[clamav-users] OfficialDatabaseOnly yes ignored
Al Varnell
alvarnell at mac.com
Mon Nov 25 09:40:42 UTC 2019
Evidently you don’t have the path to your ClamAV installation available. I’m starting to wonder if your Unix skills are sufficient for you to be using ClamAV.
That said, here’s what you should have seen:
> clamd.conf(5) Clam AntiVirus clamd.conf(5)
>
>
>
> NAME
>
>
> clamd.conf - Configuration file for Clam AntiVirus Daemon
>
> DESCRIPTION
>
>
> clamd.conf configures the Clam AntiVirus daemon, clamd(8).
>
> FILE FORMAT
>
>
> The file consists of comments and options with arguments. Each line
> which starts with a hash (#) symbol is ignored by the parser. Options
> and arguments are case sensitive and of the form Option Argument. The
> arguments are of the following types:
>
> BOOL Boolean value (yes/no or true/false or 1/0).
>
> STRING String without blank characters.
>
> SIZE Size in bytes. You can use 'M' or 'm' modifiers for megabytes
> and 'K' or 'k' for kilobytes. To specify the size in bytes just
> don't use modifiers.
>
> NUMBER Unsigned integer.
>
> DIRECTIVES
>
>
> When some option is not used (commented out or not included in the con-
> figuration file at all) clamd takes a default action.
>
> Example
> If this option is set clamd will not run.
>
> LogFile STRING
> Save all reports to a log file.
> Default: disabled
>
> LogFileUnlock BOOL
> By default the log file is locked for writing and only a single
> daemon process can write to it. This option disables the lock.
> Default: no
>
> LogFileMaxSize SIZE
> Maximum size of the log file.
> Value of 0 disables the limit.
> Default: 1048576
>
> LogTime BOOL
> Log time for each message.
> Default: no
>
> LogClean BOOL
> Log all clean files.
> Useful in debugging but drastically increases the log size.
> Default: no
>
> LogSyslog BOOL
> Use the system logger (can work together with LogFile).
> Default: no
>
> LogFacility STRING
> Type of syslog messages
> Please refer to 'man syslog' for facility names.
> Default: LOG_LOCAL6
>
> LogVerbose BOOL
> Enable verbose logging.
> Default: no
>
> LogRotate BOOL
> Rotate log file. Requires LogFileMaxSize option set prior to
> this option.
> Default: no
>
> ExtendedDetectionInfo BOOL
> Log additional information about the infected file, such as its
> size and hash, together with the virus name.
> Default: no
>
> PidFile STRING
> Save the process identifier of a listening daemon (main thread)
> to a specified file.
> Default: disabled
>
> TemporaryDirectory STRING
> This option allows you to change the default temporary direc-
> tory.
> Default: system specific (usually /tmp or /var/tmp).
>
> DatabaseDirectory STRING
> This option allows you to change the default database directory.
> If you enable it, please make sure it points to the same direc-
> tory in both clamd and freshclam.
> Default: defined at configuration (/usr/local/share/clamav)
>
> OfficialDatabaseOnly BOOL
> Only load the official signatures published by the ClamAV
> project.
> Default: no
>
> LocalSocket STRING
> Path to a local (Unix) socket the daemon will listen on.
> Default: disabled
>
> LocalSocketGroup STRING
> Sets the group ownership on the unix socket.
> Default: the primary group of the user running clamd
>
> LocalSocketMode STRING
> Sets the permissions on the unix socket to the specified mode.
> Default: socket is world readable and writable
>
> FixStaleSocket BOOL
> Remove stale socket after unclean shutdown.
> Default: yes
>
> TCPSocket NUMBER
> TCP port number the daemon will listen on.
> Default: disabled
>
> TCPAddr STRING
> By default clamd binds to INADDR_ANY.
> This option allows you to restrict the TCP address and provide
> some degree of protection from the outside world. This option
> can be specified multiple times in order to listen on multiple
> IPs. IPv6 is now supported.
> Default: disabled
>
> MaxConnectionQueueLength NUMBER
> Maximum length the queue of pending connections may grow to.
> Default: 200
>
> StreamMaxLength SIZE
> Close the STREAM session when the data size limit is exceeded.
> The value should match your MTA's limit for the maximum attach-
> ment size.
> Default: 25M
>
> StreamMinPort NUMBER
> The STREAM command uses an FTP-like protocol.
> This option sets the lower boundary for the port range.
> Default: 1024
>
> StreamMaxPort NUMBER
> This option sets the upper boundary for the port range.
> Default: 2048
>
> MaxThreads NUMBER
> Maximum number of threads running at the same time.
