Hello, The /var/spool/mail/root log files on our servers are logging every file that clamav scans, causing the files to become huge. I don't see what in our clamd.conf configuration files would be causing this. Our configuration file follows - any help would be appreciated. ## ## Config file for the Clam AV daemon ## Please read the clamd.conf(5) manual before editing this file. ## # Uncomment this option to enable logging. # LogFile must be writable for the user running daemon. # A full path is required. # Default: disabled LogFile /var/log/clam/clamd.log # By default the log file is locked for writing - the lock protects against # running clamd multiple times (if want to run another clamd, please # copy the configuration file, change the LogFile variable, and run # the daemon with --config-file option). # This option disables log file locking. # Default: no #LogFileUnlock yes # Maximum size of the log file. # Value of 0 disables the limit. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size # in bytes just don't use modifiers. # Default: 1M LogFileMaxSize 10M # Log time with each message. # Default: no LogTime yes # Also log clean files. Useful in debugging but drastically increases the # log size. # Default: no LogClean no # Use system logger (can work together with LogFile). # Default: no LogSyslog no # Specify the type of syslog messages - please refer to 'man syslog' # for facility names. # Default: LOG_LOCAL6 LogFacility LOG_LOCAL6 # Enable verbose logging. # Default: no LogVerbose no # This option allows you to save a process identifier of the listening # daemon (main thread). # Default: disabled PidFile /var/lib/clamav/clamd.pid # Optional path to the global temporary directory. # Default: system specific (usually /tmp or /var/tmp). #TemporaryDirectory /var/tmp # Path to the database directory. # Default: hardcoded (depends on installation options) #DatabaseDirectory /var/lib/clamav # The daemon works in a local OR a network mode. Due to security reasons we # recommend the local mode. # Path to a local socket file the daemon will listen on. # Default: disabled (must be specified by a user) LocalSocket /var/lib/clamav/clamd-socket # Remove stale socket after unclean shutdown. # Default: no FixStaleSocket yes # TCP port address. # Default: no TCPSocket 3310 # TCP address. # By default we bind to INADDR_ANY, probably not wise. # Enable the following to provide some degree of protection # from the outside world. # Default: no TCPAddr 127.0.0.1 # Maximum length the queue of pending connections may grow to. # Default: 15 #MaxConnectionQueueLength 30 # Clamd uses FTP-like protocol to receive data from remote clients. # If you are using clamav-milter to balance load between remote clamd daemons # on firewall servers you may need to tune the options below. # Close the connection when the data size limit is exceeded. # The value should match your MTA's limit for a maximum attachment size. # Default: 10M #StreamMaxLength 20M # Limit port range. # Default: 1024 #StreamMinPort 30000 # Default: 2048 #StreamMaxPort 32000 # Maximum number of threads running at the same time. # Default: 10 MaxThreads 20 # Waiting for data from a client socket will timeout after this time (seconds). # Value of 0 disables the timeout. # Default: 120 #ReadTimeout 300 # Waiting for a new job will timeout after this time (seconds). # Default: 30 #IdleTimeout 60 # Maximum depth directories are scanned at. # Default: 15 MaxDirectoryRecursion 20 # Follow directory symlinks. # Default: no #FollowDirectorySymlinks yes # Follow regular file symlinks. # Default: no #FollowFileSymlinks yes # Perform a database check. # Default: 1800 (30 min) #SelfCheck 600 # Execute a command when virus is found. In the command string %v will # be replaced with the virus name. # Default: no VirusEvent /bin/echo "VIRUS ALERT: %v" | /bin/mail -s "ClamAV" -r [EMAIL PROTECTED] [EMAIL PROTECTED] # Run as another user (clamd must be started by root for this option to work) # Default: don't drop privileges #User vscan # Initialize supplementary group access (clamd must be started by root). # Default: no #AllowSupplementaryGroups no # Stop daemon when libclamav reports out of memory condition. #ExitOnOOM yes # Don't fork into background. # Default: no Foreground no # Enable debug messages in libclamav. # Default: no #Debug yes # Do not remove temporary files (for debug purposes). # Default: no #LeaveTemporaryFiles yes # Detect Possibly Unwanted Applications. # Default: no #DetectPUA yes # In some cases (eg. complex malware, exploits in graphic files, and others), # ClamAV uses special algorithms to provide accurate detection. This option # controls the algorithmic detection. # Default: yes #AlgorithmicDetection yes
