## ## clamd - automatically generated by clamconf 0.103.3 ## # # Default: no #AlertExceedsMax # Enable prelude # Default: no #PreludeEnable # Name of the analyzer as seen in prewikka # Default: disabled #PreludeAnalyzerName # Save all reports to a log file. # Default: disabled LogFile /var/share/clamav/clamd.log # By default the log file is locked for writing and only a single # daemon process can write to it. This option disables the lock. # Default: yes #LogFileUnlock no # Maximum size of the log file. # Value of 0 disables the limit. # NOTE: If the application starts and the maximum size has already been reach, # logging gets disabled. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 1048576 LogFileMaxSize 0 # Log time with each message. # Default: yes LogTime yes # Log all clean files. # Useful in debugging but drastically increases the log size. # Default: disabled #LogClean yes # Use the system logger (can work together with LogFile). # Default: disabled #LogSyslog yes # Type of syslog messages. # Please refer to 'man syslog' for the facility names. # Default: LOG_LOCAL6 #LogFacility # Enable verbose logging. # Default: disabled #LogVerbose yes # Rotate log file. Requires LogFileMaxSize option set prior to this option. # Default: no #LogRotate yes # Log additional information about the infected file, such as its # size and hash, together with the virus name. # Default: disabled #ExtendedDetectionInfo yes # Save the process ID to a file. # Default: disabled #PidFile /var/share/clamav/clamd.pid # This option allows you to change the default temporary directory. # Default: disabled #TemporaryDirectory /tmp # This option allows you to change the default database directory. # If you enable it, please make sure it points to the same directory in # both clamd and freshclam. # Default: /var/share/clamav DatabaseDirectory /var/share/clamav # Only load the official signatures published by the ClamAV project. # Default: no #OfficialDatabaseOnly yes # Path to a local socket file the daemon will listen on. # Default: disabled LocalSocket /var/share/clamav/clamd.sock # Sets the permissions on the unix socket to the specified mode. # Default: 666 LocalSocketMode 666 # Remove a stale socket after unclean shutdown # Default: yes FixStaleSocket yes # A TCP port number the daemon will listen on. # Default: disabled #TCPSocket 3310 # By default clamd binds to INADDR_ANY. This option allows you to restrict the # TCP address and provide # some degree of protection from the outside world. # Default: disabled #TCPAddr all # Maximum length the queue of pending connections may grow to. # Default: 200 #MaxConnectionQueueLength 30 # Close the STREAM session when the data size limit is exceeded. # The value should match your MTA's limit for the maximum attachment size. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 26214400 StreamMaxLength 10M # The STREAM command uses an FTP-like protocol. # This option sets the lower boundary for the port range. # Default: 1024 #StreamMinPort 1024 # This option sets the upper boundary for the port range. # Default: 2048 #StreamMaxPort 2048 # Maximum number of threads running at the same time. # Default: 10 MaxThreads 20 # This option specifies the time (in seconds) after which clamd should # timeout if a client doesn't provide any data. # Default: 120 #ReadTimeout 120 # This option specifies the time (in seconds) after which clamd should # timeout if a client doesn't provide any initial command after connecting. # Default: 30 #CommandReadTimeout 30 # This option specifies how long to wait (in milliseconds) if the send buffer # is full. Keep this value low to prevent clamd hanging. # Default: 500 #SendBufTimeout 200 # Maximum number of queued items (including those being processed by MaxThreads # threads). It is recommended to have this value at least twice MaxThreads if # possible. WARNING: you shouldn't increase this too much to avoid running out # of file descriptors, the following condition should hold: # MaxThreads * MaxRecursion + MaxQueue - MaxThreads + 6 < RLIMIT_NOFILE # Usually max. for RLIMIT_NOFILE is 1024. # Default: 100 #MaxQueue 200 # This option specifies how long (in seconds) the process should wait # for a new job. # Default: 30 #IdleTimeout 60 # Don't scan files/directories whose names match the provided # regular expression. This option can be specified multiple times. # Default: disabled ExcludePath ^/proc/ #ExcludePath ^/sys/ # Maximum depth the directories are scanned at. # Default: 15 #MaxDirectoryRecursion 15 # Follow directory symlinks. # Default: no #FollowDirectorySymlinks no # Follow symlinks to regular files. # Default: no #FollowFileSymlinks no # Scan files and directories on other filesystems. # Default: yes #CrossFilesystems no # This option specifies the time intervals (in seconds) in which clamd # should perform a database check. # Default: 600 #SelfCheck 600 # Enable non-blocking (multi-threaded/concurrent) database reloads. This feature # will temporarily load a second scanning engine while scanning continues using # the first engine. Once loaded, the new engine takes over. The old engine is # removed as soon as all scans using the old engine have completed. This feature # requires more RAM, so this option is provided in case users are willing to # block scans during reload in exchange for lower RAM requirements. # Default: yes #ConcurrentDatabaseReload yes # This option allows you to disable clamd's caching feature. # Default: no #DisableCache no # Execute a command when a virus is found. In the command string %v will be # replaced with the virus name. Additionally, two environment variables will # be defined: $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME. # Default: disabled #VirusEvent /usr/bin/mailx -s "ClamAV VIRUS ALERT: %v" alert < /dev/null # Stop the daemon when libclamav reports an out of memory condition. # Default: no ExitOnOOM yes # Permit use of the ALLMATCHSCAN command. # Default: yes #AllowAllMatchScan yes # Don't fork into background. # Default: no #Foreground yes # Enable debug messages in libclamav. # Default: disabled #Debug yes # Don't remove temporary files (for debugging purposes). # Default: no #LeaveTemporaryFiles no # With this option enabled ClamAV will load bytecode from the database. It is # highly recommended you keep this option on, otherwise you'll miss detections # for many new viruses. # Default: yes #Bytecode yes # Set bytecode security level. Possible values: # TrustSigned - trust bytecode loaded from signed .c[lv]d files, insert # runtime safety checks for bytecode loaded from other # sources. This recommended because bytecode in .cvd files # already has these checks. # Paranoid - don't trust any bytecode, insert runtime checks for all. # Default: TrustSigned #BytecodeSecurity TrustSigned # Set bytecode timeout in milliseconds. # Default: 10000 #BytecodeTimeout 10000 # Allow loading bytecode from outside digitally signed .c[lv]d files. # Default: no #BytecodeUnsigned no # Set bytecode execution mode. Possible values: # Auto - automatically choose JIT if possible, fallback to interpreter # ForceJIT - always choose JIT, fail if not possible # ForceInterpreter - always choose interpreter # Test - run with both JIT and interpreter and compare results. Make all # failures fatal. # Default: Auto #BytecodeMode Auto # Detect Potentially Unwanted Applications. # Default: no #DetectPUA yes # Exclude a specific PUA category. This directive can be used multiple times. # See https://www.clamav.net/documents/potentially-unwanted-applications-pua for the complete list of PUA # categories. # Default: disabled #ExcludePUA NetTool #ExcludePUA PWTool # Only include a specific PUA category. This directive can be used multiple # times. # Default: disabled #IncludePUA Spy #IncludePUA Scanner #IncludePUA RAT # PE stands for Portable Executable - it's an executable file format used # in all 32- and 64-bit versions of Windows operating systems. This option # allows ClamAV to perform a deeper analysis of executable files and it's also # required for decompression of popular executable packers such as UPX or FSG. # If you turn off this option, the original files will still be scanned, but # without additional processing. # Default: yes #ScanPE yes # Executable and Linking Format is a standard format for UN*X executables. # This option allows you to control the scanning of ELF files. # If you turn off this option, the original files will still be scanned, but # without additional processing. # Default: yes #ScanELF yes # Enable the built in email scanner. # If you turn off this option, the original files will still be scanned, but # without parsing individual messages/attachments. # Default: yes ScanMail yes # Scan RFC1341 messages split over many emails. You will need to # periodically clean up $TemporaryDirectory/clamav-partial directory. # WARNING: This option may open your system to a DoS attack. Please don't use # this feature on highly loaded servers. # Default: no #ScanPartialMessages no # With this option enabled ClamAV will try to detect phishing attempts by using # signatures. # Default: yes #PhishingSignatures yes # Scan URLs found in mails for phishing attempts using heuristics. # Default: yes #PhishingScanURLs yes # In some cases (eg. complex malware, exploits in graphic files, and others), # ClamAV uses special algorithms to provide accurate detection. This option # controls the algorithmic detection. # Default: yes #HeuristicAlerts yes # Allow heuristic match to take precedence. # When enabled, if a heuristic scan (such as phishingScan) detects # a possible virus/phish it will stop scan immediately. Recommended, saves CPU # scan-time. # When disabled, virus/phish detected by heuristic scans will be reported only # at the end of a scan. If an archive contains both a heuristically detected # virus/phish, and a real malware, the real malware will be reported. # Keep this disabled if you intend to handle "*.Heuristics.