-
Notifications
You must be signed in to change notification settings - Fork 708
/
clamd.conf.5.in
826 lines (826 loc) · 27.6 KB
/
clamd.conf.5.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
.TH "clamd.conf" "5" "December 4, 2013" "ClamAV @VERSION@" "Clam AntiVirus"
.SH "NAME"
.LP
\fBclamd.conf\fR \- Configuration file for Clam AntiVirus Daemon
.SH "DESCRIPTION"
.LP
clamd.conf configures the Clam AntiVirus daemon, clamd(8).
.SH "FILE FORMAT"
The file consists of comments and options with arguments. Each line which starts with a hash (\fB#\fR) symbol is ignored by the parser. Options and arguments are case sensitive and of the form \fBOption Argument\fR. The arguments are of the following types:
.TP
\fBBOOL\fR
Boolean value (yes/no or true/false or 1/0).
.TP
\fBSTRING\fR
String without blank characters.
.TP
\fBSIZE\fR
Size in bytes. You can use 'M' or 'm' modifiers for megabytes and 'K' or 'k' for kilobytes. To specify the size in bytes just don't use modifiers.
.TP
\fBNUMBER\fR
Unsigned integer.
.SH "DIRECTIVES"
.LP
When some option is not used (commented out or not included in the configuration file at all) clamd takes a default action.
.TP
\fBExample\fR
If this option is set clamd will not run.
.TP
\fBLogFile STRING\fR
Save all reports to a log file.
.br
Default: disabled
.TP
\fBLogFileUnlock BOOL\fR
By default the log file is locked for writing and only a single daemon process can write to it. This option disables the lock.
.br
Default: no
.TP
\fBLogFileMaxSize SIZE\fR
Maximum size of the log file.
.br
Value of 0 disables the limit.
.br
Default: 1048576
.TP
\fBLogTime BOOL\fR
Log time for each message.
.br
Default: no
.TP
\fBLogClean BOOL\fR
Log all clean files.
.br
Useful in debugging but drastically increases the log size.
.br
Default: no
.TP
\fBLogSyslog BOOL\fR
Use the system logger (can work together with LogFile).
.br
Default: no
.TP
\fBLogFacility STRING\fR
Type of syslog messages
.br
Please refer to 'man syslog' for facility names.
.br
Default: LOG_LOCAL6
.TP
\fBLogVerbose BOOL\fR
Enable verbose logging.
.br
Default: no
.TP
\fBLogRotate BOOL\fR
Rotate log file. Requires LogFileMaxSize option set prior to this option.
.br
Default: no
.TP
\fBExtendedDetectionInfo BOOL\fR
Log additional information about the infected file, such as its size and hash, together with the virus name.
.br
Default: no
.TP
\fBPidFile STRING\fR
Write the daemon's pid to the specified file.
.br
Default: disabled
.TP
\fBTemporaryDirectory STRING\fR
This option allows you to change the default temporary directory.
.br
Default: system specific (usually /tmp or /var/tmp).
.TP
\fBDatabaseDirectory STRING\fR
This option allows you to change the default database directory. If you enable it, please make sure it points to the same directory in both clamd and freshclam.
.br
Default: defined at configuration (/usr/local/share/clamav)
.TP
\fBOfficialDatabaseOnly BOOL\fR
Only load the official signatures published by the ClamAV project.
.br
Default: no
.TP
\fBFailIfCvdOlderThan NUMBER\fR
Return with a nonzero error code if the virus database is older than the specified number of days.
.br
Default: -1
.TP
\fBLocalSocket STRING\fR
Path to a local (Unix) socket the daemon will listen on.
.br
Default: disabled
.TP
\fBLocalSocketGroup STRING\fR
Sets the group ownership on the unix socket.
.br
Default: the primary group of the user running clamd
.TP
\fBLocalSocketMode STRING\fR
Sets the permissions on the unix socket to the specified mode.
.br
Default: socket is world readable and writable
.TP
\fBFixStaleSocket BOOL\fR
Remove stale socket after unclean shutdown.
