[BNPPFSLA-1108] Updated config file

matteo-holvoet · matteo-holvoet · commit 6af751e71416 · 2025-07-01T09:44:06.000+02:00
diff --git a/image/clamd.conf b/image/clamd.conf
@@ -11,6 +11,7 @@
 # LogFile must be writable for the user running daemon.
 # A full path is required.
 # Default: disabled
+
 LogFile /var/log/clamav/clamd.log
 
 # By default the log file is locked for writing - the lock protects against
@@ -50,7 +51,6 @@ LogTime yes
 
 # Enable verbose logging.
 # Default: no
-# Modified by Xenit
 LogVerbose yes
 
 # Enable log rotation. Always enabled when LogFileMaxSize is enabled.
@@ -70,12 +70,12 @@ LogVerbose yes
 #ExtendedDetectionInfo yes
 
 # This option allows you to save a process identifier of the listening
-# daemon (main thread).
+# daemon.
 # This file will be owned by root, as long as clamd was started by root.
 # It is recommended that the directory where this file is stored is
 # also owned by root to keep other users from tampering with it.
 # Default: disabled
-PidFile /run/lock/clamd.pid
+PidFile /run/clamav/clamd.pid
 
 # Optional path to the global temporary directory.
 # Default: system specific (usually /tmp or /var/tmp).
@@ -89,12 +89,18 @@ PidFile /run/lock/clamd.pid
 # Default: no
 #OfficialDatabaseOnly no
 
+# Return with a nonzero error code if the virus database is older than
+# the specified number of days.
+# Default: -1
+#FailIfCvdOlderThan 7
+
 # The daemon can work in local mode, network mode or both.
 # Due to security reasons we recommend the local mode.
 
 # Path to a local socket file the daemon will listen on.
 # Default: disabled (must be specified by a user)
 LocalSocket /run/clamav/clamd.sock
+#LocalSocket /tmp/clamd.sock
 
 # Sets the group ownership on the unix socket.
 # Default: disabled (the primary group of the user running clamd)
@@ -106,7 +112,7 @@ LocalSocket /run/clamav/clamd.sock
 
 # Remove stale socket after unclean shutdown.
 # Default: yes
-#FixStaleSocket yes
+#FixStaleSocket no
 
 # TCP port address.
 # Default: no
@@ -118,7 +124,7 @@ TCPSocket 3310
 # from the outside world. This option can be specified multiple
 # times if you want to listen on multiple IPs. IPv6 is now supported.
 # Default: no
-#TCPAddr 0.0.0.0
+#TCPAddr localhost
 
 # Maximum length the queue of pending connections may grow to.
 # Default: 200
@@ -131,7 +137,6 @@ TCPSocket 3310
 # Close the connection when the data size limit is exceeded.
 # The value should match your MTA's limit for a maximum attachment size.
 # Default: 100M
-# Modified by Xenit
 StreamMaxLength 2048M
 
 # Limit port range.
@@ -195,7 +200,7 @@ StreamMaxLength 2048M
 
 # Scan files and directories on other filesystems.
 # Default: yes
-#CrossFilesystems yes
+#CrossFilesystems no
 
 # Perform a database check.
 # Default: 600 (10 min)
@@ -211,12 +216,18 @@ StreamMaxLength 2048M
 # Default: yes
 #ConcurrentDatabaseReload no
 
-# Execute a command when virus is found. In the command string %v will
-# be replaced with the virus name and %f will be replaced with the file name.
-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
-# and $CLAM_VIRUSEVENT_VIRUSNAME.
+# Execute a command when virus is found.
+# Use the following environment variables to identify the file and virus names:
+# - $CLAM_VIRUSEVENT_FILENAME
+# - $CLAM_VIRUSEVENT_VIRUSNAME
+# In the command string, '%v' will also be replaced with the virus name.
+# Note: The '%f' filename format character has been disabled and will no longer
+# be replaced with the file name, due to command injection security concerns.
+# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
+# For the same reason, you should NOT use the environment variables in the
+# command directly, but should use it carefully from your executed script.
 # Default: no
-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
+#VirusEvent /opt/send_virus_alert_sms.sh
 
 # Run as another user (clamd must be started by root for this option to work)
 # Default: don't drop privileges
@@ -279,12 +290,17 @@ User clamav
 # Default: no
 #DisableCache yes
 
+# This option allows you to set the number of entries the cache can store.
+# The value should be a square number or will be rounded up to the nearest
+# square number.
+#CacheSize 65536
+
 # In some cases (eg. complex malware, exploits in graphic files, and others),
 # ClamAV uses special algorithms to detect abnormal patterns and behaviors that
 # may be malicious.  This option enables alerting on such heuristically
 # detected potential threats.
 # Default: yes
-#HeuristicAlerts yes
+#HeuristicAlerts no
 