*" viruses # differently from "real" malware. # If a non-heuristically-detected virus (signature-based) is found first, # the scan is interrupted immediately, regardless of this config option. # Default: yes HeuristicScanPrecedence yes # Enable the Data Loss Prevention module. # Default: no #StructuredDataDetection no # This option sets the lowest number of Credit Card numbers found in a file # to generate a detect. # Default: 3 #StructuredMinCreditCardCount 5 # This option sets the lowest number of Social Security Numbers found # in a file to generate a detect. # Default: 3 #StructuredMinSSNCount 5 # With this option enabled the DLP module will search for valid # SSNs formatted as xxx-yy-zzzz. # Default: no #StructuredSSNFormatNormal yes # With this option enabled the DLP module will search for valid # SSNs formatted as xxxyyzzzz # Default: no #StructuredSSNFormatStripped no # Perform HTML/JavaScript/ScriptEncoder normalisation and decryption. # If you turn off this option, the original files will still be scanned, but # without additional processing. # Default: yes #ScanHTML yes # This option enables scanning of OLE2 files, such as Microsoft Office # documents and .msi files. # If you turn off this option, the original files will still be scanned, but # without additional processing. # Default: yes #ScanOLE2 yes # With this option enabled clamav will try to detect broken executables # (PE, ELF, & Mach-O) and alert on them with a Broken.Executable heuristic signature. # Default: no #AlertBrokenExecutables yes # With this option enabled clamav will try to detect broken media files # (JPEG, TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature. # Default: no #AlertBrokenMedia yes # Alert on encrypted archives and documents (encrypted .zip, .7zip, .rar, .pdf). # Default: no #AlertEncrypted no # With this option enabled the DLP module will search for valid Credit Card # numbers only. Debit and Private Label cards will not be searched. # Default: no #StructuredCCOnly no # Alert on encrypted archives (encrypted .zip, .7zip, .rar). # Default: no #AlertEncryptedArchive no # Alert on encrypted documents (encrypted .pdf). # Default: no #AlertEncryptedDoc no # With this option enabled OLE2 files with VBA macros, which were not # detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros". # Default: no #AlertOLE2Macros no # Alert on SSL mismatches in URLs, even if they're not in the database. # This feature can lead to false positives. # Default: no #AlertPhishingSSLMismatch # Alert on cloaked URLs, even if they're not in the database. # This feature can lead to false positives. # Default: no #AlertPhishingCloak no # Alert on raw DMG image files containing partition intersections. # Default: no #AlertPartitionIntersection yes # This option enables scanning within PDF files. # If you turn off this option, the original files will still be scanned, but # without decoding and additional processing. # Default: yes #ScanPDF yes # This option enables scanning within SWF files. # If you turn off this option, the original files will still be scanned, but # without decoding and additional processing. # Default: yes #ScanSWF yes # This option enables scanning xml-based document files supported by libclamav. # If you turn off this option, the original files will still be scanned, but # without additional processing. # Default: yes #ScanXMLDOCS yes # This option enables scanning HWP3 files. # If you turn off this option, the original files will still be scanned, but # without additional processing. # Default: yes #ScanHWP3 yes # Scan within archives and compressed files. # If you turn off this option, the original files will still be scanned, but # without unpacking and additional processing. # Default: yes #ScanArchive yes # This option causes memory or nested map scans to dump the content to disk. # If you turn on this option, more data is written to disk and is available # when the leave-temps option is enabled at the cost of more disk writes. # Default: no #ForceToDisk no # This option sets the maximum amount of time a scan may take to complete. # The value of 0 disables the limit. # WARNING: disabling this limit or setting it too high may result allow scanning # of certain files to lock up the scanning process/threads resulting in a Denial of Service. # The value is in milliseconds. # Default: 0 #MaxScanTime 120000 # This option sets the maximum amount of data to be scanned for each input file. # Archives and other containers are recursively extracted and scanned up to this # value. # The value of 0 disables the limit. # WARNING: disabling this limit or setting it too high may result in severe # damage. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 104857600 #MaxScanSize 100M # Files/messages larger than this limit won't be scanned. Affects the input # file itself as well as files contained inside it (when the input file is # an archive, a document or some other kind of container). # The value of 0 disables the limit. # WARNING: disabling this limit or setting it too high may result in severe # damage to the system. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 26214400 #MaxFileSize 25M # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR # file, all files within it will also be scanned. This option specifies how # deeply the process should be continued. # The value of 0 disables the limit. # WARNING: disabling this limit or setting it too high may result in severe # damage to the system. # Default: 16 #MaxRecursion 16 # Number of files to be scanned within an archive, a document, or any other # container file. # The value of 0 disables the limit. # WARNING: disabling this limit or setting it too high may result in severe # damage to the system. # Default: 10000 #MaxFiles 10000 # This option sets the maximum size of a file to check for embedded PE. # Files larger than this value will skip the additional analysis step. # Negative values are not allowed. # WARNING: setting this limit too high may result in severe damage or impact performance. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 10485760 #MaxEmbeddedPE 10M # This option sets the maximum size of a HTML file to normalize. # HTML files larger than this value will not be normalized or scanned. # Negative values are not allowed. # WARNING: setting this limit too high may result in severe damage or impact performance. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 10485760 #MaxHTMLNormalize 10M # This option sets the maximum size of a normalized HTML file to scan. # HTML files larger than this value after normalization will not be scanned. # Negative values are not allowed. # WARNING: setting this limit too high may result in severe damage or impact performance. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 2097152 #MaxHTMLNoTags 2M # This option sets the maximum size of a script file to normalize. # Script content larger than this value will not be normalized or scanned. # Negative values are not allowed. # WARNING: setting this limit too high may result in severe damage or impact performance. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 5242880 #MaxScriptNormalize 5M # This option sets the maximum size of a ZIP file to reanalyze type recognition. # ZIP files larger than this value will skip the step to potentially reanalyze as PE. # Negative values are not allowed. # WARNING: setting this limit too high may result in severe damage or impact performance. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 1048576 #MaxZipTypeRcg 1M # This option sets the maximum number of partitions of a raw disk image to be scanned. # Raw disk images with more partitions than this value will have up to the value number partitions scanned. # Negative values are not allowed. # WARNING: setting this limit too high may result in severe damage or impact performance. # Default: 50 #MaxPartitions 128 # This option sets the maximum number of icons within a PE to be scanned. # PE files with more icons than this value will have up to the value number icons scanned. # Negative values are not allowed. # WARNING: setting this limit too high may result in severe damage or impact performance. # Default: 100 #MaxIconsPE 100 # This option sets the maximum recursive calls to HWP3 parsing function. # HWP3 files using more than this limit will be terminated and alert the user. # Scans will be unable to scan any HWP3 attachments if the recursive limit is reached. # Negative values are not allowed. # WARNING: setting this limit too high may result in severe damage or impact performance. # Default: 16 #MaxRecHWP3 16 # This option sets the maximum calls to the PCRE match function during an instance of regex matching. # Instances using more than this limit will be terminated and alert the user but the scan will continue. # For more information on match_limit, see the PCRE documentation. # Negative values are not allowed. # WARNING: setting this limit too high may severely impact performance. # Default: 100000 #PCREMatchLimit 100000 # This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching. # Instances using more than this limit will be terminated and alert the user but the scan will continue. # For more information on match_limit_recursion, see the PCRE documentation. # Negative values are not allowed and values > PCREMatchLimit are superfluous. # WARNING: setting this limit too high may severely impact performance. # Default: 2000 #PCRERecMatchLimit 5000 # This option sets the maximum filesize for which PCRE subsigs will be executed. # Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer. # Negative values are not allowed. # Setting this value to zero disables the limit. # WARNING: setting this limit too high or disabling it may severely impact performance. