mirror of https://github.com/Cisco-Talos/clamav
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
489 lines
15 KiB
489 lines
15 KiB
.TH "clamd.conf" "5" "February 12, 2007" "ClamAV @VERSION@" "Clam AntiVirus"
|
|
.SH "NAME"
|
|
.LP
|
|
\fBclamd.conf\fR \- Configuration file for Clam AntiVirus Daemon
|
|
.SH "DESCRIPTION"
|
|
.LP
|
|
clamd.conf configures the Clam AntiVirus daemon, clamd(8).
|
|
.SH "FILE FORMAT"
|
|
The file consists of comments and options with arguments. Each line which starts with a hash (\fB#\fR) symbol is ignored by the parser. Options and arguments are case sensitive and of the form \fBOption Argument\fR. The arguments are of the following types:
|
|
.TP
|
|
\fBBOOL\fR
|
|
Boolean value (yes/no or true/false or 1/0).
|
|
.TP
|
|
\fBSTRING\fR
|
|
String without blank characters.
|
|
.TP
|
|
\fBSIZE\fR
|
|
Size in bytes. You can use 'M' or 'm' modifiers for megabytes and 'K' or 'k' for kilobytes.
|
|
.TP
|
|
\fBNUMBER\fR
|
|
Unsigned integer.
|
|
.SH "DIRECTIVES"
|
|
.LP
|
|
When some option is not used (commented out or not included in the configuration file at all) clamd takes a default action.
|
|
.TP
|
|
\fBExample\fR
|
|
If this option is set clamd will not run.
|
|
.TP
|
|
\fBLogFile STRING\fR
|
|
Enable logging to selected file.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBLogFileUnlock BOOL\fR
|
|
Disable a system lock that protects against running clamd with the same configuration file multiple times.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBLogFileMaxSize SIZE\fR
|
|
Limit the size of the log file. The logger will be automatically disabled if the file is greater than SIZE. Value of 0 disables the limit.
|
|
.br
|
|
Default: 1M
|
|
.TP
|
|
\fBLogTime BOOL\fR
|
|
Log time for each message.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBLogClean BOOL\fR
|
|
Log clean files.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBLogSyslog BOOL\fR
|
|
Use system logger (can work together with LogFile).
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBLogFacility STRING\fR
|
|
Specify the type of syslog messages \- please refer to 'man syslog' for facility names.
|
|
.br
|
|
Default: LOG_LOCAL6
|
|
.TP
|
|
\fBLogVerbose BOOL\fR
|
|
Enable verbose logging.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBExtendedDetectionInfo BOOL\fR
|
|
Log additional information about the infected file, such as its size and hash, together with the virus name.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBPidFile STRING\fR
|
|
Save the process identifier of a listening daemon (main thread) to a specified file.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBTemporaryDirectory STRING\fR
|
|
Optional path to the global temporary directory.
|
|
.br
|
|
Default: system specific (usually /tmp or /var/tmp).
|
|
.TP
|
|
\fBDatabaseDirectory STRING\fR
|
|
Path to a directory containing database files.
|
|
.TP
|
|
\fBOfficialDatabaseOnly BOOL\fR
|
|
Only load the official signatures published by the ClamAV project.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBLocalSocket STRING\fR
|
|
Path to a local (Unix) socket the daemon will listen on.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBLocalSocketGroup STRING\fR
|
|
Sets the group ownership on the unix socket.
|
|
.br
|
|
Default: the primary group of the user running clamd
|
|
.TP
|
|
\fBLocalSocketMode STRING\fR
|
|
Sets the permissions on the unix socket to the specified mode.
|
|
.br
|
|
Default: socket is world readable and writable
|
|
.TP
|
|
\fBFixStaleSocket BOOL\fR
|
|
Remove stale socket after unclean shutdown.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBTCPSocket NUMBER\fR
|
|
TCP port number the daemon will listen on.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBTCPAddr STRING\fR
|
|
TCP socket address to bind to. By default clamd binds to INADDR_ANY.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBMaxConnectionQueueLength NUMBER\fR
|
|
Maximum length the queue of pending connections may grow to.
|
|
.br
|
|
Default: 200
|
|
.TP
|
|
\fBMaxThreads NUMBER\fR
|
|
Maximum number of threads running at the same time.