> Default: 10
>
> ReadTimeout NUMBER
> This option specifies the time (in seconds) after which clamd
> should timeout if a client doesn't provide any data.
> Default: 120
>
> CommandReadTimeout NUMBER
> This option specifies the time (in seconds) after which clamd
> should timeout if a client doesn't provide any initial command
> after connecting. The default is set to 30 to avoid timeouts
> with TCP sockets when processing large messages. If using a
> Unix socket, the value can be changed to 5. Note: the timeout
> for subsequents commands, and/or data chunks is specified by
> ReadTimeout.
> Default: 30
>
> SendBufTimeout NUMBER
> This option specifies how long to wait (in milliseconds) if the
> send buffer is full. Keep this value low to prevent clamd hang-
> ing.
> Default: 500
>
> MaxQueue NUMBER
> Maximum number of queued items (including those being processed
> by MaxThreads threads). It is recommended to have this value at
> least twice MaxThreads if possible.
> WARNING: you shouldn't increase this too much to avoid running
> out of file descriptors, the following condition should hold:
> MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 <
> RLIMIT_NOFILE. RLIMIT_NOFILE is the maximum number of open file
> descriptors (usually 1024), set by ulimit -n.
> Default: 100
>
> IdleTimeout NUMBER
> This option specifies how long (in seconds) the process should
> wait for a new job.
> Default: 30
>
> ExcludePath REGEX
> Don't scan files and directories matching REGEX. This directive
> can be used multiple times.
> Default: disabled
>
> MaxDirectoryRecursion NUMBER
> Maximum depth directories are scanned at.
> Default: 15
>
> FollowDirectorySymlinks BOOL
> Follow directory symlinks.
> Default: no
>
> CrossFilesystems BOOL
> Scan files and directories on other filesystems.
> Default: yes
>
> FollowFileSymlinks BOOL
> Follow regular file symlinks.
> Default: no
>
> SelfCheck NUMBER
> This option specifies the time intervals (in seconds) in which
> clamd should perform a database check.
> Default: 600
>
> VirusEvent COMMAND
> Execute a command when a virus is found. In the command string
> %v will be replaced with the virus name. Additionally, two envi-
> ronment variables will be defined: $CLAM_VIRUSEVENT_FILENAME and
> $CLAM_VIRUSEVENT_VIRUSNAME.
> Default: disabled
>
> ExitOnOOM BOOL
> Stop daemon when libclamav reports out of memory condition.
> Default: no
>
> AllowAllMatchScan BOOL
> Permit use of the ALLMATCHSCAN command.
> Default: yes
>
> Foreground BOOL
> Don't fork into background.
> Default: no
>
> Debug BOOL
> Enable debug messages from libclamav.
> Default: no
>
> LeaveTemporaryFiles BOOL
> Do not remove temporary files (for debugging purpose).
> Default: no
>
> User STRING
> Run the daemon as a specified user (the process must be started
> by root).
> Default: disabled
>
> Bytecode BOOL
> With this option enabled ClamAV will load bytecode from the
> database. It is highly recommended you keep this option turned
> on, otherwise you may miss detections for many new viruses.
> Default: yes
>
> BytecodeSecurity STRING
> Set bytecode security level.
> Possible values:
> TrustSigned - trust bytecode loaded from signed .c[lv]d
> files and insert runtime safety checks for bytecode loaded
> from other sources,
> Paranoid - don't trust any bytecode, insert runtime checks
> for all.
> Recommended: TrustSigned, because bytecode in .cvd files already
> has these checks.
> Default: TrustSigned
>
> BytecodeTimeout NUMBER
> Set bytecode timeout in milliseconds.
> Default: 5000
>
> BytecodeUnsigned BOOL
> Allow loading bytecode from outside digitally signed .c[lv]d
> files.
> Default: no
>
> BytecodeMode STRING
> Set bytecode execution mode.
> Possible values:
> Auto - automatically choose JIT if possible, fallback to
> interpreter
> ForceJIT - always choose JIT, fail if not possible
> ForceInterpreter - always choose interpreter
> Test - run with both JIT and interpreter and compare
> results. Make all failures fatal.
> Default: Auto
>
> DetectPUA BOOL
> Detect Possibly Unwanted Applications.
> Default: No
>
> ExcludePUA CATEGORY
> Exclude a specific PUA category. This directive can be used mul-
> tiple times. See https://www.clamav.net/documents/potentially-
> unwanted-applications-pua for the complete list of PUA cate-
> gories.
> Default: disabled
>
> IncludePUA CATEGORY
> Only include a specific PUA category. This directive can be used
> multiple times. See https://www.clamav.net/documents/poten-
> tially-unwanted-applications-pua for the complete list of PUA
> categories.