.br
Default: yes
.TP
\fBTCPSocket NUMBER\fR
TCP port number the daemon will listen on.
.br
Default: disabled
.TP
\fBTCPAddr STRING\fR
By default clamd binds to INADDR_ANY.
.br
This option allows you to restrict the TCP address and provide some degree of protection from the outside world. This option can be specified multiple times in order to listen on multiple IPs. IPv6 is now supported.
.br
Default: disabled
.TP
\fBMaxConnectionQueueLength NUMBER\fR
Maximum length the queue of pending connections may grow to.
.br
Default: 200
.TP
\fBStreamMaxLength SIZE\fR
Close the STREAM session when the data size limit is exceeded.
.br
The value should match your MTA's limit for the maximum attachment size.
.br
Default: 100M
.TP
\fBStreamMinPort NUMBER\fR
The STREAM command uses an FTP-like protocol.
.br
This option sets the lower boundary for the port range.
.br
Default: 1024
.TP
\fBStreamMaxPort NUMBER\fR
This option sets the upper boundary for the port range.
.br
Default: 2048
.TP
\fBMaxThreads NUMBER\fR
Maximum number of threads running at the same time.
.br
Default: 10
.TP
\fBReadTimeout NUMBER\fR
This option specifies the time (in seconds) after which clamd should
timeout if a client doesn't provide any data.
.br
Default: 120
.TP
\fBCommandReadTimeout NUMBER\fR
This option specifies the time (in seconds) after which clamd should
timeout if a client doesn't provide any initial command after connecting. The
default is set to 30 to avoid timeouts with TCP sockets when processing large
messages. If using a Unix socket, the value can be changed to 5.
Note: the timeout for subsequents commands, and/or data chunks is specified by
ReadTimeout.
.br
Default: 30
.TP
\fBSendBufTimeout NUMBER\fR
This option specifies how long to wait (in milliseconds) if the send buffer is full.
Keep this value low to prevent clamd hanging.
.br
Default: 500
.TP
\fBMaxQueue NUMBER\fR
Maximum number of queued items (including those being processed by MaxThreads threads).
It is recommended to have this value at least twice MaxThreads if possible.
.br
\fBWARNING: you shouldn't increase this too much to avoid running out of file descriptors,
the following condition should hold:
MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 < RLIMIT_NOFILE.\fR
RLIMIT_NOFILE is the maximum number of open file descriptors (usually 1024), set
by \fBulimit \-n\fR.
.br
Default: 100
.TP
\fBIdleTimeout NUMBER\fR
This option specifies how long (in seconds) the process should wait
for a new job.
.br
Default: 30
.TP
\fBExcludePath REGEX\fR
Don't scan files and directories matching REGEX. This directive can be used multiple times.
.br
Default: disabled
.TP
\fBMaxDirectoryRecursion NUMBER\fR
Maximum depth directories are scanned at.
.br
Default: 15
.TP
\fBFollowDirectorySymlinks BOOL\fR
Follow directory symlinks.
.br
Default: no
.TP
\fBCrossFilesystems BOOL\fR
Scan files and directories on other filesystems.
.br
Default: yes
.TP
\fBFollowFileSymlinks BOOL\fR
Follow regular file symlinks.
.br
Default: no
.TP
\fBSelfCheck NUMBER\fR
This option specifies the time intervals (in seconds) in which clamd
should perform a database check.
.br
Default: 600
.TP
\fBConcurrentDatabaseReload BOOL\fR
Enable non-blocking (multi-threaded/concurrent) database reloads. This feature will temporarily load a second scanning engine while scanning continues using the first engine. Once loaded, the new engine takes over. The old engine is removed as soon as all scans using the old engine have completed. This feature requires more RAM, so this option is provided in case users are willing to block scans during reload in exchange for lower RAM requirements.
.br
Default: yes
.TP
\fBVirusEvent COMMAND\fR
Execute a command when virus is found.
