Hello all!

I have some additional questions regarding my antivirus setup, as I’m
currently not entirely confident in how it’s configured. Here’s what I’ve
done so far:

   1. *Antivirus Installation and Updates:*
   I installed the antivirus software and enabled it. As far as I
   understand, the freshclam daemon updates the antivirus database
   automatically once a day. In my case, it runs at 10 a.m., and I think this is
   OK for me.
   2. *Configuration Changes in clamd.conf:*
   I made the following changes to the clamd.conf file:
      - MaxScanSize: 50M (was 100M)
      - MaxFileSize: 10M (was 25M)
      - MaxRecursion: 8 (was 16)
      - ScanSWF: false (was true, I don't need to scan this type of file)
      - ScanHWP3: false (was true, I don't need to scan this type of file)
      - LogFileMaxSize: 10M (was 0)
      - MaxThreads: 8 (was 12)
      - MaxConnectionQueueLength: 10 (was 15)
      - IdleTimeout: 10 (was 30)
   3. Added a *whitelist of paths*:
      - ExcludePath ^/proc
      - ExcludePath ^/sys
      - ExcludePath ^/run
      - ExcludePath ^/dev
      - ExcludePath ^/snap
      - ExcludePath ^/var/lib
      - ExcludePath ^/var/ossec
      - ExcludePath ^/var/snap
      - ExcludePath \.png$
      - ExcludePath \.jpeg$
      - ExcludePath \.bmp$
      - ExcludePath \.mp3$
      - ExcludePath \.mp4$
      - ExcludePath \.log$
   4. *Scheduled Scans:*
   I plan to set up a cron job to perform weekly scans using the following
   command:

      clamdscan --fdpass --log=/var/log/clamav/clamdscan.log --move=/root/quarantine /

   5. *On-Access Scanning:*
   I decided against enabling on-access scanning because I’m concerned it
   might negatively impact the performance of our servers. This is something
   my admins are particularly worried about.

Questions:

   1. *What Should I Turn On or Turn OFF?*
   Are there any important configurations or features that I might have
   overlooked, either to enable or disable, for better performance or security?

To add more context, we need these for PCI DSS compliance.
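
An added example (not part of the original post, and not ClamAV code): a small Python audit of the ExcludePath patterns listed above against constructed sample paths, to see which files a scan would skip. It assumes the patterns act as regular-expression searches on the full path, approximated here with Python's `re`; the sample paths and function names are hypothetical.

```python
import re

# ExcludePath patterns copied from the post above.
EXCLUDE_PATHS = [
    r"^/proc", r"^/sys", r"^/run", r"^/dev", r"^/snap",
    r"^/var/lib", r"^/var/ossec", r"^/var/snap",
    r"\.png$", r"\.jpeg$", r"\.bmp$", r"\.mp3$", r"\.mp4$", r"\.log$",
]

# Constructed sample paths (not taken from any real host).
SAMPLE_PATHS = [
    "/proc/1/maps",
    "/var/lib/mysql/ibdata1",
    "/var/library/notes.txt",         # sibling name sharing the /var/lib prefix
    "/srv/www/uploads/avatar.png",
    "/srv/www/uploads/avatar.jpg",    # .jpg is not covered by \.jpeg$
    "/home/alice/report.pdf",
    "/var/log/clamav/clamdscan.log",
    "/opt/app/data.log.1",            # rotated log, does not end in .log
]

def matching_rule(path, patterns=EXCLUDE_PATHS):
    """Return the first pattern that excludes the path, or None if it is scanned."""
    for pat in patterns:
        if re.search(pat, path):
            return pat
    return None

def audit(paths, patterns=EXCLUDE_PATHS):
    """Map each path to the rule that excludes it (None means it is scanned)."""
    return {p: matching_rule(p, patterns) for p in paths}

def unanchored_prefixes(patterns=EXCLUDE_PATHS):
    """Directory rules with no trailing '/' or '$' also match sibling names."""
    return [p for p in patterns
            if p.startswith("^/") and not p.endswith(("/", "$"))]

if __name__ == "__main__":
    for path, rule in audit(SAMPLE_PATHS).items():
        print(f"{'SKIPPED' if rule else 'scanned':8} {path}  {rule or ''}")
    print("prefix rules that also match sibling names:", unanchored_prefixes())
```
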