Provided by: clamav-base_0.98.1+dfsg-4ubuntu1_all 
NAME
clamd.conf - Configuration file for Clam AntiVirus Daemon
DESCRIPTION
clamd.conf configures the Clam AntiVirus daemon, clamd(8).
FILE FORMAT
The file consists of comments and options with arguments. Each line which starts with a
hash (#) symbol is ignored by the parser. Options and arguments are case sensitive and of
the form Option Argument. The arguments are of the following types:
BOOL Boolean value (yes/no or true/false or 1/0).
STRING String without blank characters.
SIZE Size in bytes. You can use 'M' or 'm' modifiers for megabytes and 'K' or 'k' for
kilobytes.
NUMBER Unsigned integer.
DIRECTIVES
When some option is not used (commented out or not included in the configuration file at
all) clamd takes a default action.
Example
If this option is set clamd will not run.
LogFile STRING
Enable logging to selected file.
Default: no
LogFileUnlock BOOL
Disable a system lock that protects against running clamd with the same
configuration file multiple times.
Default: no
LogFileMaxSize SIZE
Limit the size of the log file. The logger will be automatically disabled if the
file is greater than SIZE. Value of 0 disables the limit.
Default: 1M
LogTime BOOL
Log time for each message.
Default: no
LogClean BOOL
Log clean files.
Default: no
LogSyslog BOOL
Use system logger (can work together with LogFile).
Default: no
LogFacility STRING
Specify the type of syslog messages - please refer to 'man syslog' for facility
names.
Default: LOG_LOCAL6
LogVerbose BOOL
Enable verbose logging.
Default: no
ExtendedDetectionInfo BOOL
Log additional information about the infected file, such as its size and hash,
together with the virus name.
Default: no
PidFile STRING
Save the process identifier of a listening daemon (main thread) to a specified
file.
Default: no
TemporaryDirectory STRING
Optional path to the global temporary directory.
Default: system specific (usually /tmp or /var/tmp).
DatabaseDirectory STRING
Path to a directory containing database files.
OfficialDatabaseOnly BOOL
Only load the official signatures published by the ClamAV project.
Default: no
LocalSocket STRING
Path to a local (Unix) socket the daemon will listen on.
Default: no
LocalSocketGroup STRING
Sets the group ownership on the unix socket.
Default: the primary group of the user running clamd
LocalSocketMode STRING
Sets the permissions on the unix socket to the specified mode.
Default: socket is world readable and writable
FixStaleSocket BOOL
Remove stale socket after unclean shutdown.
Default: yes
TCPSocket NUMBER
TCP port number the daemon will listen on.
Default: no
TCPAddr STRING
TCP socket address to bind to. By default clamd binds to INADDR_ANY.
Default: no
MaxConnectionQueueLength NUMBER
Maximum length the queue of pending connections may grow to.
Default: 200
MaxThreads NUMBER
Maximum number of threads running at the same time.
Default: 10
ReadTimeout NUMBER
Waiting for data from a client socket will timeout after this time (seconds).
Default: 120
CommandReadTimeout NUMBER
This option specifies the time (in seconds) after which clamd should timeout if a
client doesn't provide any initial command after connecting. Note: the timeout for
subsequents commands, and/or data chunks is specified by ReadTimeout.
Default: 5
SendBufTimeout NUMBER
This option specifies how long to wait (in milliseconds) if the send buffer is
full. Keep this value low to prevent clamd hanging.
Default: 500
MaxQueue NUMBER
Maximum number of queued items (including those being processed by MaxThreads
threads). It is recommended to have this value at least twice MaxThreads if
possible.
WARNING: you shouldn't increase this too much to avoid running out of file
descriptors, the following condition should hold: MaxThreads*MaxRecursion +
MaxQueue - MaxThreads + 6 < RLIMIT_NOFILE. RLIMIT_NOFILE is the maximum number of
open file descriptors (usually 1024), set by ulimit -n.
Default: 100
IdleTimeout NUMBER
Waiting for a new job will timeout after this time (seconds).
Default: 30
ExcludePath REGEX
Don't scan files and directories matching REGEX. This directive can be used
multiple times.
Default: scan all
MaxDirectoryRecursion NUMBER
Maximum depth directories are scanned at.
Default: 15
FollowDirectorySymlinks BOOL
Follow directory symlinks.
Default: no
CrossFilesystems BOOL
Scan files and directories on other filesystems.
Default: yes
FollowFileSymlinks BOOL
Follow regular file symlinks.