Use the following environment variables to identify the file and virus names:
- $CLAM_VIRUSEVENT_FILENAME
- $CLAM_VIRUSEVENT_VIRUSNAME
In the command string, '%v' will also be replaced with the virus name.
Note: The '%f' filename format character has been disabled and will no longer
be replaced with the file name, due to command injection security concerns.
Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
For the same reason, you should NOT use the environment variables in the
command directly, but should use it carefully from your executed script.
\fR
.br
Default: disabled
.TP
\fBExitOnOOM BOOL\fR
Stop daemon when libclamav reports out of memory condition.
.br
Default: no
.TP
\fBAllowAllMatchScan BOOL\fR
Permit use of the ALLMATCHSCAN command.
.br
Default: yes
.TP
\fBForeground BOOL\fR
Don't fork into background.
.br
Default: no
.TP
\fBDebug BOOL\fR
Enable debug messages from libclamav.
.br
Default: no
.TP
\fBLeaveTemporaryFiles BOOL\fR
Do not remove temporary files (for debugging purpose).
.br
Default: no
.TP
\fBGenerateMetadataJson BOOL\fR
Record metadata about the file being scanned.
Scan metadata is useful for file analysis purposes and for debugging scan behavior.
The JSON metadata will be printed after the scan is complete if Debug is enabled.
A metadata.json file will be written to the scan temp directory if LeaveTemporaryFiles is enabled.
.br
Default: no
.TP
\fBUser STRING\fR
Run the daemon as a specified user (the process must be started by root).
.br
Default: disabled
.TP
\fBBytecode BOOL\fR
With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, otherwise you may miss detections for many new viruses.
.br
Default: yes
.TP
\fBBytecodeSecurity STRING\fR
Set bytecode security level.
.RS
.PD 0
.HP 4
Possible values:
.br
\fBTrustSigned\fR \- trust bytecode loaded from signed .c[lv]d files and insert runtime safety checks for bytecode loaded from other sources,
.br
\fBParanoid\fR \- don't trust any bytecode, insert runtime checks for all.
.RE
.RS
Recommended: \fBTrustSigned\fR, because bytecode in .cvd files already has these checks.
.br
Default: TrustSigned
.PD 1
.RE
.TP
\fBBytecodeTimeout NUMBER\fR
Set bytecode timeout in milliseconds.
.br
Default: 10000
.TP
\fBBytecodeUnsigned BOOL\fR
Allow loading bytecode from outside digitally signed .c[lv]d files.
**Caution**: You should NEVER run bytecode signatures from untrusted sources.
Doing so may result in arbitrary code execution.
.br
Default: no
.TP
\fBBytecodeMode STRING\fR
Set bytecode execution mode.
.RS
.PD 0
.HP 4
Possible values:
.br
\fBAuto\fR \- automatically choose JIT if possible, fallback to interpreter
.br
\fBForceJIT\fR \- always choose JIT, fail if not possible
.br
\fBForceInterpreter\fR \- always choose interpreter
.br
\fBTest\fR \- run with both JIT and interpreter and compare results. Make all failures fatal.
.RE
.RS
Default: Auto
.PD 1
.RE
.TP
\fBDetectPUA BOOL\fR
Detect Possibly Unwanted Applications.
.br
Default: No
.TP
\fBExcludePUA CATEGORY\fR
Exclude a specific PUA category. This directive can be used multiple times. See https://docs.clamav.net/faq/faq-pua.html for the complete list of PUA categories.
.br
Default: disabled
.TP
\fBIncludePUA CATEGORY\fR
Only include a specific PUA category. This directive can be used multiple times. See https://docs.clamav.net/faq/faq-pua.html for the complete list of PUA categories.
.br
Default: disabled
.TP
\fBHeuristicAlerts BOOL\fR
In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option controls the algorithmic detection.
.br
Default: yes
.TP
\fBHeuristicScanPrecedence BOOL\fR
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phishing it will stop scanning immediately. Recommended, saves CPU scan-time. When disabled, virus/phishing detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phishing, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option.
