clamd (5) Linux Manual Page
clamd.conf – Configuration file for Clam AntiVirus Daemon
Description
clamd.conf configures the Clam AntiVirus daemon, clamd(8).
File Format
The file consists of comments and options with arguments. Each line which starts with a hash (#) symbol is ignored by the parser. Options and arguments are case sensitive and of the form Option Argument. The arguments are of the following types:
BOOL- Boolean value (yes/no or true/false or 1/0).
STRING- String without blank characters.
SIZE- Size in bytes. You can use ‘M’ or ‘m’ modifiers for megabytes and ‘K’ or ‘k’ for kilobytes.
NUMBER- Unsigned integer.
Directives
When some option is not used (commented out or not included in the configuration file at all) clamd takes a default action.
Example- If this option is set clamd will not run.
LogFile STRING- Enable logging to selected file.
Default: no LogFileUnlock BOOL- Disable a system lock that protects against running clamd with the same configuration file multiple times.
Default: no LogFileMaxSize SIZE- Limit the size of the log file. The logger will be automatically disabled if the file is greater than SIZE. Value of 0 disables the limit.
Default: 1M LogTime BOOL- Log time for each message.
Default: no LogClean BOOL- Log clean files.
Default: no LogSyslog BOOL- Use system logger (can work together with LogFile).
Default: no LogFacility STRING- Specify the type of syslog messages – please refer to ‘man syslog’ for facility names.
Default: LOG_LOCAL6 LogVerbose BOOL- Enable verbose logging.
Default: no PidFile STRING- Save the process identifier of a listening daemon (main thread) to a specified file.
Default: no TemporaryDirectory STRING- Optional path to the global temporary directory.
Default: system specific (usually /tmp or /var/tmp). DatabaseDirectory STRING- Path to a directory containing database files.
Default: /var/lib/clamav LocalSocket STRING- Path to a local (Unix) socket the daemon will listen on.
Default: no FixStaleSocket BOOL- Remove stale socket after unclean shutdown.
Default: yes TCPSocket NUMBER- TCP port number the daemon will listen on.
Default: no TCPAddr STRING- TCP socket address to bind to. By default clamd binds to INADDR_ANY.
Default: no MaxConnectionQueueLength NUMBER- Maximum length the queue of pending connections may grow to.
Default: 15 MaxThreads NUMBER- Maximum number of threads running at the same time.
Default: 10 ReadTimeout NUMBER- Waiting for data from a client socket will timeout after this time (seconds).
Default: 120 CommandReadTimeout NUMBER- This option specifies the time (in seconds) after which clamd should timeout if a client doesn’t provide any initial command after connecting. Note: the timeout for subsequents commands, and/or data chunks is specified by ReadTimeout.
Default: 5 SendBufTimeout NUMBER- This option specifies how long to wait (in miliseconds) if the send buffer is full. Keep this value low to prevent clamd hanging.
Default: 500 MaxQueue NUMBER- Maximum number of queued items (including those being processed by MaxThreads threads). It is recommended to have this value at least twice MaxThreads if possible.
WARNING: you shouldn’t increase this too much to avoid running out of file descriptors, the following condition should hold: MaxThreads*MaxRecursion + MaxQueue – MaxThreads + 6 < RLIMIT_NOFILE.RLIMIT_NOFILE is the maximum number of open file descriptors (usually 1024), set byulimit -n.
Default: 100 IdleTimeout NUMBER- Waiting for a new job will timeout after this time (seconds).
Default: 30 ExcludePath REGEX- Don’t scan files and directories matching REGEX. This directive can be used multiple times.
Default: scan all MaxDirectoryRecursion NUMBER- Maximum depth directories are scanned at.
Default: 15 FollowDirectorySymlinks BOOL- Follow directory symlinks.
Default: no FollowFileSymlinks BOOL- Follow regular file symlinks.
Default: no SelfCheck NUMBER- Perform a database check.
Default: 1800 VirusEvent COMMAND- Execute COMMAND when a virus is found. In the command string %v will be replaced with the virus name.
Default: no ExitOnOOM BOOL- Stop daemon when libclamav reports out of memory condition.
Default: no User STRING- Run as another user (clamd must be started by root to make this option working).
Default: no AllowSupplementaryGroups BOOL- Initialize supplementary group access (clamd must be started by root).
Default: no Foreground BOOL- Don’t fork into background.
Default: no Debug BOOL- Enable debug messages from libclamav.
LeaveTemporaryFiles BOOL- Do not remove temporary files (for debug purpose).
Default: no StreamMaxLength SIZE- Clamd uses FTP-like protocol to receive data from remote clients. If you are using clamav-milter to balance load between remote clamd daemons on firewall servers you may need to tune the Stream* options. This option allows you to specify the upper limit for data size that will be transfered to remote daemon when scanning a single file. It should match your MTA’s limit for a maximum attachment size.
Default: 10M StreamMinPort NUMBER- Limit data port range.
Default: 1024 StreamMaxPort NUMBER- Limit data port range.
Default: 2048 DetectPUA- Detect Possibly Unwanted Applications.
Default: No ExcludePUA CATEGORY- Exclude a specific PUA category. This directive can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA categories.
Default: Load all categories (if DetectPUA is activated) IncludePUA CATEGORY- Only include a specific PUA category. This directive can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA categories.
