Clamdscan, Centos 7 troubleshoot

Hello.

Been a user since Centos 5 and I love Virtualmin! It’s a very powerful tool, that saves me a lot of steps and know-how to set up, run and maintain servers.
So, first of all a big THANK YOU! for the product you keep up!

Since Centos 7, I’m having no luck getting Clamav to scan emails. It was “ok” until now, when I’m having a massive number of infected messages. Spam filtering is working well, but virus-infected messages always end up in users’ mailboxes.

So I decided to look deeper.
After reading here in the forum and other places, I tried to set clamdscan working as LocalSocket.
After much tweaking, it worked for a couple of hours, but the next day the same error was back:

ERROR: Could not connect to clamd on LocalSocket /var/run/clamd.scan/clamd.sock: Permission denied

I tried to delete .sock and .pid, restart service so it would place them. Same resulting error.
I tried as in (Clamdscan in CentOS 7) to manually set owner and permissions on files. Same resulting error.

Some time ago it could be a problem with packages installed from epel instead of the virtualmin repo. Nowadays it’s all from epel, latest versions.

I tried in TCP mode. And it works. Until it fails again.

From log:

Fri Feb 14 02:37:38 2020 -> Listening daemon: PID: 23842
Fri Feb 14 02:37:38 2020 -> MaxQueue set to: 100
Fri Feb 14 02:39:37 2020 -> instream(127.0.0.1@39060): OK
Fri Feb 14 02:43:07 2020 -> instream(127.0.0.1@39088): Heuristics.Encrypted.Zip FOUND
Fri Feb 14 02:43:30 2020 -> instream(127.0.0.1@39102): OK
Fri Feb 14 02:43:32 2020 -> instream(127.0.0.1@39106): Heuristics.Encrypted.Zip FOUND
Fri Feb 14 02:50:20 2020 -> Waiting for all threads to finish
Fri Feb 14 02:50:48 2020 -> Shutting down the main socket.
Fri Feb 14 02:50:48 2020 -> Pid file removed.
Fri Feb 14 02:50:48 2020 -> --- Stopped at Fri Feb 14 02:50:48 2020
Fri Feb 14 02:50:48 2020 -> Closing the main socket.
Fri Feb 14 09:04:39 2020 -> +++ Started at Fri Feb 14 09:04:39 2020
Fri Feb 14 09:04:39 2020 -> Received 0 file descriptor(s) from systemd.
Fri Feb 14 09:04:39 2020 -> clamd daemon 0.101.5 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Fri Feb 14 09:04:39 2020 -> Running as user clamscan (UID 991, GID 987)
Fri Feb 14 09:04:39 2020 -> Log file size limited to 2097152 bytes.
Fri Feb 14 09:04:39 2020 -> Reading databases from /var/lib/clamav
Fri Feb 14 09:04:39 2020 -> Not loading PUA signatures.
Fri Feb 14 09:04:39 2020 -> Bytecode: Security mode set to "TrustSigned".
Fri Feb 14 09:04:59 2020 -> Loaded 6739199 signatures.
Fri Feb 14 09:05:03 2020 -> TCP: Bound to [127.0.0.1]:3310
Fri Feb 14 09:05:03 2020 -> TCP: Setting connection queue length to 200
Fri Feb 14 09:05:04 2020 -> Limits: Global time limit set to 120000 milli

So, I’m stuck both ways. LocalSocket, permissions error. LocalTCP, fails after some time.

Can someone please help me understand what I am missing or doing wrong?

Service shows as running:

● clamd@scan.service - clamd scanner (scan) daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Sex 2020-02-14 11:06:58 WAT; 9min ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 3840 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/%i.conf (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           ├─2911 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
           └─3847 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

But under procmail logs, I still have:

ERROR: Could not connect to clamd on LocalSocket /var/run/clamd.scan/clamd.sock: Permission denied

Thank you.

Hello again.

Have 2 Centos 7 with Virtualmin installed. Was having this problem in both.
Decided to uninstall and reinstall all clamav related packages with yum:

clamav-0.101.5-1.el7.x86_64
clamav-update-0.101.5-1.el7.x86_64
clamav-lib-0.101.5-1.el7.x86_64
clamav-data-0.101.5-1.el7.noarch
clamav-filesystem-0.101.5-1.el7.noarch
clamd-0.101.5-1.el7.x86_64

I had clamav-devel installed, but it’s not needed. In fact in one server after reinstallation (without clamav-devel), and commenting scan.conf to remove “Example” line

I set it up with:

# Example config file for the Clam AV daemon
# Please read the clamd.conf(5) manual before editing this file.

# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamd.scan

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
# Default: 1M
LogFileMaxSize 2M

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
#LogVerbose yes

# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes

# Enable Prelude output.
# Default: no
#PreludeEnable yes

# Set the name of the analyzer used by prelude-admin.
# Default: ClamAV
#PreludeAnalyzerName ClamAV

# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
#PidFile /run/clamd.scan/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp
TemporaryDirectory /tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav

# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamd.scan/clamd.sock

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660

# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes

# TCP port address.
# Default: no
#TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300

# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 30
#CommandReadTimeout 30

# This option specifies how long to wait (in milliseconds) if the send buffer
# is full.
# Keep this value low to prevent clamd hanging
# Default: 500
#SendBufTimeout 200

# Maximum number of queued items (including those being processed by
# MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file
# descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
# max is 1024)
# Default: 100
#MaxQueue 200

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes

# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamscan

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
# any ALLMATCHSCAN command as invalid.
# Default: yes
#AllowAllMatchScan no

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# Exclude a specific PUA category. This directive can be used multiple times.
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
# the complete list of PUA categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool

# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT

# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
#ForceToDisk yes

# This option allows you to disable the caching feature of the engine. By
# default, the engine will store an MD5 in a cache of any files that are
# not flagged as virus or that hit limits checks. Disabling the cache will
# have a negative performance impact on large scans.
# Default: no
#DisableCache yes

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
# may be malicious. This option enables alerting on such heuristically
# detected potential threats.
# Default: yes
#HeuristicAlerts yes

# Allow heuristic alerts to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
# Keep this disabled if you intend to handle ".Heuristics." viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
# Default: no
#HeuristicScanPrecedence yes

# Heuristic Alerts

# With this option clamav will try to detect broken executables (both PE and
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes

# Alert on encrypted archives and documents with heuristic signature (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes

# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip, .rar).
# Default: no
#AlertEncryptedArchive yes

# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes

# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes

# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#AlertPhishingSSLMismatch yes

# Alert on cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#AlertPhishingCloak yes

# Alert on raw DMG image files containing partition intersections
# Default: no
#AlertPartitionIntersection yes

# Executable files

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option
# allows ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
#ScanPE yes

# Certain PE files contain an authenticode signature. By default, we check
# the signature chain in the PE file against a database of trusted and
# revoked certificates if the file being scanned is marked as a virus.
# If any certificate in the chain validates against any trusted root, but
# does not match any revoked certificate, the file is marked as whitelisted.
# If the file does match a revoked certificate, the file is marked as virus.
# The following setting completely turns off authenticode verification.
# Default: no
#DisableCertCheck yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanELF yes

# Documents

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanOLE2 yes

# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes

# This option enables scanning within SWF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanSWF yes

# This option enables scanning xml-based document files supported by libclamav.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanXMLDOCS yes

# This option enables scanning of HWP3 files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanHWP3 yes

# Mail files

# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
#ScanMail yes

# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial
# directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes

# With this option enabled ClamAV will try to detect phishing attempts by using
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
#PhishingSignatures no

# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
#PhishingScanURLs no

# Data Loss Prevention (DLP)

# Enable the DLP module
# Default: No
#StructuredDataDetection yes

# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes

# HTML

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes

# Archives

# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
#ScanArchive yes

# Limits

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# This option sets the maximum amount of time to a scan may take.
# In this version, this field only affects the scan time of ZIP archives.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result allow scanning
# of certain files to lock up the scanning process/threads resulting in a Denial
# of Service.
# Time is in milliseconds.
# Default: 120000
#MaxScanTime 300000

# This option sets the maximum amount of data to be scanned for each input
# file.
# Archives and other containers are recursively extracted and scanned up to
# this value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10

# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000

# Maximum size of a file to check for embedded PE. Files larger than this value
# will skip the additional analysis step.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxEmbeddedPE 10M

# Maximum size of a HTML file to normalize. HTML files larger than this value
# will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxHTMLNormalize 10M

# Maximum size of a normalized HTML file to scan. HTML files larger than this
# value after normalization will not be scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 2M
#MaxHTMLNoTags 2M

# Maximum size of a script file to normalize. Script content larger than this
# value will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 5M
#MaxScriptNormalize 5M

# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M

# This option sets the maximum number of partitions of a raw disk image to be
# scanned.
# Raw disk images with more partitions than this value will have up to
# the value number partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact
# performance.
# Default: 50
#MaxPartitions 128

# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number
# icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 100
#MaxIconsPE 200

# This option sets the maximum recursive calls for HWP3 parsing during
# scanning. HWP3 files using more than this limit will be terminated and
# alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit
# is reached.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 16
#MaxRecHWP3 16

# This option sets the maximum calls to the PCRE match function during
# an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit, see the PCRE documentation.
# Negative values are not allowed.
# WARNING: setting this limit too high may severely impact performance.
# Default: 100000
#PCREMatchLimit 20000

# This option sets the maximum recursive calls to the PCRE match function
# during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit_recursion, see the PCRE documentation.
# Negative values are not allowed and values > PCREMatchLimit are superfluous.
# WARNING: setting this limit too high may severely impact performance.
# Default: 2000
#PCRERecMatchLimit 10000

# This option sets the maximum filesize for which PCRE subsigs will be
# executed. Files exceeding this limit will not have PCRE subsigs executed
# unless a subsig is encompassed to a smaller buffer.
# Negative values are not allowed.
# Setting this value to zero disables the limit.
# WARNING: setting this limit too high or disabling it may severely impact
# performance.
# Default: 25M
#PCREMaxFileSize 100M

# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# MaxRecursion limit will be flagged with the virus
# "Heuristics.Limits.Exceeded".
# Default: no
#AlertExceedsMax yes

# On-access Scan Settings

# Enable on-access scanning. Currently, this is supported via fanotify.
# Clamuko/Dazuko support has been deprecated.
# Default: no
#ScanOnAccess yes

# Set the mount point to be scanned. The mount point specified, or the mount
# point containing the specified directory will be watched. If any directories
# are specified, this option will preempt the DDD system. This will notify
# only. It can be used multiple times.
# (On-access scan only)
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user

# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#OnAccessMaxFileSize 10M

# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line. (On-access scan only)
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.
# (On-access scan only)
# Default: disabled
#OnAccessExcludePath /home/bofh

# With this option you can whitelist the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeRootUID is not guaranteed to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no

# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
# denied events.
# This option can be used multiple times (one per line).
# Using a value of 0 on any line will disable this option entirely.
# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
# option.
# Also note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeUID is not guaranteed to prevent every access by the
# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
# Default: disabled
#OnAccessExcludeUID -1

# Toggles dynamic directory determination. Allows for recursively watching
# include paths.
# (On-access scan only)
# Default: no
#OnAccessDisableDDD yes

# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
# and not perform any blocking.
# (On-access scan only)
# Default: no
#OnAccessPrevention yes

# Toggles extra scanning and notifications when a file or directory is
# created or moved.
# Requires the DDD system to kick-off extra scans.
# NOTE: This feature is disabled until a thread resource leak bug
# in the OnAccessExtraScanning code can be resolved.
# (On-access scan only)
# Default: no
#OnAccessExtraScanning yes

# Bytecode

# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss
# detections for many new viruses.
# Default: yes
#Bytecode yes

# Set bytecode security level.
# Possible values:
#   None - No security at all, meant for debugging.
#     DO NOT USE THIS ON PRODUCTION SYSTEMS.
#     This value is only available if clamav was built
#     with --enable-debug!
#   TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
#     runtime safety checks for bytecode loaded from other sources.
#   Paranoid - Don't trust any bytecode, insert runtime checks for all.
# Recommended: TrustSigned, because bytecode in .cvd files already has these
# checks.
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
# Default: TrustSigned
#BytecodeSecurity TrustSigned

# Set bytecode timeout in milliseconds.
# Default: 5000
BytecodeTimeout 1000

# Statistics gathering and submitting

And yes, without PID line in scan.conf it is working properly and scanning all mail in server #1
Also, in default/sample conf file I found that sock file path was /run/clamd.scan
I changed it to /var/run/clamd.scan/clamd.sock

Like I said, all is working, so…

Tried to replicate to server #2 without success, same error:

ERROR: Could not connect to clamd on LocalSocket /var/run/clamd.scan/clamd.sock: Permission denied

Is this solvable? I’m sure it is. What I’m not sure of is whether I will be able to find out.
Can someone help please? Thanks.

It’s working now.

All I did on server #2 was to set 755 on /var/run/clamd.scan

And now it works.
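
The fix reported above (mode 755 on /var/run/clamd.scan) points at a parent directory, not the socket, as the component that denied access. As an added example that is not part of the original posts, the script below walks the path to a clamd LocalSocket and names the first component whose mode bits block a client in the "other" class; the function names and the file name check_sock.sh are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added diagnostic example, not code from the thread.
# Finds the first path component whose mode bits stop a client in the "other"
# class (not the owner, not in the owning group) from connecting to a clamd
# LocalSocket. Decisions come from mode bits via GNU stat, so the answer is
# the same when the script is run as root. ACLs and SELinux are not examined.

# Print the "other" permission digit (last octal digit) of a path.
other_digit() {
    mode=$(stat -c '%a' "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# Check directories parents-first, from just below $STOP_AT down to $1.
# Traversing a directory needs the search (x) bit.
check_dirs() {
    case $1 in "$STOP_AT"|/|.) return 0 ;; esac
    check_dirs "$(dirname "$1")" || return 1
    o=$(other_digit "$1") || { echo "cannot stat $1"; return 1; }
    if [ $((o & 1)) -eq 0 ]; then
        echo "blocked at $1 (mode $(stat -c '%a' "$1")): others lack search (x)"
        return 1
    fi
}

# first_blocker SOCKET [STOP_AT]
# Prints "ok", or the first blocking component. STOP_AT (default /) is an
# ancestor that is assumed traversable and is not checked.
first_blocker() {
    STOP_AT=${2:-/}
    check_dirs "$(dirname "$1")" || return 1
    o=$(other_digit "$1") || { echo "cannot stat $1"; return 1; }
    # On Linux, connect() to a pathname socket needs write on the socket file.
    if [ $((o & 2)) -eq 0 ]; then
        echo "blocked at $1 (mode $(stat -c '%a' "$1")): others lack write (w)"
        return 1
    fi
    echo "ok"
}

# Usage (hypothetical file name): sh check_sock.sh /var/run/clamd.scan/clamd.sock
if [ "$#" -gt 0 ]; then
    first_blocker "$@"
fi
```

On CentOS 7 /var/run is a symlink to the tmpfs /run, so the directory is recreated at boot and a manual chmod may need to be made persistent in whatever creates it. A narrower alternative to a world-traversable directory and world-accessible socket is the LocalSocketGroup / LocalSocketMode 660 pair shown commented out in the config, with the mail delivery user added to that group.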