.br
Default: no
.TP
\fBScanPE BOOL\fR
PE stands for Portable Executable \- it's an executable file format used in all 32 and 64\-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX.
.br
If you turn off this option, the original files will still be scanned, but without additional processing.
.br
Default: yes
.TP
\fBScanELF BOOL\fR
Executable and Linking Format is a standard format for UN*X executables. This option allows you to control the scanning of ELF files.
.br
If you turn off this option, the original files will still be scanned, but without additional processing.
.br
Default: yes
.TP
\fBScanMail BOOL\fR
Enable scanning of mail files.
.br
If you turn off this option, the original files will still be scanned, but without parsing individual messages/attachments.
.br
Default: yes
.TP
\fBScanPartialMessages BOOL\fR
Scan RFC1341 messages split over many emails. You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. \fBWARNING: This option may open your system to a DoS attack. Never use it on loaded servers.\fR
.br
Default: no
.TP
\fBPhishingSignatures BOOL\fR
Enable email signature-based phishing detection.
.br
Default: yes
.TP
\fBPhishingScanURLs BOOL\fR
Enable URL signature-based phishing detection (Heuristics.Phishing.Email.*)
.br
Default: yes
.TP
\fBStructuredDataDetection BOOL\fR
Enable the DLP module.
.br
Default: no
.TP
\fBStructuredMinCreditCardCount NUMBER\fR
This option sets the lowest number of Credit Card numbers found in a file to generate a detect.
.br
Default: 3
.TP
\fBStructuredCCOnly BOOL\fR
With this option enabled the DLP module will search for valid Credit Card\nnumbers only. Debit and Private Label cards will not be searched.
.br
Default: No
.TP
\fBStructuredMinSSNCount NUMBER\fR
This option sets the lowest number of Social Security Numbers found in a file to generate a detect.
.br
Default: 3
.TP
\fBStructuredSSNFormatNormal BOOL\fR
With this option enabled the DLP module will search for valid SSNs formatted as xxx-yy-zzzz.
.br
Default: Yes
.TP
\fBStructuredSSNFormatStripped BOOL\fR
With this option enabled the DLP module will search for valid SSNs formatted as xxxyyzzzz.
.br
Default: No
.TP
\fBScanHTML BOOL\fR
Perform HTML/JavaScript/ScriptEncoder normalisation and decryption.
.br
If you turn off this option, the original files will still be scanned, but without additional processing.
.br
Default: yes
.TP
\fBScanOLE2 BOOL\fR
This option enables scanning of OLE2 files, such as Microsoft Office documents and .msi files.
.br
If you turn off this option, the original files will still be scanned, but without additional processing.
.br
Default: yes
.TP
\fBScanPDF BOOL\fR
This option enables scanning within PDF files.
.br
If you turn off this option, the original files will still be scanned, but without additional processing.
.br
Default: yes
.TP
\fBScanSWF BOOL\fR
This option enables scanning within SWF files.
.br
If you turn off this option, the original files will still be scanned, but without decoding and additional processing.
.br
Default: yes
.TP
\fBScanXMLDOCS BOOL\fR
This option enables scanning xml-based document files supported by libclamav.
.br
If you turn off this option, the original files will still be scanned, but without additional processing.
.br
Default: yes
.TP
\fBScanHWP3 BOOL\fR
This option enables scanning HWP3 files.
.br
If you turn off this option, the original files will still be scanned, but without additional processing.
.br
Default: yes
.TP
\fBScanOneNote BOOL\fR
This option enables scanning OneNote files.
.br
If you turn off this option, the original files will still be scanned, but without additional processing.
.br
Default: yes
.TP
\fBScanArchive BOOL\fR
Scan within archives and compressed files.
.br
If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.
.br
Default: yes
.TP
\fBScanImage BOOL\fR
This option enables scanning of image (graphics).
.br
If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.
.br
Default: yes
.TP
\fBScanImageFuzzyHash BOOL\fR
This option enables detection by calculating a fuzzy hash of image (graphics) files. Signatures using image fuzzy hashes typically match files and documents by identifying images embedded or attached to those files.