Default: no
SelfCheck NUMBER
Perform a database check.
Default: 1800
VirusEvent COMMAND
Execute COMMAND when a virus is found. In the command string %v will be replaced
with the virus name.
Default: no
ExitOnOOM BOOL
Stop daemon when libclamav reports out of memory condition.
Default: no
User STRING
Run as another user (clamd must be started by root to make this option working).
Default: no
AllowSupplementaryGroups BOOL
Initialize supplementary group access (clamd must be started by root).
Default: no
Foreground BOOL
Don't fork into background.
Default: no
Debug BOOL
Enable debug messages from libclamav.
LeaveTemporaryFiles BOOL
Do not remove temporary files (for debug purpose).
Default: no
StreamMaxLength SIZE
Clamd uses FTP-like protocol to receive data from remote clients. If you are using
clamav-milter to balance load between remote clamd daemons on firewall servers you
may need to tune the Stream* options. This option allows you to specify the upper
limit for data size that will be transfered to remote daemon when scanning a single
file. It should match your MTA's limit for a maximum attachment size.
Default: 10M
StreamMinPort NUMBER
Limit data port range.
Default: 1024
StreamMaxPort NUMBER
Limit data port range.
Default: 2048
Bytecode BOOL
With this option enabled ClamAV will load bytecode from the database. It is highly
recommended you keep this option turned on, otherwise you may miss detections for
many new viruses.
Default: yes
BytecodeSecurity STRING
Set bytecode security level. Possible values: TrustSigned: trust bytecode loaded
from signed .c[lv]d files and insert runtime safety checks for bytecode loaded from
other sources, Paranoid: don't trust any bytecode, insert runtime checks for all.
The recommended setting is TrustSigned, because bytecode in .cvd files already has
safety checks inserted into it.
Default: TrustSigned
BytecodeUnsigned BOOL
Allow loading bytecode from outside digitally signed .c[lv]d files.
Default: no
BytecodeTimeout NUMBER
Set bytecode timeout in milliseconds.
Default: 5000
DetectPUA BOOL
Detect Possibly Unwanted Applications.
Default: No
ExcludePUA CATEGORY
Exclude a specific PUA category. This directive can be used multiple times. See
http://www.clamav.net/support/pua for the complete list of PUA categories.
Default: Load all categories (if DetectPUA is activated)
IncludePUA CATEGORY
Only include a specific PUA category. This directive can be used multiple times.
See http://www.clamav.net/support/pua for the complete list of PUA categories.
Default: Load all categories (if DetectPUA is activated)
AlgorithmicDetection BOOL
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV
uses special algorithms to provide accurate detection. This option controls the
algorithmic detection.
Default: yes
ScanPE BOOL
PE stands for Portable Executable - it's an executable file format used in all 32
and 64-bit versions of Windows operating systems. This option allows ClamAV to
perform a deeper analysis of executable files and it's also required for
decompression of popular executable packers such as UPX.
Default: yes
ScanELF BOOL
Executable and Linking Format is a standard format for UN*X executables. This
option allows you to control the scanning of ELF files.
Default: yes
DetectBrokenExecutables BOOL
With this option clamd will try to detect broken executables (both PE and ELF) and
mark them as Broken.Executable.
Default: no
ScanOLE2 BOOL
This option enables scanning of OLE2 files, such as Microsoft Office documents and
.msi files.
Default: yes
OLE2BlockMacros BOOL
With this option enabled OLE2 files with VBA macros, which were not detected by
signatures will be marked as "Heuristics.OLE2.ContainsMacros".
Default: no
ScanPDF BOOL
This option enables scanning within PDF files.
Default: yes
ScanHTML BOOL
Enables HTML detection and normalisation.
Default: yes
ScanMail BOOL
Enable scanning of mail files.
Default: yes
ScanPartialMessages BOOL
Scan RFC1341 messages split over many emails. You will need to periodically clean
up $TemporaryDirectory/clamav-partial directory. WARNING: This option may open your
system to a DoS attack. Never use it on loaded servers.
Default: no
MailMaxRecursion NUMBER (OBSOLETE)
WARNING: This option is no longer accepted. See MaxRecursion.
PhishingSignatures BOOL
With this option enabled ClamAV will try to detect phishing attempts by using
signatures.
Default: yes
PhishingScanURLs BOOL
Scan URLs found in mails for phishing attempts using heuristics. This will classify
"Possibly Unwanted" phishing emails as Phishing.Heuristics.Email.*
Default: yes
PhishingAlwaysBlockSSLMismatch BOOL
Always block SSL mismatches in URLs, even if the URL isn't in the database. This
can lead to false positives.
