DOCUMENTATION
Non-Debian documentation has been removed (i.e., how to install on UnixXXX,
etc.). The original documentation is still available in the source
package. Download the source using the command 'apt-get source clamav'.
CONFIGURATION
There are several changes made to the default configuration provided by
upstream. Both the autogenerated configuration files and the ones
shipped under examples/ have been edited to provide FHS compliant paths
for things like logfiles, pidfiles, and sockets. The autogenerated
configuration files additionally contain some non-default values, as I
feel the upstream defaults do not provide the 'out of the box'
arrangement most suited to the average user.
In particular, I believe the following choices are more suited to most
default configurations than the upstream defaults:
FixStaleSocket
  This removes a socket file left over from a previous clamd that had
  an unclean shutdown. This allows for easier restarting.
LogFileMaxSize
  Setting this to 0 disables truncation of the logfile. As the default
  Debian configuration uses logrotate, this is not an issue except on
  severely disk constrained systems.
DetectBrokenExecutables
  This will pick up many viral fragments that are likely not harmful
  in and of themselves, but may cause end users to worry that they
  received something their A/V scanner identifies.
ArchiveBlockMax
  This makes the assumption that if you are setting the various
  Archive* options, you would rather block than pass through if one of
  those conditions is met.
All ClamAV configuration files (in other words, all files under /etc/)
are handled by ucf, as they are dynamically generated. If you want
to affect ucf's behavior with regard to conffile handling, please see
/etc/ucf.conf or ucf(1).
CLAMAV-DAEMON
CONFIG FILE HANDLING
Configuration handling for clamav-daemon has debconf support. During
install the default values stored in debconf-template are used to
create a configuration file. Due to the complexity of configuring the
daemon no questions are asked during install. If you want to change this
configuration you have two options:
1. 'point-and-click' re-configuration using debconf
The vast majority of options can be accessed by running
'dpkg-reconfigure clamav-daemon'
Clamav-daemon's configuration is quite complex. However its full
complexity shouldn't be felt by users since the majority of the
questions already have sensible defaults.
2. The package also handles manual editing of its configuration file,
/etc/clamav/clamd.conf, gracefully.
While it's possible to mix debconf and manual editing, it isn't
recommended, since it can lead to confusing results. Debconf attempts to
respect any changes you have done manually in /etc/clamav/clamd.conf.
Every care has been taken to make sure your changes are preserved over
upgrade, but if you are going to manage your conf file manually, please
take a moment and run dpkg-reconfigure clamav-daemon, and answer no to
debconf management.
Just running dpkg-reconfigure clamav-daemon won't reset
/etc/clamav/clamd.conf to a debconf generated configuration
file. If you want to discard all your manual changes just run
  ucf -p /etc/clamav/clamd.conf; dpkg-reconfigure clamav-daemon
WARNINGS
The ScanMail option has stabilized somewhat over previous releases, and
is now enabled by default. However, this is where the bulk of libclamav's
bugs lie. This is largely due to the arms race nature of trying to keep
up with virus writers' interesting ideas about MIME, and certain MUAs'
willingness to go along with those ideas. Caveat emptor, you have been
warned.
As of version 0.71-1, clamd will no longer run as root by default. This
decision was made due to the fact that it is still pre-1.0 software, and
there are still many bugs to be worked out. This decision can be
overridden by editing /etc/clamav/clamd.conf, and changing User to the
value desired. This decision will help isolate your system from any
flaws in clamd (see http://bugs.debian.org/247574 for an example of a
problem caused by clamd following symlinks in an archive), but will mean
some compromises in functionality.
In case you happen to have the TMPDIR variable set in your root environment,
please make sure that TemporaryDirectory is set to something sane in
/etc/clamav/clamd.conf (the Debian packages default to /tmp), as otherwise
clamd will fail to operate after changing its user id as noted above.
MTA INTEGRATION
SENDMAIL
So long as sendmail can write to clamav-milter's socket, the rest
of the communication is handled between the milter and clamd, and
permissions are not a problem. apt-get install clamav-milter, and
see the configuration instructions for CLAMAV-MILTER found below.
EXIM4
Exim4 users will want to either run clamd as User Debian-exim, so clamd
has read and write permissions on the scan/ directory, or (better)
add clamav to group Debian-exim. You may also need to ensure the scan/
directory is group writable (on Debian systems, this is
/var/spool/exim4/scan).
To enable clamav in the Debian exim4 packages, add
  av_scanner = clamd:/var/run/clamav/clamd.ctl
(or if you've chosen tcp sockets)
  av_scanner = clamd:127.0.0.1 3310
to the main configuration settings (a new file under
/etc/exim4/conf.d/main/ if split config is being used).
Then add the following to your data time acl:
  deny message = This message contains a virus: ($malware_name) please scan your system.
       malware = *
(The data acl is defined in /etc/exim4/conf.d/acl/40_exim4-config_check_data
by default if split config is being used.)
AMAVIS
Amavis variants can achieve the same functionality by adding the clamav
user to the amavis group.
POSTFIX
Recent versions of postfix have support for milters. This allows
clamav-milter to be used reasonably well with postfix, although
group permissions on the actual socket can be a problem.
See the end of the CLAMAV-MILTER section below for some details.
Other MTAs I am not as familiar with, but the same principles apply -
clamav needs read and write access to the directory where messages are
unpacked (as is the case with amavis and exim4), and the MTA needs
read/write permissions to clamav's socket file, if it is run listening
to a unix socket rather than a network socket.
By default, Postfix in Debian runs in a chroot, so the default Unix socket
location for clamav-milter will not work with it. To resolve this issue,
either unchroot Postfix, change the clamav-milter socket to an inet socket,
or change the Unix socket path to the location in the chroot
(/var/spool/postfix).
ERRATA
For those who use clamav-daemon primarily for system scans (although
since clamd detects largely MS viruses, the utility of doing this on
a regular basis is somewhat limited in most linux-only environments),
there is probably no alternative but to run clamd as User root or
use clamscan (see below). If you are doing this, I highly suggest
running it listening on a Unix socket, and restricting read/write
permissions to it to prevent unauthorized access. In these
circumstances, running clamscan instead is probably safer as the
overhead of per-instance database loading is vastly outweighed by the
length of the scan, and it eliminates running a daemon as root.
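
The WARNINGS notes on User and TemporaryDirectory and the socket advice above can be checked mechanically. The following is an added example, not part of the Debian package or of upstream ClamAV; the function names and finding codes are hypothetical, and LocalSocketMode is a clamd.conf option this README does not otherwise mention.

```python
# Constructed sample for illustration; not a file shipped by the package.
SAMPLE_CONF = """\
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
User root
TCPSocket 3310
"""

def parse_clamd_conf(text):
    """Return {option: [values]} from 'Option value' lines; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts

def audit(text, root_tmpdir=None):
    """Return finding codes; root_tmpdir is the TMPDIR value from root's environment."""
    opts = parse_clamd_conf(text)
    findings = []
    # Assumption: without a User line clamd keeps the privileges it was started with.
    as_root = opts.get("User", ["root"])[-1] == "root"
    if as_root:
        findings.append("runs-as-root")
        if "TCPSocket" in opts:
            findings.append("root-daemon-on-tcp-socket")
        if "LocalSocket" in opts:
            # Assumption: with no LocalSocketMode the socket is world accessible.
            mode = int(opts.get("LocalSocketMode", ["666"])[-1], 8)
            if mode & 0o006:
                findings.append("root-daemon-socket-world-accessible")
    elif root_tmpdir and "TemporaryDirectory" not in opts:
        # clamd would inherit root's TMPDIR and fail after dropping privileges.
        findings.append("tmpdir-inherited-from-root")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```
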
As of 0.75-1, there is support for running both clamd and clamav-milter
under daemon. Just install daemon, and add Foreground to clamd.conf.
Beware that this affects both clamd and clamav-milter, it is not either
or.
Note also that the clamd package contains an empty directory
/etc/clamav/virusevent.d/. Admins and other packagers are encouraged to
use this directory to store scripts that should be executed after a virus
is detected. To enable the feature, you will have to add:
  VirusEvent /bin/run-parts --lsbsysinit /etc/clamav/virusevent.d/
to /etc/clamav/clamd.conf.
CLAMSCAN
clamscan has the same flaws as clamav-daemon when it comes to handling mbox
attachments (the code with the bugs is in the library). The consequences of
such bugs are not as heavy in clamscan, since it is completely restarted on
each invocation, whereas clamd may be taken down by the same bug. If you do
a high number of scans (for example, a separate scan for each received
email), then clamd may better suit your needs. If you are doing full
system scans, then there is no noticeable performance benefit to the daemon,
and you can easily substitute clamscan, and eliminate the need to run clamd
as root.
CLAMAV-FRESHCLAM
Clam Antivirus doesn't support the oav-database anymore. The freshclam
auto updating setup is much simpler than the oav counterpart.
The clamav-freshclam package includes virus databases, but these
are only used if fresh ones cannot be downloaded directly from the
database servers, or if you do not have them already in place (e.g.,
from the clamav-data package).
If you don't have Internet access you should install the clamav-data
package, which contains a static database. You can even (re)create
a clamav-data package yourself from an Internet connected computer
using the clamav-getfiles package. Note that this feature will likely
be phased out in the future - freshclam already verifies digital
signatures on the databases, and it may refuse to load an unsigned one.
Hopefully at that point, though, there will be a better mechanism to
self-sign databases, and feed the correct signature to freshclam.
Note also that the freshclam package contains the empty directories
/etc/clamav/onupdateexecute.d and /etc/clamav/onerrorexecute.d.
Admins and other packagers are encouraged to use these directories to store
scripts that should be executed after an update or an error. To enable
the feature, you will have to add to /etc/clamav/freshclam.conf:
  OnUpdateExecute /bin/run-parts --lsbsysinit /etc/clamav/onupdateexecute.d/
  OnErrorExecute /bin/run-parts --lsbsysinit /etc/clamav/onerrorexecute.d/
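
Scripts dropped into virusevent.d, onupdateexecute.d or onerrorexecute.d only run if run-parts accepts them: with --lsbsysinit the file name must fall into one of the namespaces listed in run-parts(8), and the file must be executable. The following is an added example, not part of the package, that reports why a hook would not run; the function names and the sample file names are hypothetical.

```python
import os
import re
import tempfile

# Name rules documented in run-parts(8) for --lsbsysinit.
LSB_PATTERNS = [
    re.compile(r"^[a-z0-9]+$"),                   # LANANA-assigned namespace
    re.compile(r"^_?([a-z0-9_.]+-)+[a-z0-9]+$"),  # LSB hierarchical and reserved
    re.compile(r"^[a-zA-Z0-9_-]+$"),              # Debian cron script namespace
]
DPKG_SUFFIXES = (".dpkg-old", ".dpkg-dist", ".dpkg-new", ".dpkg-tmp")

def skip_reason(directory, name):
    """Return None if the hook is eligible to run, else the reason it is not."""
    path = os.path.join(directory, name)
    if name.endswith(DPKG_SUFFIXES):
        return "dpkg leftover suffix"
    if not any(p.match(name) for p in LSB_PATTERNS):
        return "name outside lsbsysinit namespaces"
    if not os.path.isfile(path):
        return "not a regular file"
    if not os.stat(path).st_mode & 0o111:
        return "no execute bit"
    return None

def audit_hook_dir(directory):
    """Map every entry in a hook directory to its skip reason (None = runs)."""
    return {n: skip_reason(directory, n) for n in sorted(os.listdir(directory))}

def demo():
    """Audit a constructed hook directory (sample names, created in a temp dir)."""
    samples = [("10-notify", 0o755), ("notify.sh", 0o755),
               ("20-quarantine", 0o644), ("30-log.dpkg-old", 0o755)]
    with tempfile.TemporaryDirectory() as d:
        for name, mode in samples:
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        return audit_hook_dir(d)

if __name__ == "__main__":
    for name, reason in demo().items():
        print(name, "->", reason or "runs")
```

Note that a name such as notify.sh is rejected because of the dot, even though the file is executable.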
CLAMAV-MILTER
Configuration instructions:
Installations for Debian:
New option, contributed by Elrond <elrond+bugs.debian.org@samba-tng.org>:
Add to /etc/mail/sendmail.mc:
  include(`/etc/mail/m4/clamav-milter.m4')dnl
and run sendmailconfig.
Otherwise:
Add to /etc/mail/sendmail.mc:
  INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl
  define(`confINPUT_MAIL_FILTERS', `clamav')
Check entry in /etc/clamav/clamd.conf of the form:
  LocalSocket /var/run/clamav/clamd.ctl
If you already have a filter (such as spamassassin-milter from
http://savannah.nongnu.org/projects/spamass-milt) add it thus:
  INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl
  INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
  define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav')dnl
and run sendmailconfig.
You may find INPUT_MAIL_FILTERS is not needed on your machine, however it
is recommended by the Sendmail documentation and I recommend going along
with that.
I suggest putting SpamAssassin first since you're more likely to get spam
than a virus/worm sent to you.
As of 0.96, clamav-milter will take care of making the socket
writable for a group. This is done by setting MilterSocketGroup and
MilterSocketMode to useful values in your /etc/clamav/clamav-milter.conf
(for instance, "postfix" and "0664", respectively).
APPARMOR PROFILES
If your system uses apparmor, please note that the shipped enforcing profile
works with the default installation, and changes in your configuration may
require changes to the installed apparmor profile. Please see
https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
software.
In particular, clamav-daemon runs as its own user and is confined from
accessing all but a limited set of files. These include the home directory
of the user calling clamav-daemon, but not system files. If you want to
scan files outside of your home directory, the apparmor profile will need to
be updated.
The freshclam utility is also protected by an enforcing profile. If you
want to add files to the /etc/clamav/onerrorexecute.d,
/etc/clamav/onupdateexecute.d, or /etc/clamav/virusevent.d directories,
appropriate rules need to be added to the apparmor profile.
If you prefer to fully disable AppArmor confinement for
clamav-daemon or freshclam, run respectively:
  aa-disable /usr/sbin/clamd
or:
  aa-disable /usr/bin/freshclam
Please see https://wiki.debian.org/AppArmor for information and
documentation on modifying apparmor profiles.