.br
If you turn off this option, then some files may no longer be detected.
.br
Default: yes
.TP
\fBAlertBrokenExecutables BOOL\fR
Alert on broken executable files (PE & ELF).
.br
Default: no
.TP
\fBAlertBrokenMedia BOOL\fR
Alert on broken graphics files (JPEG, TIFF, PNG, GIF).
.br
Default: no
.TP
\fBAlertEncrypted BOOL\fR
Alert on encrypted archives and documents (encrypted .zip, .7zip, .rar, .pdf).
.br
Default: no
.TP
\fBAlertEncryptedArchive BOOL\fR
Alert on encrypted archives (encrypted .zip, .7zip, .rar).
.br
Default: no
.TP
\fBAlertEncryptedDoc BOOL\fR
Alert on encrypted documents (encrypted .pdf).
.br
Default: no
.TP
\fBAlertOLE2Macros BOOL\fR
Alert on OLE2 files containing VBA macros (Heuristics.OLE2.ContainsMacros).
.br
Default: no
.TP
\fBAlertExceedsMax BOOL\fR
When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or MaxRecursion limit will be flagged with the virus name starting with "Heuristics.Limits.Exceeded".
.br
Default: no
.TP
\fBAlertPhishingSSLMismatch BOOL\fR
Alert on emails containing SSL mismatches in URLs (might lead to false positives!).
.br
Default: no
.TP
\fBAlertPhishingCloak BOOL\fR
Alert on emails containing cloaked URLs (might lead to some false positives).
.br
Default: no
.TP
\fBAlertPartitionIntersection BOOL\fR
Alert on raw DMG image files containing partition intersections.
.br
Default: no
.TP
\fBDisableCache\fR
This option allows you to disable the caching feature of the engine.
.br
By default, the engine will store an MD5 in a cache of any files that are not flagged as virus or that hit limits checks. \fBWarning: Disabling the cache will have a negative performance impact on large scans.\fR
.br
Default: no
.TP
\fBCacheSize\fR
This option allows you to set the number of entries the cache can store. The value should be a square number or will be rounded up to the nearest square number.
.br
Default: 65536
.TP
\fBForceToDisk\fR
This option causes memory or nested map scans to dump the content to disk.
.br
If you turn on this option, more data is written to disk and is available when the leave-temps option is enabled at the cost of more disk writes.
.br
Default: no
.TP
\fBMaxScanTime SIZE\fR
This option sets the maximum amount of time a scan may take to complete. The value is in milliseconds. The value of 0 disables the limit. \fBWARNING: disabling this limit or setting it too high may result allow scanning of certain files to lock up the scanning process/threads resulting in a Denial of Service.\fR
.br
Default: 120000
.TP
\fBMaxScanSize SIZE\fR
Sets the maximum amount of data to be scanned for each input file. Archives and other containers are recursively extracted and scanned up to this value. The size of an archive plus the sum of the sizes of all files within archive count toward the scan size. For example, a 1M uncompressed archive containing a single 1M inner file counts as 2M toward the max scan size. \fBWarning: disabling this limit or setting it too high may result in severe damage to the system.\fR
.br
Default: 400M
.TP
\fBMaxFileSize SIZE\fR
Files larger than this limit won't be scanned. Affects the input file itself as well as files contained inside it (when the input file is an archive, a document or some other kind of container). \fBWarning: disabling this limit or setting it too high may result in severe damage to the system. Technical design limitations prevent ClamAV from scanning files greater than 2 GB at this time.\fR
.br
Default: 100M
.TP
\fBMaxRecursion NUMBER\fR
Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR file, all files within it will also be scanned. This options specifies how deeply the process should be continued. \fBWarning: setting this limit too high may result in severe damage to the system.\fR
.br
Default: 17
.TP
\fBMaxFiles NUMBER\fR
Number of files to be scanned within an archive, a document, or any other kind of container. \fBWarning: disabling this limit or setting it too high may result in severe damage to the system.\fR
.br
Default: 10000
.TP
\fBMaxEmbeddedPE SIZE\fR
This option sets the maximum size of a file to check for embedded PE.
