ## |
| |
| # With this option enabled ClamAV will load bytecode from the database. |
| # It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses. |
| # Default: yes |
| #Bytecode yes |
| |
| # Set bytecode security level. |
| # Possible values: |
| # None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS |
| # This value is only available if clamav was built with --enable-debug! |
| # TrustSigned - trust bytecode loaded from signed .c[lv]d files, |
| # insert runtime safety checks for bytecode loaded from other sources |
| # Paranoid - don't trust any bytecode, insert runtime checks for all |
| # Recommended: TrustSigned, because bytecode in .cvd files already has these checks |
| # Note that by default only signed bytecode is loaded, currently you can only |
| # load unsigned bytecode in --enable-debug mode. |
| # |
| # Default: TrustSigned |
| #BytecodeSecurity TrustSigned |
| |
| # Set bytecode timeout in miliseconds. |
| # |
| # Default: 5000 |
| # BytecodeTimeout 1000 |
| |
| ## |
| ## Statistics gathering and submitting |
| ## |
| |
| # Enable statistical reporting. |
| # Default: no |
| #StatsEnabled yes |
| |
| # Disable submission of individual PE sections for files flagged as malware. |
| # Default: no |
| #StatsPEDisabled yes |
| |
| # HostID in the form of an UUID to use when submitting statistical information. |
| # Default: auto |
| #StatsHostID auto |
| |
| # Time in seconds to wait for the stats server to come back with a response |
| # Default: 10 |
| #StatsTimeout 10 |