Default: no
PhishingAlwaysBlockCloak BOOL
Always block cloaked URLs, even if URL isn't in database. This can lead to false
positives.
Default: no
HeuristicScanPrecedence BOOL
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such
as phishingScan) detects a possible virus/phishing it will stop scanning
immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing
detected by heuristic scans will be reported only at the end of a scan. If an
archive contains both a heuristically detected virus/phishing, and a real malware,
the real malware will be reported. Keep this disabled if you intend to handle
"*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-
detected virus (signature-based) is found first, the scan is interrupted
immediately, regardless of this config option.
Default: no
StructuredDataDetection BOOL
Enable the DLP module.
Default: no
StructuredMinCreditCardCount NUMBER
This option sets the lowest number of Credit Card numbers found in a file to
generate a detect.
Default: 3
StructuredMinSSNCount NUMBER
This option sets the lowest number of Social Security Numbers found in a file to
generate a detect.
Default: 3
StructuredSSNFormatNormal BOOL
With this option enabled the DLP module will search for valid SSNs formatted as
xxx-yy-zzzz.
Default: Yes
StructuredSSNFormatStripped BOOL
With this option enabled the DLP module will search for valid SSNs formatted as
xxxyyzzzz.
Default: No
ScanArchive BOOL
Enable archive scanning.
Default: yes
ArchiveMaxFileSize (OBSOLETE)
WARNING: This option is no longer accepted. See MaxFileSize and MaxScanSize.
ArchiveMaxRecursion (OBSOLETE)
WARNING: This option is no longer accepted. See MaxRecursion.
ArchiveMaxFiles (OBSOLETE)
WARNING: This option is no longer accepted. See MaxFiles.
ArchiveMaxCompressionRatio (OBSOLETE)
WARNING: This option is no longer accepted.
ArchiveBlockMax (OBSOLETE)
WARNING: This option is no longer accepted.
ArchiveLimitMemoryUsage (OBSOLETE)
WARNING: This option is no longer accepted.
Default: no
ArchiveBlockEncrypted BOOL
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
Default: no
MaxScanSize SIZE
Sets the maximum amount of data to be scanned for each input file. Archives and
other containers are recursively extracted and scanned up to this value. Warning:
disabling this limit or setting it too high may result in severe damage to the
system.
Default: 100M
MaxFileSize SIZE
Files larger than this limit won't be scanned. Affects the input file itself as
well as files contained inside it (when the input file is an archive, a document or
some other kind of container). Warning: disabling this limit or setting it too high
may result in severe damage to the system.
Default: 25M
MaxRecursion NUMBER
Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR file,
all files within it will also be scanned. This options specifies how deeply the
process should be continued. Warning: setting this limit too high may result in
severe damage to the system.
Default: 16
MaxFiles NUMBER
Number of files to be scanned within an archive, a document, or any other kind of
container. Warning: disabling this limit or setting it too high may result in
severe damage to the system.
Default: 10000
ClamukoScanOnAccess BOOL
Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
Default: no
ClamukoScannerCount NUMBER
The number of scanner threads that will be started (DazukoFS only). Having multiple
scanner threads allows Clamuko to serve multiple processes simultaneously. This is
particularly beneficial on SMP machines.
Default: 3
ClamukoScanOnOpen BOOL
Scan files on open.
Default: no
ClamukoScanOnClose BOOL
Scan files on close.
Default: no.
ClamukoScanOnExec BOOL
Scan files on execute.
Default: no
ClamukoIncludePath STRING
Set the include paths (all files and directories inside them will be scanned). You
can have multiple ClamukoIncludePath directives but each directory must be added in
a separate line).
Default: no
ClamukoExcludePath STRING
Set the exclude paths. All subdirectories will also be excluded.
Default: no ClamukoExcludeUID NUMBER With this option you can whitelist specific
UIDs. Processes with these UIDs will be able to access all files. This option can
be used multiple times (one per line).
Default: no
ClamukoMaxFileSize SIZE
Ignore files larger than SIZE.
Default: 5M
NOTES
All options expressing a size are limited to max 4GB. Values in excess will be resetted to
the maximum.
FILES
/etc/clamav/clamd.conf
AUTHOR
Tomasz Kojm <tkojm@clamav.net>
SEE ALSO
clamd(8), clamdscan(1), clamav-milter(8), freshclam(1), freshclam.conf(5)