.br
Files larger than this value will skip the additional analysis step.
.br
Negative values are not allowed.
.br
Default: 40M
.TP
\fBMaxHTMLNormalize SIZE\fR
This option sets the maximum size of a HTML file to normalize.
.br
HTML files larger than this value will not be normalized or scanned.
.br
Negative values are not allowed.
.br
Default: 40M
.TP
\fBMaxHTMLNoTags SIZE\fR
This option sets the maximum size of a normalized HTML file to scan.
.br
HTML files larger than this value after normalization will not be scanned.
.br
Negative values are not allowed.
.br
Default: 8M
.TP
\fBMaxScriptNormalize SIZE\fR
This option sets the maximum size of a script file to normalize.
.br
Script content larger than this value will not be normalized or scanned.
.br
Negative values are not allowed.
.br
Default: 20M
.TP
\fBMaxZipTypeRcg SIZE\fR
This option sets the maximum size of a ZIP file to reanalyze type recognition.
.br
ZIP files larger than this value will skip the step to potentially reanalyze as PE.
.br
Negative values are not allowed.
.br
WARNING: setting this limit too high may result in severe damage or impact performance.
.br
Default: 1M
.TP
\fBMaxPartitions SIZE\fR
This option sets the maximum number of partitions of a raw disk image to be scanned.
.br
Raw disk images with more partitions than this value will have up to the value partitions scanned.
.br
Negative values are not allowed.
.br
WARNING: setting this limit too high may result in severe damage or impact performance.
.br
Default: 50
.TP
\fBMaxIconsPE SIZE\fR
This option sets the maximum number of icons within a PE to be scanned.
.br
PE files with more icons than this value will have up to the value number icons scanned.
.br
Negative values are not allowed.
.br
WARNING: setting this limit too high may result in severe damage or impact performance.
.br
Default: 100
.TP
\fBMaxRecHWP3 NUMBER\fR
This option sets the maximum recursive calls to HWP3 parsing function.
.br
HWP3 files using more than this limit will be terminated and alert the user.
.br
Scans will be unable to scan any HWP3 attachments if the recursive limit is reached.
.br
Negative values are not allowed.
.br
WARNING: setting this limit too high may result in severe damage or impact performance.
.br
Default: 16
.TP
\fBPCREMatchLimit NUMBER\fR
This option sets the maximum calls to the PCRE match function during an instance of regex matching.
.br
Instances using more than this limit will be terminated and alert the user but the scan will continue.
.br
For more information on match_limit, see the PCRE documentation.
.br
Negative values are not allowed.
.br
WARNING: setting this limit too high may severely impact performance.
.br
Default: 10000
.TP
\fBPCRERecMatchLimit NUMBER\fR
This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching.
.br
Instances using more than this limit will be terminated and alert the user but the scan will continue.
.br
For more information on match_limit_recursion, see the PCRE documentation.
.br
Negative values are not allowed and values > PCREMatchLimit are superfluous.
.br
WARNING: setting this limit too high may severely impact performance.
.br
Default: 2000
.TP
\fBPCREMaxFileSize SIZE\fR
This option sets the maximum filesize for which PCRE subsigs will be executed.
.br
Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer.
.br
Negative values are not allowed.
.br
Setting this value to zero disables the limit.
.br
WARNING: setting this limit too high or disabling it may severely impact performance.
.br
Default: 100M
.TP
\fBOnAccessIncludePath STRING\fR
This option specifies a directory (including all files and directories inside it), which should be scanned on access. This option can be used multiple times.
.br
Default: disabled
.TP
\fBOnAccessExcludePath STRING\fR
This option allows excluding directories from on-access scanning. It can be used multiple times.
.br
Default: disabled
.TP
\fBOnAccessExcludeRootUID BOOL\fR
With this option you can exclude the root UID (0). Processes run under root will be able to access all files without triggering scans or permission denied events.