> Default: disabled
>
> HeuristicAlerts BOOL
> In some cases (eg. complex malware, exploits in graphic files,
> and others), ClamAV uses special algorithms to provide accurate
> detection. This option controls the algorithmic detection.
> Default: yes
>
> HeuristicScanPrecedence BOOL
> Allow heuristic match to take precedence. When enabled, if a
> heuristic scan (such as phishingScan) detects a possible
> virus/phishing it will stop scanning immediately. Recommended,
> saves CPU scan-time. When disabled, virus/phishing detected by
> heuristic scans will be reported only at the end of a scan. If
> an archive contains both a heuristically detected virus/phish-
> ing, and a real malware, the real malware will be reported. Keep
> this disabled if you intend to handle "*.Heuristics.*" viruses
> differently from "real" malware. If a non-heuristically-detected
> virus (signature-based) is found first, the scan is interrupted
> immediately, regardless of this config option.
> Default: no
>
> ScanPE BOOL
> PE stands for Portable Executable - it's an executable file for-
> mat used in all 32 and 64-bit versions of Windows operating sys-
> tems. This option allows ClamAV to perform a deeper analysis of
> executable files and it's also required for decompression of
> popular executable packers such as UPX.
> If you turn off this option, the original files will still be
> scanned, but without additional processing.
> Default: yes
>
> ScanELF BOOL
> Executable and Linking Format is a standard format for UN*X exe-
> cutables. This option allows you to control the scanning of ELF
> files.
> If you turn off this option, the original files will still be
> scanned, but without additional processing.
> Default: yes
>
> ScanMail BOOL
> Enable scanning of mail files.
> If you turn off this option, the original files will still be
> scanned, but without parsing individual messages/attachments.
> Default: yes
>
> ScanPartialMessages BOOL
> Scan RFC1341 messages split over many emails. You will need to
> periodically clean up $TemporaryDirectory/clamav-partial direc-
> tory. WARNING: This option may open your system to a DoS attack.
> Never use it on loaded servers.
> Default: no
>
> PhishingSignatures BOOL
> Enable email signature-based phishing detection.
> Default: yes
>
> PhishingScanURLs BOOL
> Enable URL signature-based phishing detection (Phishing.Heuris-
> tics.Email.*)
> Default: yes
>
> StructuredDataDetection BOOL
> Enable the DLP module.
> Default: no
>
> StructuredMinCreditCardCount NUMBER
> This option sets the lowest number of Credit Card numbers found
> in a file to generate a detect.
> Default: 3
>
> StructuredMinSSNCount NUMBER
> This option sets the lowest number of Social Security Numbers
> found in a file to generate a detect.
> Default: 3
>
> StructuredSSNFormatNormal BOOL
> With this option enabled the DLP module will search for valid
> SSNs formatted as xxx-yy-zzzz.
> Default: Yes
>
> StructuredSSNFormatStripped BOOL
> With this option enabled the DLP module will search for valid
> SSNs formatted as xxxyyzzzz.
> Default: No
>
> ScanHTML BOOL
> Perform HTML/JavaScript/ScriptEncoder normalisation and decryp-
> tion.
> If you turn off this option, the original files will still be
> scanned, but without additional processing.
> Default: yes
>
> ScanOLE2 BOOL
> This option enables scanning of OLE2 files, such as Microsoft
> Office documents and .msi files.
> If you turn off this option, the original files will still be
> scanned, but without additional processing.
> Default: yes
>
> ScanPDF BOOL
> This option enables scanning within PDF files.
> If you turn off this option, the original files will still be
> scanned, but without additional processing.
> Default: yes
>
> ScanSWF BOOL
> This option enables scanning within SWF files.
> If you turn off this option, the original files will still be
> scanned, but without decoding and additional processing.
> Default: yes
>
> ScanXMLDOCS BOOL
> This option enables scanning xml-based document files supported
> by libclamav.
> If you turn off this option, the original files will still be
> scanned, but without additional processing.
> Default: yes
>
> ScanHWP3 BOOL
> This option enables scanning HWP3 files.
> If you turn off this option, the original files will still be
> scanned, but without additional processing.
> Default: yes
>
> ScanArchive BOOL
> Scan within archives and compressed files.
> If you turn off this option, the original files will still be
> scanned, but without unpacking and additional processing.
> Default: yes
>
> AlertBrokenExecutables BOOL
> Alert on broken executable files (PE & ELF).
> Default: no
>
> AlertEncrypted BOOL
> Alert on encrypted archives and documents (encrypted .zip,
> .7zip, .rar, .pdf).