## ## Executable files ## # PE stands for Portable Executable - it's an executable file format used # in all 32 and 64-bit versions of Windows operating systems. This option allows # ClamAV to perform a deeper analysis of executable files and it's also # required for decompression of popular executable packers such as UPX, FSG, # and Petite. # Default: yes #ScanPE yes # Executable and Linking Format is a standard format for UN*X executables. # This option allows you to control the scanning of ELF files. # Default: yes #ScanELF yes # With this option clamav will try to detect broken executables (both PE and # ELF) and mark them as Broken.Executable. # Default: no #DetectBrokenExecutables yes ## ## Documents ## # This option enables scanning of OLE2 files, such as Microsoft Office # documents and .msi files. # Default: yes #ScanOLE2 yes # This option enables scanning within PDF files. # Default: no #ScanPDF yes ## ## Mail files ## # Enable internal e-mail scanner. # Default: yes #ScanMail yes # If an email contains URLs ClamAV can download and scan them. # WARNING: This option may open your system to a DoS attack. # Never use it on loaded servers. # Default: no #MailFollowURLs no # Recursion level limit for the mail scanner. # Default: 64 #MailMaxRecursion 128 # With this option enabled ClamAV will try to detect phishing attempts by using # signatures. # Default: yes #PhishingSignatures yes # Scan URLs found in mails for phishing attempts using heuristics. # Default: yes #PhishingScanURLs yes # Use phishing detection only for domains listed in the .pdb database. It is # not recommended to have this option turned off, because scanning of all # domains may lead to many false positives! # Default: yes #PhishingRestrictedScan yes # Always block SSL mismatches in URLs, even if the URL isn't in the database. # This can lead to false positives. # # Default: no #PhishingAlwaysBlockSSLMismatch no # Always block cloaked URLs, even if URL isn't in database. # This can lead to false positives. # # Default: no #PhishingAlwaysBlockCloak no ## ## HTML ## # Perform HTML normalisation and decryption of MS Script Encoder code. # Default: yes #ScanHTML yes ## ## Archives ## # ClamAV can scan within archives and compressed files. # Default: yes #ScanArchive yes # The options below protect your system against Denial of Service attacks # using archive bombs. # Files in archives larger than this limit won't be scanned. # Value of 0 disables the limit. # Default: 10M ArchiveMaxFileSize 100M # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR # file, all files within it will also be scanned. This options specifies how # deeply the process should be continued. # Value of 0 disables the limit. # Default: 8 ArchiveMaxRecursion 0 # Number of files to be scanned within an archive. # Value of 0 disables the limit. # Default: 1000 ArchiveMaxFiles 1500 # If a file in an archive is compressed more than ArchiveMaxCompressionRatio # times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip) # Value of 0 disables the limit. # Default: 250 #ArchiveMaxCompressionRatio 300 # Use slower but memory efficient decompression algorithm. # only affects the bzip2 decompressor. # Default: no ArchiveLimitMemoryUsage yes # Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). # Default: no #ArchiveBlockEncrypted no # Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit) # if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is # reached. # Default: no #ArchiveBlockMax no # Enable support for Sensory Networks' NodalCore hardware accelerator. # Default: no #NodalCoreAcceleration yes ## ## Clamuko settings ## WARNING: This is experimental software. It is very likely it will hang ## up your system!!! ## # Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running. # # When enabling this, you most probably have to set "User root" above, # so that clamav can access the files to be scanned. # # Default: no ClamukoScanOnAccess yes # Set access mask for Clamuko. # Default: no ClamukoScanOnOpen yes ClamukoScanOnClose yes ClamukoScanOnExec yes # Set the include paths (all files inside them will be scanned). You can have # multiple ClamukoIncludePath directives but each directory must be added # in a seperate line. # Default: disabled ClamukoIncludePath /home #ClamukoIncludePath /students ClamukoIncludePath /media ClamukoIncludePath /root # Set the exclude paths. All subdirectories are also excluded. # Default: disabled #ClamukoExcludePath /home/bofh # Don't scan files larger than ClamukoMaxFileSize # Value of 0 disables the limit. # Default: 5M #ClamukoMaxFileSize 10M -------------------------------------------------------- This e-mail, including any attachments, may be confidential, privileged or otherwise legally protected. If you have received this e-mail in error, or from someone who was not authorized to send it to you, do not disseminate, copy or otherwise use this e-mail or its attachments. Please notify the sender immediately if you have received this e-mail by mistake, and delete it from your system. _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