.br
Note that if clamd cannot check the uid of the process that generated an on-access scan event (e.g., because \fBOnAccessPrevention\fR was not enabled, and the process already exited), clamd will perform a scan. Thus, setting \fBOnAccessExcludeRootUID\fR is not \fIguaranteed\fR to prevent every access by the root user from triggering a scan (unless \fBOnAccessPrevention\fR is enabled).
.br
Default: no
.TP
\fBOnAccessExcludeUID NUMBER\fR
With this option you can exclude specific UIDs. Processes with these UIDs will be able to access all files without triggering scans or permission denied events.
.br
This option can be used multiple times (one per line).
.br
Note: using a value of 0 on any line will disable this option entirely. To exclude the root UID (0) please enable the OnAccessExcludeRootUID option.
.br
Also note that if clamd cannot check the uid of the process that generated an on-access scan event (e.g., because \fBOnAccessPrevention\fR was not enabled, and the process already exited), clamd will perform a scan. Thus, setting \fBOnAccessExcludeUID\fR is not \fIguaranteed\fR to prevent every access by the specified uid from triggering a scan (unless \fBOnAccessPrevention\fR is enabled).
.br
Default: disabled
.TP
\fBOnAccessExcludeUname STRING\fR
This option allows exclusions via user names when using the on-access scanning client. It can be used multiple times, and has the same potential race condition limitations of the OnAccessExcludeUID option.
.br
Default: disabled
.TP
\fBOnAccessMaxFileSize SIZE\fR
Files larger than this value will not be scanned in on access.
.br
Default: 5M
.TP
\fBOnAccessMaxThreads NUMBER\fR
Max number of scanning threads to allocate to the OnAccess thread pool at startup. These threads are the ones responsible for creating a connection with the daemon and kicking off scanning after an event has been processed. To prevent clamonacc from consuming all clamd's resources keep this lower than clamd's max threads.
.br
Default: 5
.TP
\fBOnAccessCurlTimeout NUMBER\fR
Max amount of time (in milliseconds) that the OnAccess client should spend for every connect, send, and receive attempt when communicating with clamd via curl.
.br
Default: 5000 (5 seconds)
.TP
\fBOnAccessMountPath STRING\fR
Specifies a mount point (including all files and directories under it), which should be scanned on access. This option can be used multiple times.
.br
Default: disabled
.TP
\fBOnAccessDisableDDD BOOL\fR
Disables the dynamic directory determination system which allows for recursively watching include paths.
.br
Default: no
.TP
\fBOnAccessPrevention BOOL\fR
Enables fanotify blocking when malicious files are found.
.br
Default: disabled
.TP
\fBOnAccessRetryAttempts NUMBER\fR
Number of times the OnAccess client will retry a failed scan due to connection problems (or other issues).
.br
Default: 0
.TP
\fBOnAccessDenyOnError BOOL\fR
When using prevention, if this option is turned on, any errors that occur during scanning will result in the event attempt being denied. This could potentially lead to unwanted system behaviour with certain configurations, so the client defaults this to off and prefers allowing access events in case of scan or connection error.
.br
Default: no
.TP
\fBOnAccessExtraScanning BOOL\fR
Toggles extra scanning and notifications when a file or directory is created or moved.
.br
Requires the DDD system to kick-off extra scans.
.br
Default: no
.TP
\fBDisableCertCheck BOOL\fR
Disable authenticode certificate chain verification in PE files.
.br
Default: no
.SH "NOTES"
.LP
All options expressing a size are limited to max 4GB. Values in excess will be reset to the maximum.
.SH "FILES"
.LP
@CONFDIR@/clamd.conf
.SH "AUTHORS"
.LP
Tomasz Kojm <tkojm@clamav.net>, Kevin Lin <klin@sourcefire.com>
.SH "SEE ALSO"
.LP
clamd(8), clamdscan(1), clamav-milter(8), freshclam(1), freshclam.conf(5)