> Default: no
>
> AlertEncryptedArchive BOOL
> Alert on encrypted archives (encrypted .zip, .7zip, .rar).
> Default: no
>
> AlertEncryptedDoc BOOL
> Alert on encrypted documents (encrypted .pdf).
> Default: no
>
> AlertOLE2Macros BOOL
> Alert on OLE2 files containing VBA macros (Heuristics.OLE2.Con-
> tainsMacros).
> Default: no
>
> AlertExceedsMax BOOL
> Alert on files that exceed max file size, max scan size, or max
> recursion limit (Heuristics.Limits.Exceeded).
> Default: no
>
> AlertPhishingSSLMismatch BOOL
> Alert on emails containing SSL mismatches in URLs (might lead to
> false positives!).
> Default: no
>
> AlertPhishingCloak BOOL
> Alert on emails containing cloaked URLs (might lead to some
> false positives).
> Default: no
>
> AlertPartitionIntersection BOOL
> Alert on raw DMG image files containing partition intersections.
> Default: no
>
> ForceToDisk
> This option causes memory or nested map scans to dump the con-
> tent to disk.
> If you turn on this option, more data is written to disk and is
> available when the leave-temps option is enabled at the cost of
> more disk writes.
> Default: no
>
> MaxScanSize SIZE
> Sets the maximum amount of data to be scanned for each input
> file. Archives and other containers are recursively extracted
> and scanned up to this value. The size of an archive plus the
> sum of the sizes of all files within archive count toward the
> scan size. For example, a 1M uncompressed archive containing a
> single 1M inner file counts as 2M toward the max scan size.
> Warning: disabling this limit or setting it too high may result
> in severe damage to the system.
> Default: 100M
>
> MaxFileSize SIZE
> Files larger than this limit won't be scanned. Affects the input
> file itself as well as files contained inside it (when the input
> file is an archive, a document or some other kind of container).
> Warning: disabling this limit or setting it too high may result
> in severe damage to the system.
> Default: 25M
>
> MaxRecursion NUMBER
> Nested archives are scanned recursively, e.g. if a Zip archive
> contains a RAR file, all files within it will also be scanned.
> This options specifies how deeply the process should be contin-
> ued. Warning: setting this limit too high may result in severe
> damage to the system.
> Default: 16
>
> MaxFiles NUMBER
> Number of files to be scanned within an archive, a document, or
> any other kind of container. Warning: disabling this limit or
> setting it too high may result in severe damage to the system.
> Default: 10000
>
> MaxEmbeddedPE SIZE
> This option sets the maximum size of a file to check for embed-
> ded PE.
> Files larger than this value will skip the additional analysis
> step.
> Negative values are not allowed.
> Default: 10M
>
> MaxHTMLNormalize SIZE
> This option sets the maximum size of a HTML file to normalize.
> HTML files larger than this value will not be normalized or
> scanned.
> Negative values are not allowed.
> Default: 10M
>
> MaxHTMLNoTags SIZE
> This option sets the maximum size of a normalized HTML file to
> scan.
> HTML files larger than this value after normalization will not
> be scanned.
> Negative values are not allowed.
> Default: 2M
>
> MaxScriptNormalize SIZE
> This option sets the maximum size of a script file to normalize.
> Script content larger than this value will not be normalized or
> scanned.
> Negative values are not allowed.
> Default: 5M
>
> MaxZipTypeRcg SIZE
> This option sets the maximum size of a ZIP file to reanalyze
> type recognition.
> ZIP files larger than this value will skip the step to poten-
> tially reanalyze as PE.
> Negative values are not allowed.
> WARNING: setting this limit too high may result in severe damage
> or impact performance.
> Default: 1M
>
> MaxPartitions SIZE
> This option sets the maximum number of partitions of a raw disk
> image to be scanned.
> Raw disk images with more partitions than this value will have
> up to the value partitions scanned.
> Negative values are not allowed.
> WARNING: setting this limit too high may result in severe damage
> or impact performance.
> Default: 50
>
> MaxIconsPE SIZE
> This option sets the maximum number of icons within a PE to be
> scanned.
> PE files with more icons than this value will have up to the
> value number icons scanned.
> Negative values are not allowed.
> WARNING: setting this limit too high may result in severe damage
> or impact performance.
> Default: 100
>
> MaxRecHWP3 NUMBER
> This option sets the maximum recursive calls to HWP3 parsing
> function.
> HWP3 files using more than this limit will be terminated and
> alert the user.
> Scans will be unable to scan any HWP3 attachments if the recur-
> sive limit is reached.