|
|
.br
|
|
Default: 10
|
|
.TP
|
|
\fBReadTimeout NUMBER\fR
|
|
Waiting for data from a client socket will timeout after this time (seconds).
|
|
.br
|
|
Default: 120
|
|
.TP
|
|
\fBCommandReadTimeout NUMBER\fR
|
|
This option specifies the time (in seconds) after which clamd should
|
|
timeout if a client doesn't provide any initial command after connecting.
|
|
Note: the timeout for subsequents commands, and/or data chunks is specified by
|
|
ReadTimeout.
|
|
.br
|
|
Default: 5
|
|
.TP
|
|
\fBSendBufTimeout NUMBER\fR
|
|
This option specifies how long to wait (in milliseconds) if the send buffer is full.
|
|
Keep this value low to prevent clamd hanging.
|
|
.br
|
|
Default: 500
|
|
.TP
|
|
\fBMaxQueue NUMBER\fR
|
|
Maximum number of queued items (including those being processed by MaxThreads threads).
|
|
It is recommended to have this value at least twice MaxThreads if possible.
|
|
.br
|
|
\fBWARNING: you shouldn't increase this too much to avoid running out of file descriptors,
|
|
the following condition should hold:
|
|
MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 < RLIMIT_NOFILE.\fR
|
|
RLIMIT_NOFILE is the maximum number of open file descriptors (usually 1024), set
|
|
by \fBulimit \-n\fR.
|
|
.br
|
|
Default: 100
|
|
.TP
|
|
\fBIdleTimeout NUMBER\fR
|
|
Waiting for a new job will timeout after this time (seconds).
|
|
.br
|
|
Default: 30
|
|
.TP
|
|
\fBExcludePath REGEX\fR
|
|
Don't scan files and directories matching REGEX. This directive can be used multiple times.
|
|
.br
|
|
Default: scan all
|
|
.TP
|
|
\fBMaxDirectoryRecursion NUMBER\fR
|
|
Maximum depth directories are scanned at.
|
|
.br
|
|
Default: 15
|
|
.TP
|
|
\fBFollowDirectorySymlinks BOOL\fR
|
|
Follow directory symlinks.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBCrossFilesystems BOOL\fR
|
|
Scan files and directories on other filesystems.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBFollowFileSymlinks BOOL\fR
|
|
Follow regular file symlinks.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBSelfCheck NUMBER\fR
|
|
Perform a database check.
|
|
.br
|
|
Default: 1800
|
|
.TP
|
|
\fBVirusEvent COMMAND\fR
|
|
Execute COMMAND when a virus is found. In the command string %v will be replaced with the virus name.
|
|
\fR
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBExitOnOOM BOOL\fR
|
|
Stop daemon when libclamav reports out of memory condition.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBUser STRING\fR
|
|
Run as another user (clamd must be started by root to make this option working).
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBAllowSupplementaryGroups BOOL\fR
|
|
Initialize supplementary group access (clamd must be started by root).
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBForeground BOOL\fR
|
|
Don't fork into background.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBDebug BOOL\fR
|
|
Enable debug messages from libclamav.
|
|
.TP
|
|
\fBLeaveTemporaryFiles BOOL\fR
|
|
Do not remove temporary files (for debug purpose).
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBStreamMaxLength SIZE\fR
|
|
Clamd uses FTP\-like protocol to receive data from remote clients. If you are using clamav\-milter to balance load between remote clamd daemons on firewall servers you may need to tune the Stream* options. This option allows you to specify the upper limit for data size that will be transfered to remote daemon when scanning a single file. It should match your MTA's limit for a maximum attachment size.
|
|
.br
|
|
Default: 10M
|
|
.TP
|
|
\fBStreamMinPort NUMBER\fR
|
|
Limit data port range.
|
|
.br
|
|
Default: 1024
|
|
.TP
|
|
\fBStreamMaxPort NUMBER\fR
|
|
Limit data port range.
|
|
.br
|
|
Default: 2048
|
|
.TP
|
|
\fBBytecode BOOL\fR
|
|
With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, otherwise you may miss detections for many new viruses.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBBytecodeSecurity STRING\fR
|
|
Set bytecode security level. Possible values: \fBTrustSigned\fR: trust bytecode loaded from signed .c[lv]d files and insert runtime safety checks for bytecode loaded from other sources, \fBParanoid\fR: don't trust any bytecode, insert runtime checks for all. The recommended setting is \fBTrustSigned\fR, because bytecode in .cvd files already has safety checks inserted into it.
