  1. ##
  2. ## Example config file for the Clam AV daemon
  3. ## Please read the clamd.conf(5) manual before editing this file.
  4. ##
  5.  
  6.  
  7. # Comment or remove the line below.
  8. #Example
  9.  
  10. # Uncomment this option to enable logging.
  11. # LogFile must be writable for the user running daemon.
  12. # A full path is required.
  13. # Default: disabled
  14. LogFile /var/log/clamav/clamd.log
  15.  
  16. # By default the log file is locked for writing - the lock protects against
  17. # running clamd multiple times (if you want to run another clamd, please
  18. # copy the configuration file, change the LogFile variable, and run
  19. # the daemon with --config-file option).
  20. # This option disables log file locking.
  21. # Default: no
  22. #LogFileUnlock yes
  23.  
  24. # Maximum size of the log file.
  25. # Value of 0 disables the limit; the log then grows without bound unless it is rotated externally.
  26. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
  27. # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
  28. # in bytes just don't use modifiers.
  29. # Default: 1M
  30. LogFileMaxSize 0
  31.  
  32. # Log time with each message.
  33. # Default: no
  34. LogTime yes
  35.  
  36. # Also log clean files. Useful in debugging but drastically increases the
  37. # log size.
  38. # Default: no
  39. #LogClean yes
  40.  
  41. # Use system logger (can work together with LogFile).
  42. # Default: no
  43. LogSyslog yes
  44.  
  45. # Specify the type of syslog messages - please refer to 'man syslog'
  46. # for facility names.
  47. # Default: LOG_LOCAL6
  48. #LogFacility LOG_MAIL
  49.  
  50. # Enable verbose logging.
  51. # Default: no
  52. #LogVerbose yes
  53.  
  54. # Log additional information about the infected file, such as its
  55. # size and hash, together with the virus name.
  56. #ExtendedDetectionInfo yes
  57.  
  58. # This option allows you to save a process identifier of the listening
  59. # daemon (main thread).
  60. # Default: disabled
  61. PidFile /var/run/clamav/clamd.pid
  62.  
  63. # Optional path to the global temporary directory.
  64. # Default: system specific (usually /tmp or /var/tmp).
  65. TemporaryDirectory /var/tmp
  66.  
  67. # Path to the database directory.
  68. # Default: hardcoded (depends on installation options)
  69. DatabaseDirectory /var/lib/clamav
  70.  
  71. # Only load the official signatures published by the ClamAV project.
  72. # Default: no
  73. #OfficialDatabaseOnly no
  74.  
  75. # The daemon can work in local mode, network mode or both.
  76. # For security reasons we recommend the local mode.
  77.  
  78. # Path to a local socket file the daemon will listen on.
  79. # Default: disabled (must be specified by a user)
  80. LocalSocket /var/run/clamav/clamd.sock
  81.  
  82. # Sets the group ownership on the unix socket.
  83. # Default: disabled (the primary group of the user running clamd)
  84. #LocalSocketGroup virusgroup
  85.  
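  86. # Sets the permissions on the unix socket to the specified mode.
  87. # Default: disabled (socket is world accessible). While this stays commented out, any local account can connect to the socket; set it together with LocalSocketGroup to restrict access to the intended clients.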
  88. #LocalSocketMode 660
  89.  
  90. # Remove stale socket after unclean shutdown.
  91. # Default: yes
  92. FixStaleSocket yes
  93.  
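  94. # TCP port number to listen on.
  95. # Default: no (TCP listener disabled). This file enables it alongside LocalSocket; if no client needs TCP, leave it commented out and use only the local socket.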
  96. TCPSocket 3310
  97.  
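  98. # TCP address to bind to.
  99. # By default clamd binds to INADDR_ANY (all interfaces), which is probably not wise.
  100. # Enable the following to provide some degree of protection
  101. # from the outside world. Note that a loopback port is still reachable by every local user.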
  102. # Default: no
  103. TCPAddr 127.0.0.1
  104.  
  105. # Maximum length the queue of pending connections may grow to.
  106. # Default: 200
  107. MaxConnectionQueueLength 30
  108.  
  109. # Clamd uses FTP-like protocol to receive data from remote clients.
  110. # If you are using clamav-milter to balance load between remote clamd daemons
  111. # on firewall servers you may need to tune the options below.
  112.  
  113. # Close the connection when the data size limit is exceeded.
  114. # The value should match your MTA's limit for a maximum attachment size.
  115. # Default: 25M
  116. #StreamMaxLength 10M
  117.  
  118. # Limit port range.
  119. # Default: 1024
  120. #StreamMinPort 30000
  121. # Default: 2048
  122. #StreamMaxPort 32000
  123.  
  124. # Maximum number of threads running at the same time.
  125. # Default: 10
  126. MaxThreads 50
  127.  
  128. # Waiting for data from a client socket will timeout after this time (seconds).
  129. # Default: 120
  130. ReadTimeout 300
  131.  
  132. # This option specifies the time (in seconds) after which clamd should
  133. # timeout if a client doesn't provide any initial command after connecting.
  134. # Default: 5
  135. #CommandReadTimeout 5
  136.  
  137. # This option specifies how long to wait (in milliseconds) if the send buffer is full.
  138. # Keep this value low to prevent clamd hanging
  139. #
  140. # Default: 500
  141. #SendBufTimeout 200
  142.  
  143. # Maximum number of queued items (including those being processed by MaxThreads threads)
  144. # It is recommended to have this value at least twice MaxThreads if possible.
  145. # WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
  146. # the following condition should hold:
  147. # MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6 < RLIMIT_NOFILE (usual max is 1024)
  148. #
  149. # Default: 100
  150. #MaxQueue 200
  151.  
  152. # Waiting for a new job will timeout after this time (seconds).
  153. # Default: 30
  154. #IdleTimeout 60
  155.  
  156. # Don't scan files and directories matching regex
  157. # This directive can be used multiple times
  158. # Default: scan all
  159. #ExcludePath ^/proc/
  160. #ExcludePath ^/sys/
  161.  
  162. # Maximum depth directories are scanned at.
  163. # Default: 15
  164. #MaxDirectoryRecursion 20
  165.  
  166. # Follow directory symlinks.
  167. # Default: no
  168. #FollowDirectorySymlinks yes
  169.  
  170. # Follow regular file symlinks.
  171. # Default: no
  172. #FollowFileSymlinks yes
  173.  
  174. # Scan files and directories on other filesystems.
  175. # Default: yes
  176. #CrossFilesystems yes
  177.  
  178. # Perform a database check.
  179. # Default: 600 (10 min)
  180. #SelfCheck 600
  181.  
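  182. # Execute a command when a virus is found. In the command string %v will
  183. # be replaced with the virus name. The command runs with the daemon's privileges, so point it at a fixed absolute path that unprivileged users cannot modify.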
  184. # Default: no
  185. #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
  186.  
  187. # Run as another user (clamd must be started by root for this option to work)
  188. # Default: don't drop privileges
  189. User clam
  190.  
  191. # Initialize supplementary group access (clamd must be started by root).
  192. # Default: no
  193. AllowSupplementaryGroups yes
  194.  
  195. # Stop daemon when libclamav reports out of memory condition.
  196. #ExitOnOOM yes
  197.  
  198. # Don't fork into background.
  199. # Default: no
  200. #Foreground yes
  201.  
  202. # Enable debug messages in libclamav.
  203. # Default: no
  204. #Debug yes
  205.  
  206. # Do not remove temporary files (for debug purposes).
  207. # Default: no
  208. #LeaveTemporaryFiles yes
  209.  
  210. # Detect Possibly Unwanted Applications.
  211. # Default: no
  212. #DetectPUA yes
  213.  
  214. # Exclude a specific PUA category. This directive can be used multiple times.
  215. # See http://www.clamav.net/support/pua for the complete list of PUA
  216. # categories.
  217. # Default: Load all categories (if DetectPUA is activated)
  218. #ExcludePUA NetTool
  219. #ExcludePUA PWTool
  220.  
  221. # Only include a specific PUA category. This directive can be used multiple
  222. # times.
  223. # Default: Load all categories (if DetectPUA is activated)
  224. #IncludePUA Spy
  225. #IncludePUA Scanner
  226. #IncludePUA RAT
  227.  
  228. # In some cases (eg. complex malware, exploits in graphic files, and others),
  229. # ClamAV uses special algorithms to provide accurate detection. This option
  230. # controls the algorithmic detection.
  231. # Default: yes
  232. #AlgorithmicDetection yes
  233.  
  234.  
  235. ##
  236. ## Executable files
  237. ##
  238.  
  239. # PE stands for Portable Executable - it's an executable file format used
  240. # in all 32 and 64-bit versions of Windows operating systems. This option allows
  241. # ClamAV to perform a deeper analysis of executable files and it's also
  242. # required for decompression of popular executable packers such as UPX, FSG,
  243. # and Petite. If you turn off this option, the original files will still be
  244. # scanned, but without additional processing.
  245. # Default: yes
  246. ScanPE yes
  247.  
  248. # Executable and Linking Format is a standard format for UN*X executables.
  249. # This option allows you to control the scanning of ELF files.
  250. # If you turn off this option, the original files will still be scanned, but
  251. # without additional processing.
  252. # Default: yes
  253. ScanELF yes
  254.  
  255. # With this option clamav will try to detect broken executables (both PE and
  256. # ELF) and mark them as Broken.Executable.
  257. # Default: no
  258. DetectBrokenExecutables yes
  259.  
  260.  
  261. ##
  262. ## Documents
  263. ##
  264.  
  265. # This option enables scanning of OLE2 files, such as Microsoft Office
  266. # documents and .msi files.
  267. # If you turn off this option, the original files will still be scanned, but
  268. # without additional processing.
  269. # Default: yes
  270. ScanOLE2 yes
  271.  
  272.  
  273. # With this option enabled OLE2 files with VBA macros, which were not
  274. # detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
  275. # Default: no
  276. #OLE2BlockMacros no
  277.  
  278. # This option enables scanning within PDF files.
  279. # If you turn off this option, the original files will still be scanned, but
  280. # without decoding and additional processing.
  281. # Default: yes
  282. #ScanPDF yes
  283.  
  284.  
  285. ##
  286. ## Mail files
  287. ##
  288.  
  289. # Enable internal e-mail scanner.
  290. # If you turn off this option, the original files will still be scanned, but
  291. # without parsing individual messages/attachments.
  292. # Default: yes
  293. ScanMail yes
  294.  
  295. # Scan RFC1341 messages split over many emails.
  296. # You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
  297. # WARNING: This option may open your system to a DoS attack.
  298. # Never use it on loaded servers.
  299. # Default: no
  300. #ScanPartialMessages yes
  301.  
  302.  
  303. # With this option enabled ClamAV will try to detect phishing attempts by using
  304. # signatures.
  305. # Default: yes
  306. #PhishingSignatures yes
  307.  
  308. # Scan URLs found in mails for phishing attempts using heuristics.
  309. # Default: yes
  310. #PhishingScanURLs yes
  311.  
  312. # Always block SSL mismatches in URLs, even if the URL isn't in the database.
  313. # This can lead to false positives.
  314. #
  315. # Default: no
  316. #PhishingAlwaysBlockSSLMismatch no
  317.  
  318. # Always block cloaked URLs, even if URL isn't in database.
  319. # This can lead to false positives.
  320. #
  321. # Default: no
  322. #PhishingAlwaysBlockCloak no
  323.  
  324. # Allow heuristic match to take precedence.
  325. # When enabled, if a heuristic scan (such as phishingScan) detects
  326. # a possible virus/phish it will stop scan immediately. Recommended, saves CPU
  327. # scan-time.
  328. # When disabled, virus/phish detected by heuristic scans will be reported only at
  329. # the end of a scan. If an archive contains both a heuristically detected
  330. # virus/phish, and a real malware, the real malware will be reported
  331. #
  332. # Keep this disabled if you intend to handle "*.Heuristics.*" viruses
  333. # differently from "real" malware.
  334. # If a non-heuristically-detected virus (signature-based) is found first,
  335. # the scan is interrupted immediately, regardless of this config option.
  336. #
  337. # Default: no
  338. #HeuristicScanPrecedence yes
  339.  
  340. ##
  341. ## Data Loss Prevention (DLP)
  342. ##
  343.  
  344. # Enable the DLP module
  345. # Default: No
  346. #StructuredDataDetection yes
  347.  
  348. # This option sets the lowest number of Credit Card numbers found in a file
  349. # to generate a detection.
  350. # Default: 3
  351. #StructuredMinCreditCardCount 5
  352.  
  353. # This option sets the lowest number of Social Security Numbers found
  354. # in a file to generate a detection.
  355. # Default: 3
  356. #StructuredMinSSNCount 5
  357.  
  358. # With this option enabled the DLP module will search for valid
  359. # SSNs formatted as xxx-yy-zzzz
  360. # Default: yes
  361. #StructuredSSNFormatNormal yes
  362.  
  363. # With this option enabled the DLP module will search for valid
  364. # SSNs formatted as xxxyyzzzz
  365. # Default: no
  366. #StructuredSSNFormatStripped yes
  367.  
  368.  
  369. ##
  370. ## HTML
  371. ##
  372.  
  373. # Perform HTML normalisation and decryption of MS Script Encoder code.
  374. # Default: yes
  375. # If you turn off this option, the original files will still be scanned, but
  376. # without additional processing.
  377. #ScanHTML yes
  378.  
  379.  
  380. ##
  381. ## Archives
  382. ##
  383.  
  384. # ClamAV can scan within archives and compressed files.
  385. # If you turn off this option, the original files will still be scanned, but
  386. # without unpacking and additional processing.
  387. # Default: yes
  388. ScanArchive yes
  389.  
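  390. # Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
  391. # Default: no. With 'no', encrypted archives are not flagged, and their contents generally cannot be inspected by the scanner.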
  392. ArchiveBlockEncrypted no
  393.  
  394.  
  395. ##
  396. ## Limits
  397. ##
  398.  
  399. # The options below protect your system against Denial of Service attacks
  400. # using archive bombs.
  401.  
  402. # This option sets the maximum amount of data to be scanned for each input file.
  403. # Archives and other containers are recursively extracted and scanned up to this
  404. # value.
  405. # Value of 0 disables the limit
  406. # Note: disabling this limit or setting it too high may result in severe damage
  407. # to the system.
  408. # Default: 100M
  409. #MaxScanSize 150M
  410.  
  411. # Files larger than this limit won't be scanned. Affects the input file itself
  412. # as well as files contained inside it (when the input file is an archive, a
  413. # document or some other kind of container).
  414. # Value of 0 disables the limit.
  415. # Note: disabling this limit or setting it too high may result in severe damage
  416. # to the system.
  417. # Default: 25M
  418. #MaxFileSize 30M
  419.  
  420. # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
  421. # file, all files within it will also be scanned. This option specifies how
  422. # deeply the process should be continued.
  423. # Note: setting this limit too high may result in severe damage to the system.
  424. # Default: 16
  425. #MaxRecursion 10
  426.  
  427. # Number of files to be scanned within an archive, a document, or any other
  428. # container file.
  429. # Value of 0 disables the limit.
  430. # Note: disabling this limit or setting it too high may result in severe damage
  431. # to the system.
  432. # Default: 10000
  433. #MaxFiles 15000
  434.  
  435.  
  436. ##
  437. ## Clamuko settings
  438. ##
  439.  
  440. # Enable Clamuko. Dazuko must be configured and running. Clamuko supports
  441. # both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
  442. # is the preferred option. For more information please visit www.dazuko.org
  443. # Default: no
  444. #ClamukoScanOnAccess yes
  445.  
  446. # The number of scanner threads that will be started (DazukoFS only).
  447. # Having multiple scanner threads allows Clamuko to serve multiple
  448. # processes simultaneously. This is particularly beneficial on SMP machines.
  449. # Default: 3
  450. #ClamukoScannerCount 3
  451.  
  452. # Don't scan files larger than ClamukoMaxFileSize
  453. # Value of 0 disables the limit.
  454. # Default: 5M
  455. #ClamukoMaxFileSize 10M
  456.  
  457. # Set access mask for Clamuko (Dazuko only).
  458. # Default: no
  459. #ClamukoScanOnOpen yes
  460. #ClamukoScanOnClose yes
  461. #ClamukoScanOnExec yes
  462.  
  463. # Set the include paths (all files inside them will be scanned). You can have
  464. # multiple ClamukoIncludePath directives but each directory must be added
  465. # on a separate line. (Dazuko only)
  466. # Default: disabled
  467. #ClamukoIncludePath /home
  468. #ClamukoIncludePath /students
  469.  
  470. # Set the exclude paths. All subdirectories are also excluded. (Dazuko only)
  471. # Default: disabled
  472. #ClamukoExcludePath /home/bofh
  473.  
  474. # With this option you can whitelist specific UIDs. Processes with these UIDs
  475. # will be able to access all files.
  476. # This option can be used multiple times (one per line).
  477. # Default: disabled
  478. #ClamukoExcludeUID 0
  479.  
  480. # With this option enabled ClamAV will load bytecode from the database.
  481. # It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
  482. # Default: yes
  483. #Bytecode yes
  484.  
  485. # Set bytecode security level.
  486. # Possible values:
  487. # None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
  488. # This value is only available if clamav was built with --enable-debug!
  489. # TrustSigned - trust bytecode loaded from signed .c[lv]d files,
  490. # insert runtime safety checks for bytecode loaded from other sources
  491. # Paranoid - don't trust any bytecode, insert runtime checks for all
  492. # Recommended: TrustSigned, because bytecode in .cvd files already has these checks
  493. # Note that by default only signed bytecode is loaded, currently you can only
  494. # load unsigned bytecode in --enable-debug mode.
  495. #
  496. # Default: TrustSigned
  497. #BytecodeSecurity TrustSigned
  498.  
  499. # Set bytecode timeout in milliseconds.
  500. #
  501. # Default: 5000
  502. # BytecodeTimeout 1000