> Negative values are not allowed.
> WARNING: setting this limit too high may result in severe damage
> or impact performance.
> Default: 16
>
> PCREMatchLimit NUMBER
> This option sets the maximum calls to the PCRE match function
> during an instance of regex matching.
> Instances using more than this limit will be terminated and
> alert the user but the scan will continue.
> For more information on match_limit, see the PCRE documentation.
> Negative values are not allowed.
> WARNING: setting this limit too high may severely impact perfor-
> mance.
> Default: 10000
>
> PCRERecMatchLimit NUMBER
> This option sets the maximum recursive calls to the PCRE match
> function during an instance of regex matching.
> Instances using more than this limit will be terminated and
> alert the user but the scan will continue.
> For more information on match_limit_recursion, see the PCRE doc-
> umentation.
> Negative values are not allowed and values > PCREMatchLimit are
> superfluous.
> WARNING: setting this limit too high may severely impact perfor-
> mance.
> Default: 2000
>
> PCREMaxFileSize SIZE
> This option sets the maximum filesize for which PCRE subsigs
> will be executed.
> Files exceeding this limit will not have PCRE subsigs executed
> unless a subsig is encompassed to a smaller buffer.
> Negative values are not allowed.
> Setting this value to zero disables the limit.
> WARNING: setting this limit too high or disabling it may severe-
> ly impact performance.
> Default: 25M
>
> ScanOnAccess BOOL
> This option enables on-access scanning (Linux only)
> Default: disabled
>
> OnAccessIncludePath STRING
> This option specifies a directory (including all files and
> directories inside it), which should be scanned on access. This
> option can be used multiple times.
> Default: disabled
>
> OnAccessExcludePath STRING
> This option allows excluding directories from on-access scan-
> ning. It can be used multiple times.
> Default: disabled
>
> OnAccessExcludeRootUID BOOL
> With this option you can whitelist the root UID (0). Processes
> run under root will be able to access all files without trigger-
> ing scans or permission denied events.
> Note that if clamd cannot check the uid of the process that gen-
> erated an on-access scan event (e.g., because OnAccessPrevention
> was not enabled, and the process already exited), clamd will
> perform a scan. Thus, setting OnAccessExcludeRootUID is not
> guaranteed to prevent every access by the root user from trig-
> gering a scan (unless OnAccessPrevention is enabled).
> Default: no
>
> OnAccessExcludeUID NUMBER
> With this option you can whitelist specific UIDs. Processes with
> these UIDs will be able to access all files without triggering
> scans or permission denied events.
> This option can be used multiple times (one per line).
> Note: using a value of 0 on any line will disable this option
> entirely. To whitelist the root UID (0) please enable the OnAc-
> cessExcludeRootUID option.
> Also note that if clamd cannot check the uid of the process that
> generated an on-access scan event (e.g., because OnAccessPreven-
> tion was not enabled, and the process already exited), clamd
> will perform a scan. Thus, setting OnAccessExcludeUID is not
> guaranteed to prevent every access by the specified uid from
> triggering a scan (unless OnAccessPrevention is enabled).
> Default: disabled
>
> OnAccessMaxFileSize SIZE
> Files larger than this value will not be scanned in on access.
> Default: 5M
>
> OnAccessMountPath STRING
> Specifies a mount point (including all files and directories
> under it), which should be scanned on access. This option can be
> used multiple times.
> Default: disabled
>
> OnAccessDisableDDD BOOL
> Disables the dynamic directory determination system which allows
> for recursively watching include paths.
> Default: no
>
> OnAccessPrevention BOOL
> Enables fanotify blocking when malicious files are found.
> Default: disabled
>
> DisableCertCheck BOOL
> Disable authenticode certificate chain verification in PE files.
> Default: no
>
> NOTES
>
>
> All options expressing a size are limited to max 4GB. Values in excess
> will be reset to the maximum.
>
> FILES
>
>
> /usr/local/ClamXAV3/etc/clamd.conf
>
> AUTHORS
>
>
> Tomasz Kojm <tkojm at clamav.net>, Kevin Lin <klin at sourcefire.com>
>
> SEE ALSO
>
>
> clamd(8), clamdscan(1), clamav-milter(8), freshclam(1), fresh-
> clam.conf(5)
>
>
>
> ClamAV 0.101.4 December 4, 2013 clamd.conf(5)
On Nov 24, 2019, at 11:48 PM, Grscripts via clamav-users <clamav-users at lists.clamav.net> wrote:
>
> does not work "man clamd.conf"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20191125/c78300ca/attachment.htm>
More information about the clamav-users
mailing list