Richard Marian Thomaiyar14fddef2018-07-13 23:55:56 +05301# Uncomment this option to enable logging.
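2# LogFile must be writable by the user running the daemon.
3# A full path is required. Prefer a directory only that user can write to: a log under world-writable /tmp can be pre-created or replaced by another local user.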
4# Default: disabled
5LogFile /tmp/clamd.log
6
7# By default the log file is locked for writing - the lock protects against
8# running clamd multiple times (if you want to run another clamd, please
9# copy the configuration file, change the LogFile variable, and run
10# the daemon with --config-file option).
11# This option disables log file locking.
12# Default: no
13LogFileUnlock yes
14
15# Maximum size of the log file.
16# Value of 0 disables the limit.
17# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
18# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
19# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
20# rotation (the LogRotate option) will always be enabled.
21# Default: 1M
22LogFileMaxSize 2M
23
24# Log time with each message.
25# Default: no
26LogTime yes
27
28# Also log clean files. Useful in debugging but drastically increases the
29# log size.
30# Default: no
31#LogClean yes
32
33# Use system logger (can work together with LogFile).
34# Default: no
35#LogSyslog yes
36
37# Specify the type of syslog messages - please refer to 'man syslog'
38# for facility names.
39# Default: LOG_LOCAL6
40#LogFacility LOG_MAIL
41
42# Enable verbose logging.
43# Default: no
44#LogVerbose yes
45
46# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
47# Default: no
48#LogRotate yes
49
50# Log additional information about the infected file, such as its
51# size and hash, together with the virus name.
52ExtendedDetectionInfo yes
53
54# This option allows you to save a process identifier of the listening
55# daemon (main thread).
56# Default: disabled
57PidFile /var/run/clamd.pid
58
59# Optional path to the global temporary directory.
60# Default: system specific (usually /tmp or /var/tmp).
61TemporaryDirectory /var/tmp
62
63# Path to the database directory.
64# Default: hardcoded (depends on installation options)
65DatabaseDirectory /var/lib/clamav
66
67# Only load the official signatures published by the ClamAV project.
68# Default: no
69#OfficialDatabaseOnly no
70
71# The daemon can work in local mode, network mode or both.
72# Due to security reasons we recommend the local mode.
73
74# Path to a local socket file the daemon will listen on.
75# Default: disabled (must be specified by a user)
76LocalSocket /tmp/clamd.socket
77
78# Sets the group ownership on the unix socket.
79# Default: disabled (the primary group of the user running clamd)
80#LocalSocketGroup virusgroup
81
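82# Sets the permissions on the unix socket to the specified mode.
83# Default: disabled (socket is world accessible, so any local user can connect and send commands to clamd; set a mode together with LocalSocketGroup to restrict clients)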
84#LocalSocketMode 660
85
86# Remove stale socket after unclean shutdown.
87# Default: yes
88#FixStaleSocket yes
89
90# TCP port address.
91# Default: no
92#TCPSocket 3310
93
94# TCP address.
95# By default clamd binds to INADDR_ANY (all interfaces), which is probably not wise:
96# the clamd protocol has no authentication. Enable the following to provide some degree of protection
97# from the outside world. This option can be specified multiple
98# times if you want to listen on multiple IPs. IPv6 is now supported.
99# Default: no
100#TCPAddr 127.0.0.1
101
102# Maximum length the queue of pending connections may grow to.
103# Default: 200
104#MaxConnectionQueueLength 30
105
106# Clamd uses FTP-like protocol to receive data from remote clients.
107# If you are using clamav-milter to balance load between remote clamd daemons
108# on firewall servers you may need to tune the options below.
109
110# Close the connection when the data size limit is exceeded.
111# The value should match your MTA's limit for a maximum attachment size.
112# Default: 25M
113#StreamMaxLength 10M
114
115# Limit port range.
116# Default: 1024
117#StreamMinPort 30000
118# Default: 2048
119#StreamMaxPort 32000
120
121# Maximum number of threads running at the same time.
122# Default: 10
123#MaxThreads 20
124
125# Waiting for data from a client socket will timeout after this time (seconds).
126# Default: 120
127#ReadTimeout 300
128
129# This option specifies the time (in seconds) after which clamd should
130# timeout if a client doesn't provide any initial command after connecting.
131# Default: 5
132#CommandReadTimeout 5
133
134# This option specifies how long to wait (in milliseconds) if the send buffer is full.
135# Keep this value low to prevent clamd hanging
136#
137# Default: 500
138#SendBufTimeout 200
139
140# Maximum number of queued items (including those being processed by MaxThreads threads)
141# It is recommended to have this value at least twice MaxThreads if possible.
142# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
143# the following condition should hold:
144# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6 < RLIMIT_NOFILE (usual max is 1024)
145#
146# Default: 100
147#MaxQueue 200
148
149# Waiting for a new job will timeout after this time (seconds).
150# Default: 30
151#IdleTimeout 60
152
153# Don't scan files and directories matching regex
154# This directive can be used multiple times
155# Default: scan all
156#ExcludePath ^/proc/
157#ExcludePath ^/sys/
158
159# Maximum depth directories are scanned at.
160# Default: 15
161#MaxDirectoryRecursion 20
162
163# Follow directory symlinks.
164# Default: no
165#FollowDirectorySymlinks yes
166
167# Follow regular file symlinks.
168# Default: no
169#FollowFileSymlinks yes
170
171# Scan files and directories on other filesystems.
172# Default: yes
173#CrossFilesystems yes
174
175# Perform a database check.
176# Default: 600 (10 min)
177#SelfCheck 600
178
179# Execute a command when virus is found. In the command string %v will
180# be replaced with the virus name.
181# Default: no
182#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
183
184# Run as another user (clamd must be started by root for this option to work)
185# Default: don't drop privileges
186User clamav
187
188# Initialize supplementary group access (clamd must be started by root).
189# Default: no
190#AllowSupplementaryGroups no
191
192# Stop daemon when libclamav reports out of memory condition.
193#ExitOnOOM yes
194
195# Don't fork into background.
196# Default: no
197#Foreground yes
198
199# Enable debug messages in libclamav.
200# Default: no
201#Debug yes
202
203# Do not remove temporary files (for debug purposes).
204# Default: no
205#LeaveTemporaryFiles yes
206
207# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
208# any ALLMATCHSCAN command as invalid.
209# Default: yes
210#AllowAllMatchScan no
211
212# Detect Possibly Unwanted Applications.
213# Default: no
214#DetectPUA yes
215
216# Exclude a specific PUA category. This directive can be used multiple times.
217# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
218# the complete list of PUA categories.
219# Default: Load all categories (if DetectPUA is activated)
220#ExcludePUA NetTool
221#ExcludePUA PWTool
222
223# Only include a specific PUA category. This directive can be used multiple
224# times.
225# Default: Load all categories (if DetectPUA is activated)
226#IncludePUA Spy
227#IncludePUA Scanner
228#IncludePUA RAT
229
230# In some cases (eg. complex malware, exploits in graphic files, and others),
231# ClamAV uses special algorithms to provide accurate detection. This option
232# controls the algorithmic detection.
233# Default: yes
234#AlgorithmicDetection yes
235
236# This option causes memory or nested map scans to dump the content to disk.
237# If you turn on this option, more data is written to disk and is available
238# when the LeaveTemporaryFiles option is enabled.
239#ForceToDisk yes
240
241# This option allows you to disable the caching feature of the engine. By
242# default, the engine will store an MD5 in a cache of any files that are
243# not flagged as virus or that hit limits checks. Disabling the cache will
244# have a negative performance impact on large scans.
245# Default: no
246#DisableCache yes
247
248##
249## Executable files
250##
251
252# PE stands for Portable Executable - it's an executable file format used
253# in all 32 and 64-bit versions of Windows operating systems. This option allows
254# ClamAV to perform a deeper analysis of executable files and it's also
255# required for decompression of popular executable packers such as UPX, FSG,
256# and Petite. If you turn off this option, the original files will still be
257# scanned, but without additional processing.
258# Default: yes
259#ScanPE yes
260
261# Certain PE files contain an authenticode signature. By default, we check
262# the signature chain in the PE file against a database of trusted and
263# revoked certificates if the file being scanned is marked as a virus.
264# If any certificate in the chain validates against any trusted root, but
265# does not match any revoked certificate, the file is marked as whitelisted.
266# If the file does match a revoked certificate, the file is marked as virus.
267# The following setting completely turns off authenticode verification.
268# Default: no
269#DisableCertCheck yes
270
271# Executable and Linking Format is a standard format for UN*X executables.
272# This option allows you to control the scanning of ELF files.
273# If you turn off this option, the original files will still be scanned, but
274# without additional processing.
275# Default: yes
276#ScanELF yes
277
278# With this option clamav will try to detect broken executables (both PE and
279# ELF) and mark them as Broken.Executable.
280# Default: no
281#DetectBrokenExecutables yes
282
283
284##
285## Documents
286##
287
288# This option enables scanning of OLE2 files, such as Microsoft Office
289# documents and .msi files.
290# If you turn off this option, the original files will still be scanned, but
291# without additional processing.
292# Default: yes
293#ScanOLE2 yes
294
295# With this option enabled OLE2 files with VBA macros, which were not
296# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
297# Default: no
298#OLE2BlockMacros no
299
300# This option enables scanning within PDF files.
301# If you turn off this option, the original files will still be scanned, but
302# without decoding and additional processing.
303# Default: yes
304#ScanPDF yes
305
306# This option enables scanning within SWF files.
307# If you turn off this option, the original files will still be scanned, but
308# without decoding and additional processing.
309# Default: yes
310#ScanSWF yes
311
312
313##
314## Mail files
315##
316
317# Enable internal e-mail scanner.
318# If you turn off this option, the original files will still be scanned, but
319# without parsing individual messages/attachments.
320# Default: yes
321#ScanMail yes
322
323# Scan RFC1341 messages split over many emails.
324# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
325# WARNING: This option may open your system to a DoS attack.
326# Never use it on loaded servers.
327# Default: no
328#ScanPartialMessages yes
329
330# With this option enabled ClamAV will try to detect phishing attempts by using
331# signatures.
332# Default: yes
333#PhishingSignatures yes
334
335# Scan URLs found in mails for phishing attempts using heuristics.
336# Default: yes
337#PhishingScanURLs yes
338
339# Always block SSL mismatches in URLs, even if the URL isn't in the database.
340# This can lead to false positives.
341#
342# Default: no
343#PhishingAlwaysBlockSSLMismatch no
344
345# Always block cloaked URLs, even if URL isn't in database.
346# This can lead to false positives.
347#
348# Default: no
349#PhishingAlwaysBlockCloak no
350
351# Detect partition intersections in raw disk images using heuristics.
352# Default: no
353#PartitionIntersection no
354
355# Allow heuristic match to take precedence.
356# When enabled, if a heuristic scan (such as phishingScan) detects
357# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
358# scan-time.
359# When disabled, virus/phish detected by heuristic scans will be reported only at
360# the end of a scan. If an archive contains both a heuristically detected
361# virus/phish, and a real malware, the real malware will be reported
362#
363# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
364# differently from "real" malware.
365# If a non-heuristically-detected virus (signature-based) is found first,
366# the scan is interrupted immediately, regardless of this config option.
367#
368# Default: no
369#HeuristicScanPrecedence yes
370
371
372##
373## Data Loss Prevention (DLP)
374##
375
376# Enable the DLP module
377# Default: No
378#StructuredDataDetection yes
379
380# This option sets the lowest number of Credit Card numbers found in a file
381# to generate a detection.
382# Default: 3
383#StructuredMinCreditCardCount 5
384
385# This option sets the lowest number of Social Security Numbers found
386# in a file to generate a detection.
387# Default: 3
388#StructuredMinSSNCount 5
389
390# With this option enabled the DLP module will search for valid
391# SSNs formatted as xxx-yy-zzzz
392# Default: yes
393#StructuredSSNFormatNormal yes
394
395# With this option enabled the DLP module will search for valid
396# SSNs formatted as xxxyyzzzz
397# Default: no
398#StructuredSSNFormatStripped yes
399
400
401##
402## HTML
403##
404
405# Perform HTML normalisation and decryption of MS Script Encoder code.
406# Default: yes
407# If you turn off this option, the original files will still be scanned, but
408# without additional processing.
409#ScanHTML yes
410
411
412##
413## Archives
414##
415
416# ClamAV can scan within archives and compressed files.
417# If you turn off this option, the original files will still be scanned, but
418# without unpacking and additional processing.
419# Default: yes
420#ScanArchive yes
421
422# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
423# Default: no
424#ArchiveBlockEncrypted no
425
426
427##
428## Limits
429##
430
431# The options below protect your system against Denial of Service attacks
432# using archive bombs.
433
434# This option sets the maximum amount of data to be scanned for each input file.
435# Archives and other containers are recursively extracted and scanned up to this
436# value.
437# Value of 0 disables the limit
438# Note: disabling this limit or setting it too high may result in severe damage
439# to the system.
440# Default: 100M
441#MaxScanSize 150M
442
443# Files larger than this limit won't be scanned. Affects the input file itself
444# as well as files contained inside it (when the input file is an archive, a
445# document or some other kind of container).
446# Value of 0 disables the limit.
447# Note: disabling this limit or setting it too high may result in severe damage
448# to the system.
449# Default: 25M
450#MaxFileSize 30M
451
452# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
453# file, all files within it will also be scanned. This option specifies how
454# deeply the process should be continued.
455# Note: setting this limit too high may result in severe damage to the system.
456# Default: 16
457#MaxRecursion 10
458
459# Number of files to be scanned within an archive, a document, or any other
460# container file.
461# Value of 0 disables the limit.
462# Note: disabling this limit or setting it too high may result in severe damage
463# to the system.
464# Default: 10000
465#MaxFiles 15000
466
467# Maximum size of a file to check for embedded PE. Files larger than this value
468# will skip the additional analysis step.
469# Note: disabling this limit or setting it too high may result in severe damage
470# to the system.
471# Default: 10M
472#MaxEmbeddedPE 10M
473
474# Maximum size of a HTML file to normalize. HTML files larger than this value
475# will not be normalized or scanned.
476# Note: disabling this limit or setting it too high may result in severe damage
477# to the system.
478# Default: 10M
479#MaxHTMLNormalize 10M
480
481# Maximum size of a normalized HTML file to scan. HTML files larger than this
482# value after normalization will not be scanned.
483# Note: disabling this limit or setting it too high may result in severe damage
484# to the system.
485# Default: 2M
486#MaxHTMLNoTags 2M
487
488# Maximum size of a script file to normalize. Script content larger than this
489# value will not be normalized or scanned.
490# Note: disabling this limit or setting it too high may result in severe damage
491# to the system.
492# Default: 5M
493#MaxScriptNormalize 5M
494
495# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
496# than this value will skip the step to potentially reanalyze as PE.
497# Note: disabling this limit or setting it too high may result in severe damage
498# to the system.
499# Default: 1M
500#MaxZipTypeRcg 1M
501
502# This option sets the maximum number of partitions of a raw disk image to be scanned.
503# Raw disk images with more partitions than this value will have up to the value number
504# partitions scanned. Negative values are not allowed.
505# Note: setting this limit too high may result in severe damage or impact performance.
506# Default: 50
507#MaxPartitions 128
508
509# This option sets the maximum number of icons within a PE to be scanned.
510# PE files with more icons than this value will have up to the value number icons scanned.
511# Negative values are not allowed.
512# WARNING: setting this limit too high may result in severe damage or impact performance.
513# Default: 100
514#MaxIconsPE 200
515
516##
517## On-access Scan Settings
518##
519
520# Enable on-access scanning. Currently, this is supported via fanotify.
521# Clamuko/Dazuko support has been deprecated.
522# Default: no
523#ScanOnAccess yes
524
525# Don't scan files larger than OnAccessMaxFileSize
526# Value of 0 disables the limit.
527# Default: 5M
528#OnAccessMaxFileSize 10M
529
530# Set the include paths (all files inside them will be scanned). You can have
531# multiple OnAccessIncludePath directives but each directory must be added
532# in a separate line. (On-access scan only)
533# Default: disabled
534#OnAccessIncludePath /home
535#OnAccessIncludePath /students
536
537# Set the exclude paths. All subdirectories are also excluded.
538# (On-access scan only)
539# Default: disabled
540#OnAccessExcludePath /home/bofh
541
542# With this option you can whitelist specific UIDs. Processes with these UIDs
543# will be able to access all files without their accesses being scanned.
544# This option can be used multiple times (one per line).
545# Default: disabled
546#OnAccessExcludeUID 0
547
548
549##
550## Bytecode
551##
552
553# With this option enabled ClamAV will load bytecode from the database.
554# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
555# Default: yes
556#Bytecode yes
557
558# Set bytecode security level.
559# Possible values:
560# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
561# This value is only available if clamav was built with --enable-debug!
562# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
563# insert runtime safety checks for bytecode loaded from other sources
564# Paranoid - don't trust any bytecode, insert runtime checks for all
565# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
566# Note that by default only signed bytecode is loaded, currently you can only
567# load unsigned bytecode in --enable-debug mode.
568#
569# Default: TrustSigned
570#BytecodeSecurity TrustSigned
571
572# Set bytecode timeout in milliseconds.
573#
574# Default: 5000
575# BytecodeTimeout 1000
576
577##
578## Statistics gathering and submitting
579##
580
581# Enable statistical reporting.
582# Default: no
583#StatsEnabled yes
584
585# Disable submission of individual PE sections for files flagged as malware.
586# Default: no
587#StatsPEDisabled yes
588
589# HostID in the form of an UUID to use when submitting statistical information.
590# Default: auto
591#StatsHostID auto
592
593# Time in seconds to wait for the stats server to come back with a response
594# Default: 10
595#StatsTimeout 10