Default: Load all categories (if DetectPUA is activated) AlgorithmicDetection BOOL- In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option controls the algorithmic detection.
Default: yes ScanPE BOOL- PE stands for Portable Executable – it’s an executable file format used in all 32 and 64-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it’s also required for decompression of popular executable packers such as UPX.
Default: yes ScanELF BOOL- Executable and Linking Format is a standard format for UN*X executables. This option allows you to control the scanning of ELF files.
Default: yes DetectBrokenExecutables BOOL- With this option clamd will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.
Default: no ScanOLE2 BOOL- This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.
Default: yes ScanPDF BOOL- This option enables scanning within PDF files.
Default: yes ScanHTML BOOL- Enables HTML detection and normalisation.
Default: yes ScanMail BOOL- Enable scanning of mail files.
Default: yes MailFollowURLs BOOL- If an email contains URLs ClamAV can download and scan them.
WARNING: This option may open your system to a DoS attack. Never use it on loaded servers.
Default: no ScanPartialMessages BOOL- Scan RFC1341 messages split over many emails. You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
WARNING: This option may open your system to a DoS attack. Never use it on loaded servers.
Default: no MailMaxRecursion NUMBER (OBSOLETE)WARNING:This option is no longer accepted. SeeMaxRecursion.PhishingSignatures BOOL- With this option enabled ClamAV will try to detect phishing attempts by using signatures.
Default: yes PhishingScanURLs BOOL- Scan URLs found in mails for phishing attempts using heuristics. This will classify "Possibly Unwanted" phishing emails as Phishing.Heuristics.Email.*
Default: yes PhishingAlwaysBlockSSLMismatch BOOL- Always block SSL mismatches in URLs, even if the URL isn’t in the database. This can lead to false positives.
Default: no PhishingAlwaysBlockCloak BOOL- Always block cloaked URLs, even if URL isn’t in database. This can lead to false positives.
Default: no HeuristicScanPrecedence BOOL- Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.
Default: no StructuredDataDetection BOOL- Enable the DLP module.
Default: no StructuredMinCreditCardCount NUMBER- This option sets the lowest number of Credit Card numbers found in a file to generate a detect.
Default: 3 StructuredMinSSNCount NUMBER- This option sets the lowest number of Social Security Numbers found in a file to generate a detect.
Default: 3 StructuredSSNFormatNormal BOOL- With this option enabled the DLP module will search for valid SSNs formatted as xxx-yy-zzzz.
Default: Yes StructuredSSNFormatStripped BOOL- With this option enabled the DLP module will search for valid SSNs formatted as xxxyyzzzz.
Default: No ScanArchive BOOL- Enable archive scanning.
Default: yes ArchiveMaxFileSize (OBSOLETE)WARNING:This option is no longer accepted. SeeMaxFileSizeandMaxScanSize.ArchiveMaxRecursion (OBSOLETE)WARNING:This option is no longer accepted. SeeMaxRecursion.ArchiveMaxFiles (OBSOLETE)WARNING:This option is no longer accepted. SeeMaxFiles.ArchiveMaxCompressionRatio (OBSOLETE)WARNING:This option is no longer accepted.ArchiveBlockMax (OBSOLETE)WARNING:This option is no longer accepted.ArchiveLimitMemoryUsage BOOL- Use slower decompression algorithm which uses less memory. This option only affects the bzip2 decompressor.
Default: no ArchiveBlockEncrypted BOOL- Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
Default: no MaxScanSize SIZE- Sets the maximum amount of data to be scanned for each input file. Archives and other containers are recursively extracted and scanned up to this value.
Warning: disabling this limit or setting it too high may result in severe damage to the system.
Default: 100M MaxFileSize SIZE- Files larger than this limit won’t be scanned. Affects the input file itself as well as files contained inside it (when the input file is an archive, a document or some other kind of container).
Warning: disabling this limit or setting it too high may result in severe damage to the system.
Default: 25M MaxRecursion NUMBER- Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR file, all files within it will also be scanned. This options specifies how deeply the process should be continued.
Warning: disabling this limit or setting it too high may result in severe damage to the system.
Default: 16 MaxFiles NUMBER- Number of files to be scanned within an archive, a document, or any other kind of container.
Warning: disabling this limit or setting it too high may result in severe damage to the system.
Default: 10000 ClamukoScanOnAccess BOOL- Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
Default: no ClamukoScanOnOpen BOOL- Scan files on open.
Default: no ClamukoScanOnClose BOOL- Scan files on close.
Default: no. ClamukoScanOnExec BOOL- Scan files on execute.
Default: no ClamukoIncludePath STRING- Set the include paths (all files and directories inside them will be scanned). You can have multiple ClamukoIncludePath directives but each directory must be added in a separate line).
Default: no ClamukoExcludePath STRING- Set the exclude paths. All subdirectories will also be excluded.
Default: no ClamukoMaxFileSize SIZE- Ignore files larger than SIZE.
Default: 5M
Notes
All options expressing a size are limited to max 4GB. Values in excess will be resetted to the maximum.
Files
/etc/clamd.conf
Author
Tomasz Kojm <tkojm [at] clamav.net>
See Also
clamd(8), clamdscan(1), clamav-milter(8), clamscan(1), freshclam(1), sigtool(1)