Configure the ClamAV antivirus service scan settings.
```
sentinel --task=antivirus:scanning
```
| Option | Value | Default | Description |
|---|---|---|---|
| --HeuristicAlerts | <yes\|no> | yes | In some cases (e.g. complex malware, exploits in graphic files, and others) the antivirus uses special algorithms to provide accurate detection. This option enables alerting on such heuristically detected potential threats. |
| --HeuristicScanPrecedence | <yes\|no> | no | Allow a heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop the scan immediately. Recommended, saves CPU scan-time. When disabled, a virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish and real malware, the real malware will be reported. Keep this disabled if you intend to handle ".Heuristics." viruses differently from "real" malware. |
| --AlertBrokenExecutables | <yes\|no> | no | With this option ClamAV will try to detect broken executables (both PE and ELF) and alert on them with the Broken.Executable heuristic signature. |
| --AlertOLE2Macros | <yes\|no> | no | Alert on OLE2 files containing VBA macros that were not detected by signatures; such files are marked as "Heuristics.OLE2.ContainsMacros". |
| --AlertPhishingCloak | <yes\|no> | no | Alert on cloaked URLs, even if the URL is not in the database. This can lead to false positives. |
| --AlertPhishingSSLMismatch | <yes\|no> | no | Alert on SSL mismatches in URLs, even if the URL is not in the database. This can lead to false positives. |
| --AlertPartitionIntersection | <yes\|no> | no | Alert on raw DMG image files containing partition intersections. |
| --AlertEncrypted | <yes\|no> | no | Alert on encrypted archives and documents with a heuristic signature (encrypted .zip, .7zip, .rar, .pdf). |
| --AlertEncryptedArchive | <yes\|no> | no | Alert on encrypted archives with a heuristic signature (encrypted .zip, .7zip, .rar). |
| --AlertEncryptedDoc | <yes\|no> | no | Alert on encrypted archives with a heuristic signature (encrypted .pdf). |
| --ScanPE | <yes\|no> | yes | PE stands for Portable Executable - it is an executable file format used in all 32- and 64-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it is also required for decompression of popular executable packers such as UPX, FSG, and Petite. If you turn off this option, the original files will still be scanned, but without additional processing. |
| --DisableCertCheck | <yes\|no> | no | Certain PE files contain an Authenticode signature. By default, the signature chain in the PE file is checked against a database of trusted and revoked certificates if the file being scanned is marked as a virus. If any certificate in the chain validates against any trusted root but does not match any revoked certificate, the file is marked as whitelisted. If the file does match a revoked certificate, the file is marked as a virus. This setting completely turns off Authenticode verification. |
| --ScanELF | <yes\|no> | yes | Executable and Linking Format is a standard format for UN*X executables. This option allows you to control the scanning of ELF files. If you turn off this option, the original files will still be scanned, but without additional processing. |
| --ScanOLE2 | <yes\|no> | yes | Enable scanning of OLE2 files, such as Microsoft Office documents and .msi files. If you turn off this option, the original files will still be scanned, but without additional processing. |
| --ScanPDF | <yes\|no> | yes | Enable scanning within PDF files. If you turn off this option, the original files will still be scanned, but without decoding and additional processing. |
| --ScanSWF | <yes\|no> | yes | Enable scanning within SWF files. If you turn off this option, the original files will still be scanned, but without decoding and additional processing. |
| --ScanXMLDOCS | <yes\|no> | yes | Enable scanning of XML-based document files supported by libclamav. If you turn off this option, the original files will still be scanned, but without additional processing. |
| --ScanHWP3 | <yes\|no> | yes | Enable scanning of XML-based document files supported by libclamav. If you turn off this option, the original files will still be scanned, but without additional processing. |
| --ScanMail | <yes\|no> | yes | Enable the internal e-mail scanner. If you turn off this option, the original files will still be scanned, but without parsing individual messages/attachments. |
| --ScanPartialMessages | <yes\|no> | no | Scan RFC1341 messages split over many e-mails. You will need to periodically clean up the $TemporaryDirectory/clamav-partial directory. WARNING: This option may open your system to a DoS attack. Never use it on loaded servers. |
| --PhishingSignatures | <yes\|no> | yes | Try to detect phishing attempts by using signatures. |
| --PhishingScanURLs | <yes\|no> | yes | Scan URLs found in mails for phishing attempts using heuristics. |
| --StructuredDataDetection | <yes\|no> | no | Enable the data loss prevention module. |
| --StructuredMinCreditCardCount | <digit> | 3 | Set the lowest number of credit card numbers found in a file needed to generate a detection. |
| --StructuredMinSSNCount | <digit> | 3 | Set the lowest number of social security numbers found in a file needed to generate a detection. |
| --StructuredSSNFormatNormal | <yes\|no> | yes | Search for valid SSNs formatted as xxx-yy-zzzz. |
| --StructuredSSNFormatStripped | <yes\|no> | no | Search for valid SSNs formatted as xxxyyzzzz. |
| --ScanHTML | <yes\|no> | yes | Perform HTML normalisation and decryption of MS Script Encoder code. If you turn off this option, the original files will still be scanned, but without additional processing. |
| --ScanArchive | <yes\|no> | yes | Scan within archives and compressed files. If you turn off this option, the original files will still be scanned, but without unpacking and additional processing. |
| --AlertBrokenMedia | <yes\|no> | no | Alert on broken media files (JPEG, TIFF, PNG, GIF) with a Broken.Media heuristic signature. |
| --default | <yes> | | Reset all settings to their default values. |
| --default_option | <option> | | Reset a specific setting to its default value. |
| --restart | <yes> | | Restart the service after saving settings. |
```sh
# disable HeuristicAlerts
sentinel --task=antivirus:scanning --HeuristicAlerts=no --restart=yes
# reset HeuristicAlerts back to its default value
sentinel --task=antivirus:scanning --default_option=HeuristicAlerts --restart=yes
# reset all settings to their default values
sentinel --task=antivirus:scanning --default=yes --restart=yes
```
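Because `sentinel` saves settings and restarts the service in one step, a mistyped option name or a value of the wrong type is easiest to catch before the command is issued. The script below is an added example, not part of the sentinel or ClamAV documentation: it checks each `Option=Value` pair against the value types listed in the table above (every `<yes|no>` option must be `yes` or `no`, every `<digit>` option a non-negative integer) and only then assembles the command line. The option lists are transcribed from this page; the function names `validate_setting` and `build_command` are this example's own.

```shell
#!/bin/sh
# Added example: validate antivirus:scanning settings against the option
# table on this page before assembling the sentinel command line.
# Assumption: option names and value types are exactly as the table lists them.

# Options that accept <yes|no>
YESNO_OPTS="HeuristicAlerts HeuristicScanPrecedence AlertBrokenExecutables
AlertOLE2Macros AlertPhishingCloak AlertPhishingSSLMismatch
AlertPartitionIntersection AlertEncrypted AlertEncryptedArchive
AlertEncryptedDoc ScanPE DisableCertCheck ScanELF ScanOLE2 ScanPDF ScanSWF
ScanXMLDOCS ScanHWP3 ScanMail ScanPartialMessages PhishingSignatures
PhishingScanURLs StructuredDataDetection StructuredSSNFormatNormal
StructuredSSNFormatStripped ScanHTML ScanArchive AlertBrokenMedia"

# Options that accept a <digit>
DIGIT_OPTS="StructuredMinCreditCardCount StructuredMinSSNCount"

# validate_setting NAME VALUE
# Returns 0 when NAME is a known option and VALUE has the right type,
# 1 for an unknown option or a value of the wrong type.
validate_setting() {
    vs_name=$1
    vs_value=$2
    for o in $YESNO_OPTS; do
        if [ "$o" = "$vs_name" ]; then
            case $vs_value in
                yes|no) return 0 ;;
                *)      return 1 ;;
            esac
        fi
    done
    for o in $DIGIT_OPTS; do
        if [ "$o" = "$vs_name" ]; then
            case $vs_value in
                ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
                *)           return 0 ;;
            esac
        fi
    done
    return 1   # not an option of the antivirus:scanning task
}

# build_command NAME=VALUE ...
# Prints the full sentinel command (with --restart=yes appended) on stdout,
# or reports the first invalid pair on stderr and returns 1 without printing.
build_command() {
    cmd="sentinel --task=antivirus:scanning"
    for pair in "$@"; do
        name=${pair%%=*}
        value=${pair#*=}
        if ! validate_setting "$name" "$value"; then
            echo "invalid setting: $pair" >&2
            return 1
        fi
        cmd="$cmd --$name=$value"
    done
    echo "$cmd --restart=yes"
}

# Usage: a data-loss-prevention profile that raises the credit-card threshold
# and also matches SSNs written without dashes. Pipe to sh to apply it.
build_command StructuredDataDetection=yes \
              StructuredMinCreditCardCount=5 \
              StructuredSSNFormatStripped=yes
```

Run as shown, the script only prints the assembled command; replace the final call with `build_command ... | sh` once the output looks right. The reset options (`--default`, `--default_option`) are deliberately left out of the validator, since they take an option name or a bare `yes` rather than a setting value.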