 # Allow heuristic alerts to take precedence.
 # When enabled, if a heuristic scan (such as phishingScan) detects
@@ -362,7 +378,7 @@ User clamav
 # and Petite. If you turn off this option, the original files will still be
 # scanned, but without additional processing.
 # Default: yes
-#ScanPE yes
+#ScanPE no
 
 # Certain PE files contain an authenticode signature. By default, we check
 # the signature chain in the PE file against a database of trusted and
@@ -379,7 +395,7 @@ User clamav
 # If you turn off this option, the original files will still be scanned, but
 # without additional processing.
 # Default: yes
-#ScanELF yes
+#ScanELF no
 
 
 ##
@@ -391,31 +407,56 @@ User clamav
 # If you turn off this option, the original files will still be scanned, but
 # without additional processing.
 # Default: yes
-#ScanOLE2 yes
+#ScanOLE2 no
 
 # This option enables scanning within PDF files.
 # If you turn off this option, the original files will still be scanned, but
 # without decoding and additional processing.
 # Default: yes
-#ScanPDF yes
+#ScanPDF no
 
 # This option enables scanning within SWF files.
 # If you turn off this option, the original files will still be scanned, but
 # without decoding and additional processing.
 # Default: yes
-#ScanSWF yes
+#ScanSWF no
 
 # This option enables scanning xml-based document files supported by libclamav.
 # If you turn off this option, the original files will still be scanned, but
 # without additional processing.
 # Default: yes
-#ScanXMLDOCS yes
+#ScanXMLDOCS no
 
 # This option enables scanning of HWP3 files.
 # If you turn off this option, the original files will still be scanned, but
 # without additional processing.
 # Default: yes
-#ScanHWP3 yes
+#ScanHWP3 no
+
+# This option enables scanning of OneNote files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanOneNote no
+
+
+##
+## Other file types
+##
+
+# This option enables scanning of image (graphics).
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanImage no
+
+# This option enables detection by calculating a fuzzy hash of image (graphics)
+# files.
+# Signatures using image fuzzy hashes typically match files and documents by
+# identifying images embedded or attached to those files.
+# If you turn off this option, then some files may no longer be detected.
+# Default: yes
+#ScanImageFuzzyHash no
 
 
 ##
@@ -426,13 +467,13 @@ User clamav
 # If you turn off this option, the original files will still be scanned, but
 # without parsing individual messages/attachments.
 # Default: yes
-#ScanMail yes
+#ScanMail no
 
 # Scan RFC1341 messages split over many emails.
 # You will need to periodically clean up $TemporaryDirectory/clamav-partial
 # directory.
 # WARNING: This option may open your system to a DoS attack.
-#	   Never use it on loaded servers.
+#          Never use it on loaded servers.
 # Default: no
 #ScanPartialMessages yes
 
@@ -473,7 +514,7 @@ User clamav
 # With this option enabled the DLP module will search for valid
 # SSNs formatted as xxx-yy-zzzz
 # Default: yes
-#StructuredSSNFormatNormal yes
+#StructuredSSNFormatNormal no
 
 # With this option enabled the DLP module will search for valid
 # SSNs formatted as xxxyyzzzz
@@ -489,7 +530,7 @@ User clamav
 # Default: yes
 # If you turn off this option, the original files will still be scanned, but
 # without additional processing.
-#ScanHTML yes
+#ScanHTML no
 
 
 ##
@@ -500,7 +541,7 @@ User clamav
 # If you turn off this option, the original files will still be scanned, but
 # without unpacking and additional processing.
 # Default: yes
-#ScanArchive yes
+#ScanArchive no
 
 
 ##
@@ -527,7 +568,6 @@ User clamav
 # Note: disabling this limit or setting it too high may result in severe damage
 # to the system.
 # Default: 400M
-# Modified by Xenit
 MaxScanSize 2048M
 
 # Files larger than this limit won't be scanned. Affects the input file itself
@@ -539,7 +579,6 @@ MaxScanSize 2048M
 # Technical design limitations prevent ClamAV from scanning files greater than
 # 2 GB at this time.
 # Default: 100M
-# Modified by Xenit
 MaxFileSize 2048M
 
 # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
@@ -675,7 +714,7 @@ MaxFileSize 2048M
 #OnAccessMaxThreads 10
 
 # Max amount of time (in milliseconds) that the OnAccess client should spend
-# for every connect, send, and recieve attempt when communicating with clamd
+# for every connect, send, and receive attempt when communicating with clamd
 # via curl.
 # Default: 5000 (5 seconds)
 # OnAccessCurlTimeout 10000
@@ -774,7 +813,7 @@ MaxFileSize 2048M
 # It is highly recommended you keep this option on, otherwise you'll miss
 # detections for many new viruses.
 # Default: yes
-#Bytecode yes
+#Bytecode no
 
 # Set bytecode security level.
 # Possible values:
@@ -801,5 +840,5 @@ MaxFileSize 2048M
 
 # Set bytecode timeout in milliseconds.
 #
-# Default: 5000
-# BytecodeTimeout 1000
+# Default: 10000
+# BytecodeTimeout 1000