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 26214400 #PCREMaxFileSize 25M # This option specifies a directory or mount point which should be scanned on access. The mount point specified, or the mount point containing the specified directory will be watched, but only notifications will occur. If any directories are specified, this option will preempt the DDD system. It can also be used multiple times. # Default: disabled #OnAccessMountPath / #OnAccessMountPath /home/user # This option specifies a directory (including all files and directories # inside it), which should be scanned on access. This option can # be used multiple times. # Default: disabled #OnAccessIncludePath /home #OnAccessIncludePath /students # This option allows excluding directories from on-access scanning. It can # be used multiple times. Only works with DDD system. # Default: disabled #OnAccessExcludePath /home/bofh #OnAccessExcludePath /root # Use this option to whitelist the root UID (0) and allow any processes run under root to access all watched files without triggering scans. # Default: disabled #OnAccessExcludeRootUID no # With this option you can whitelist specific UIDs. Processes with these UIDs # will be able to access all files. # This option can be used multiple times (one per line). Using a value of 0 on any line will disable this option entirely. To whitelist the root UID please enable the OnAccessExcludeRootUID option. # Default: disabled #OnAccessExcludeUID 0 # This option allows exclusions via user names when using the on-access scanning client. It can # be used multiple times. # Default: disabled #OnAccessExcludeUname clamuser # Files larger than this value will not be scanned in on access. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 5242880 #OnAccessMaxFileSize 5M # This option toggles the dynamic directory determination system for on-access scanning (Linux only). # Default: no #OnAccessDisableDDD no # This option changes fanotify behavior to prevent access attempts on malicious files instead of simply notifying the user (On Access scan only). # Default: no #OnAccessPrevention yes # Enables extra scanning and notification after catching certain inotify events. Only works with the DDD system enabled. # Default: no #OnAccessExtraScanning yes # Max amount of time (in milliseconds) that the OnAccess client should spend for every connect, send, and recieve attempt when communicating with clamd via curl (5s default) # Default: 5000 #OnAccessCurlTimeout 10000L # Max number of scanning threads to allocate to the OnAccess thread pool at startup--these threads are the ones responsible for creating a connection with the daemon and kicking off scanning after an event has been processed. To prevent clamonacc from consuming all clamd's resources keep this lower than clamd's max threads. Default is 5 # Default: 5 #OnAccessMaxThreads 10 # Number of times the OnAccess client will retry a failed scan due to connection problems (or other issues). Defaults to no retries. # Default: 0 #OnAccessRetryAttempts 3 # When using prevention, if this option is turned on, any errors that occur during scanning will result in the event attempt being denied. This could potentially lead to unwanted system behaviour with certain configurations, so the client defaults to off and allowing access events in case of error. # Default: no #OnAccessDenyOnError yes # Disable authenticode certificate chain verification in PE files. # Default: no #DisableCertCheck no # Deprecated option to enable heuristic alerts (e.g. "Heuristics.") # Default: yes #AlgorithmicDetection no # # Default: no #BlockMax # Deprecated option to alert on SSL mismatches in URLs, even if they're not in the database. # This feature can lead to false positives. # Default: no #PhishingAlwaysBlockSSLMismatch no # Deprecated option to alert on cloaked URLs, even if they're not in the database. # This feature can lead to false positives. # Default: no #PhishingAlwaysBlockCloak no # Deprecated option to alert on raw DMG image files containing partition intersections. # Default: no #PartitionIntersection no # With this option enabled OLE2 files with VBA macros, which were not # detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros". # Default: no #OLE2BlockMacros no # Deprecated option to alert on encrypted archives and documents (encrypted .zip, .7zip, .rar, .pdf). # Default: no #ArchiveBlockEncrypted no