|
|
.br
|
|
Default: TrustSigned
|
|
.TP
|
|
\fBBytecodeUnsigned BOOL\fR
|
|
Allow loading bytecode from outside digitally signed .c[lv]d files.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBBytecodeTimeout NUMBER\fR
|
|
Set bytecode timeout in milliseconds.
|
|
.br
|
|
Default: 5000
|
|
.TP
|
|
\fBDetectPUA BOOL\fR
|
|
Detect Possibly Unwanted Applications.
|
|
.br
|
|
Default: No
|
|
.TP
|
|
\fBExcludePUA CATEGORY\fR
|
|
Exclude a specific PUA category. This directive can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA categories.
|
|
.br
|
|
Default: Load all categories (if DetectPUA is activated)
|
|
.TP
|
|
\fBIncludePUA CATEGORY\fR
|
|
Only include a specific PUA category. This directive can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA categories.
|
|
.br
|
|
Default: Load all categories (if DetectPUA is activated)
|
|
.TP
|
|
\fBAlgorithmicDetection BOOL\fR
|
|
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option controls the algorithmic detection.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBScanPE BOOL\fR
|
|
PE stands for Portable Executable \- it's an executable file format used in all 32 and 64\-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBScanELF BOOL\fR
|
|
Executable and Linking Format is a standard format for UN*X executables. This option allows you to control the scanning of ELF files.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBDetectBrokenExecutables BOOL\fR
|
|
With this option clamd will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBScanOLE2 BOOL\fR
|
|
This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBOLE2BlockMacros BOOL\fR
|
|
With this option enabled OLE2 files with VBA macros, which were not detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBScanPDF BOOL\fR
|
|
This option enables scanning within PDF files.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBScanHTML BOOL\fR
|
|
Enables HTML detection and normalisation.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBScanMail BOOL\fR
|
|
Enable scanning of mail files.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBScanPartialMessages BOOL\fR
|
|
Scan RFC1341 messages split over many emails. You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. \fBWARNING: This option may open your system to a DoS attack. Never use it on loaded servers.\fR
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBMailMaxRecursion NUMBER (OBSOLETE)\fR
|
|
\fBWARNING:\fR This option is no longer accepted. See \fBMaxRecursion\fR.
|
|
.TP
|
|
\fBPhishingSignatures BOOL\fR
|
|
With this option enabled ClamAV will try to detect phishing attempts by using signatures.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBPhishingScanURLs BOOL\fR
|
|
Scan URLs found in mails for phishing attempts using heuristics. This will classify "Possibly Unwanted" phishing emails as Phishing.Heuristics.Email.*
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBPhishingAlwaysBlockSSLMismatch BOOL\fR
|
|
Always block SSL mismatches in URLs, even if the URL isn't in the database. This can lead to false positives.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBPhishingAlwaysBlockCloak BOOL\fR
|
|
Always block cloaked URLs, even if URL isn't in database. This can lead to false positives.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBHeuristicScanPrecedence BOOL\fR
|
|
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBStructuredDataDetection BOOL\fR
|
|
Enable the DLP module.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBStructuredMinCreditCardCount NUMBER\fR
|
|
This option sets the lowest number of Credit Card numbers found in a file to generate a detect.
|
|
.br
|
|
Default: 3
|
|
.TP
|
|
\fBStructuredMinSSNCount NUMBER\fR
|
|
This option sets the lowest number of Social Security Numbers found in a file to generate a detect.
|
|
.br
|
|
Default: 3
|
|
.TP
|
|
\fBStructuredSSNFormatNormal BOOL\fR
|
|
With this option enabled the DLP module will search for valid SSNs formatted as xxx-yy-zzzz.
|
|
.br
|
|
Default: Yes
|
|
.TP
|
|
\fBStructuredSSNFormatStripped BOOL\fR
|
|
With this option enabled the DLP module will search for valid SSNs formatted as xxxyyzzzz.
|
|
.br
|
|
Default: No
|
|
.TP
|
|
\fBScanArchive BOOL\fR
|
|
Enable archive scanning.
|
|
.br
|
|
Default: yes
|
|
.TP
|
|
\fBArchiveMaxFileSize (OBSOLETE)\fR
|
|
\fBWARNING:\fR This option is no longer accepted. See \fBMaxFileSize\fR and \fBMaxScanSize\fR.
|
|
.TP
|
|
\fBArchiveMaxRecursion (OBSOLETE)\fR
|
|
\fBWARNING:\fR This option is no longer accepted. See \fBMaxRecursion\fR.
|
|
.TP
|
|
\fBArchiveMaxFiles (OBSOLETE)\fR
|
|
\fBWARNING:\fR This option is no longer accepted. See \fBMaxFiles\fR.
|
|
.TP
|
|
\fBArchiveMaxCompressionRatio (OBSOLETE)\fR
|
|
\fBWARNING:\fR This option is no longer accepted.
|
|
.TP
|
|
\fBArchiveBlockMax (OBSOLETE)\fR
|
|
\fBWARNING:\fR This option is no longer accepted.
|
|
.TP
|
|
\fBArchiveLimitMemoryUsage (OBSOLETE)\fR
|
|
\fBWARNING:\fR This option is no longer accepted.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBArchiveBlockEncrypted BOOL\fR
|
|
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBMaxScanSize SIZE\fR
|
|
Sets the maximum amount of data to be scanned for each input file. Archives and other containers are recursively extracted and scanned up to this value. \fBWarning: disabling this limit or setting it too high may result in severe damage to the system.\fR
|
|
.br
|
|
Default: 100M
|
|
.TP
|
|
\fBMaxFileSize SIZE\fR
|
|
Files larger than this limit won't be scanned. Affects the input file itself as well as files contained inside it (when the input file is an archive, a document or some other kind of container). \fBWarning: disabling this limit or setting it too high may result in severe damage to the system.\fR
|
|
.br
|
|
Default: 25M
|
|
.TP
|
|
\fBMaxRecursion NUMBER\fR
|
|
Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR file, all files within it will also be scanned. This options specifies how deeply the process should be continued. \fBWarning: setting this limit too high may result in severe damage to the system.\fR
|
|
.br
|
|
Default: 16
|
|
.TP
|
|
\fBMaxFiles NUMBER\fR
|
|
Number of files to be scanned within an archive, a document, or any other kind of container. \fBWarning: disabling this limit or setting it too high may result in severe damage to the system.\fR
|
|
.br
|
|
Default: 10000
|
|
.TP
|
|
\fBClamukoScanOnAccess BOOL\fR
|
|
Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBClamukoScannerCount NUMBER\fR
|
|
The number of scanner threads that will be started (DazukoFS only). Having multiple scanner threads allows Clamuko to serve multiple processes simultaneously. This is particularly beneficial on SMP machines.
|
|
.br
|
|
Default: 3
|
|
.TP
|
|
\fBClamukoScanOnOpen BOOL\fR
|
|
Scan files on open.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBClamukoScanOnClose BOOL\fR
|
|
Scan files on close.
|
|
.br
|
|
Default: no.
|
|
.TP
|
|
\fBClamukoScanOnExec BOOL\fR
|
|
Scan files on execute.
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBClamukoIncludePath STRING\fR
|
|
Set the include paths (all files and directories inside them will be scanned). You can have multiple ClamukoIncludePath directives but each directory must be added in a separate line).
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBClamukoExcludePath STRING\fR
|
|
Set the exclude paths. All subdirectories will also be excluded.
|
|
.br
|
|
Default: no
|
|
\fBClamukoExcludeUID NUMBER\fR
|
|
With this option you can whitelist specific UIDs. Processes with these UIDs will be able to access all files. This option can be used multiple times (one per line).
|
|
.br
|
|
Default: no
|
|
.TP
|
|
\fBClamukoMaxFileSize SIZE\fR
|
|
Ignore files larger than SIZE.
|
|
.br
|
|
Default: 5M
|
|
.SH "NOTES"
|
|
.LP
|
|
All options expressing a size are limited to max 4GB. Values in excess will be resetted to the maximum.
|
|
.SH "FILES"
|
|
.LP
|
|
@CFGDIR@/clamd.conf
|
|
.SH "AUTHOR"
|
|
.LP
|
|
Tomasz Kojm <tkojm@clamav.net>
|
|
.SH "SEE ALSO"
|
|
.LP
|
|
clamd(8), clamdscan(1), clamav-milter(8), freshclam(1), freshclam.conf(5)
|
|
|