Hash type - scan_hashtype
The hash algorithm for file-hash signature matching (stage 1). Controls which hash-based signatures are checked during
scans.
auto - use SHA-256 if CPU has hardware acceleration, else MD5 (recommended)
sha256 - always use SHA-256 (requires sha256sum binary)
md5 - always use MD5 (preserves performance on older CPUs without SHA-NI)
both - run both MD5 and SHA-256 stages (maximum coverage, ~2x stage 1 time)
Default: auto
Workers - scan_workers
The number of parallel workers for native scan passes (MD5, SHA-256, HEX, and CSIG). Auto-detection uses 2 workers per
CPU core, up to 8.
Default: auto
Use ClamAV - scan_clamscan
Use ClamAV clamscan as the scan engine for improved performance on large file sets. ClamAV also handles YARA rule
evaluation when native YARA scanning is not enabled. When set to "auto", LMD detects the clamscan binary at runtime and
enables ClamAV scanning only if available.
Default: auto
Use YARA - scan_yara
Enable native YARA scanning via the yara binary (or yr from YARA-X). Supports YARA modules, compiled rules, and custom
rule files that ClamAV cannot handle. When set to "auto", LMD enables native YARA scanning only when ClamAV is
unavailable and a yara/yr binary is found — this prevents duplicate rule evaluation since ClamAV already processes YARA
rules internally. To force native YARA alongside ClamAV, set to "1" and use scan_yara_scope to control which rules each
engine handles.
Default: auto
YARA scope - scan_yara_scope
Controls which YARA rules the native YARA engine processes when both ClamAV and native YARA are enabled
(scan_clamscan=1, scan_yara=1). This prevents double-scanning: ClamAV already evaluates YARA rules from rfxn.yara, so by
default native YARA only processes custom rules that ClamAV cannot handle (modules, compiled rules, custom.yara.d/).
all - scan all YARA rules natively (duplicates ClamAV YARA coverage)
custom - only scan custom.yara + custom.yara.d/ natively (recommended).
When ClamAV is disabled, this setting is ignored and all rules are scanned natively regardless of scope.
Default: custom
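The interaction of scan_clamscan, scan_yara and scan_yara_scope described above, as an added example that is not LMD's own code. The `resolve_engines` function and its `have_clam` / `have_yara` inputs are hypothetical, and treating an option forced to "1" without its binary as off is an assumption.

```sh
#!/bin/sh
# Added example, not LMD code: models the engine selection this reference
# describes for scan_clamscan, scan_yara and scan_yara_scope.
# have_clam / have_yara are hypothetical inputs: 1 if the clamscan or
# yara/yr binary is present on the host, 0 if not.
# Assumption: an option forced to "1" without its binary resolves to off.

resolve_engines() {  # $1=scan_clamscan $2=scan_yara $3=scan_yara_scope $4=have_clam $5=have_yara
    # scan_clamscan: "auto" enables ClamAV only if clamscan is available.
    case $1 in
        auto|1) clam=$4 ;;
        *)      clam=0 ;;
    esac

    # scan_yara: "auto" enables native YARA only when ClamAV is unavailable
    # and a yara/yr binary is found; "1" forces it alongside ClamAV.
    case $2 in
        auto) if [ "$clam" = 0 ]; then native=$5; else native=0; fi ;;
        1)    native=$5 ;;
        *)    native=0 ;;
    esac

    # scan_yara_scope only matters when both engines run; with ClamAV
    # disabled it is ignored and all rules are scanned natively.
    if [ "$native" = 0 ]; then rules=none
    elif [ "$clam" = 0 ]; then rules=all
    elif [ "$3" = all ]; then rules=all
    else rules=custom
    fi

    # ClamAV evaluates the rfxn.yara rules itself, so native "all" on top
    # of ClamAV means those rules are evaluated twice.
    dup=0
    if [ "$clam" = 1 ] && [ "$rules" = all ]; then dup=1; fi

    echo "clamav=$clam native_yara=$rules duplicate_yara=$dup"
}

# Constructed cases: defaults with and without clamscan, then forced native YARA.
resolve_engines auto auto custom 1 1
resolve_engines auto auto custom 0 1
resolve_engines 1    1    custom 1 1
resolve_engines 1    1    all    1 1
```

With both options left at auto on a host that has clamscan, native YARA stays off, so the modules, compiled rules and custom rule files that only native YARA supports are not scanned natively until scan_yara is set to 1.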
YARA timeout - scan_yara_timeout
The timeout in seconds for YARA scan invocations. Set to 0 for no timeout.
Default: 300
Use compound signature scanning - scan_csig
Enable compound signature (csig) scanning. Compound signatures support multi-pattern boolean logic (AND/OR/threshold),
case-insensitive matching, wide (UTF-16LE) matching, and bounded gap wildcards. csig scanning runs in native mode only
(not with ClamAV).
Default: 1
User access - scan_user_access
Allows non-root users to perform scans. This must be enabled when using mod_security2 upload scanning or if you want to
allow users to perform scans. When enabled, this will populate "pub/" with user owned quarantine, session and temporary
paths to facilitate scans.
Default: 0
User access min UID - scan_user_access_minuid
The minimum UID for users when creating per-user scan directories with --mkpubpaths. Users with UID below this value are
skipped.
Default: 10000
Maximum directory depth - scan_max_depth
The maximum directory depth that the scanner will search. A value of 10-15 is recommended. (changing this may have an
impact on scan performance)
Default: 15
Minimum file size - scan_min_filesize
The minimum file size in bytes for a file to be included in LMD scans. (changing this may have an impact on scan
performance)
Default: 24
Maximum file size - scan_max_filesize
The maximum file size for a file to be included in LMD scans. Accepted value formats are b, k, M. When using the
clamscan engine, the max_filesize will be dynamically set based on the largest known filesize from the MD5 hash
signature file. (changing this may have an impact on scan performance)
Default: 2048k
Hex depth - scan_hexdepth
The maximum byte depth that the scanner will search into a file's content. The default signature rules expect a depth
size of at least 262144 bytes. (changing this may have an impact on scan performance)
Default: 262144
Hex chunk size - scan_hex_chunk_size
The maximum number of files processed per micro-batch during HEX+CSIG scanning. Valid range: 1024-20480. Values outside
this range are clamped with a logged warning. To increase throughput, raise scan_workers instead. To reduce disk usage,
lower scan_hexdepth instead. (changing this may have an impact on scan performance)
Default: 10240
Process CPU scheduling priority - scan_cpunice
Process CPU scheduling (nice) priority level for scan operations. (-19 = high prio, 19 = low prio, default = 19)
Default: 19
Process IO scheduling priority - scan_ionice
Process IO scheduling (ionice) priority levels for scan operations. (0 = most favorable IO, 7 = least favorable IO)
Default: 6
CPU limit - scan_cpulimit
Set hard limit on CPU usage for find and clam(d)scan processes. This requires the "cpulimit" binary to be available on
the server. The values are expressed as a relative percentage * N cores on the system. An 8 CPU core system would accept
values from 0 - 800, a 12 core system would accept 0 - 1200, etc.
Default: 0
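A pre-flight check that resolves the "auto" values and range rules documented for scan_hashtype, scan_workers, scan_hex_chunk_size and scan_cpulimit on a given host. This is an added example, not LMD's own code. The function names are hypothetical, and detecting hardware acceleration through the x86 `sha_ni` CPU flag is an assumption about how "auto" decides.

```sh
#!/bin/sh
# Added example, not LMD code: resolve the documented "auto" defaults and
# range rules for a given host. Host inputs (core count, CPU flags) are
# passed in; on Linux they could come from `nproc` and /proc/cpuinfo.

# scan_hashtype: auto picks sha256 with hardware acceleration, else md5.
# Assumption: acceleration is detected via the x86 "sha_ni" CPU flag.
effective_hashtype() {   # $1=scan_hashtype  $2=CPU flags
    case $1 in
        auto) case " $2 " in *" sha_ni "*) echo sha256 ;; *) echo md5 ;; esac ;;
        sha256|md5|both) echo "$1" ;;
        *) echo invalid ;;
    esac
}

# scan_workers: auto is 2 workers per CPU core, up to 8.
effective_workers() {    # $1=scan_workers  $2=cores
    if [ "$1" != auto ]; then echo "$1"; return; fi
    w=$(( $2 * 2 ))
    if [ "$w" -gt 8 ]; then w=8; fi
    echo "$w"
}

# scan_hex_chunk_size: values outside 1024-20480 are clamped.
effective_chunk() {      # $1=scan_hex_chunk_size
    if   [ "$1" -lt 1024 ];  then echo 1024
    elif [ "$1" -gt 20480 ]; then echo 20480
    else echo "$1"; fi
}

# scan_cpulimit: percentage * cores, so the ceiling is 100 per core.
cpulimit_in_range() {    # $1=scan_cpulimit  $2=cores
    [ "$1" -ge 0 ] && [ "$1" -le $(( $2 * 100 )) ]
}

# Resolve one constructed host profile into a single summary line.
summarize() {            # $1=hashtype $2=workers $3=chunk $4=cpulimit $5=cores $6=flags
    if cpulimit_in_range "$4" "$5"; then cl=ok; else cl=out-of-range; fi
    echo "hash=$(effective_hashtype "$1" "$6") workers=$(effective_workers "$2" "$5")" \
         "chunk=$(effective_chunk "$3") cpulimit=$cl"
}

# Constructed hosts: 2 cores without SHA-NI, 16 cores with SHA-NI.
summarize auto auto 10240 0    2  "fpu sse2 aes"
summarize auto auto 50000 2000 16 "fpu sse2 aes sha_ni"
```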
Ignore files owned by root - scan_ignore_root
By design and in its common use case, LMD typically scans only user space paths, so it makes sense to ignore files
that are root owned. It is recommended to leave this enabled for best performance.
Default: 1
Ignore users - scan_ignore_user
Ignore specific users from scans. This option should be used with care and is not ideal for ignoring false positives.
Instead, you should use one of the ignore files.
Default: empty
Ignore groups - scan_ignore_group
Ignore specific groups from scans. This option should be used with care and is not ideal for ignoring false positives.
Instead, you should use one of the ignore files.
Default: empty
Find timeout - scan_find_timeout
The maximum amount of time, in seconds, that the "find" file list generation will run before it is terminated. All
"find" results up to the point of termination will be fully scanned. If performing a full scan of all user paths on a
large server, it is reasonable to expect the find operation may take a long time to complete and as such this feature
may interfere.
Default: 0
Export filelist - scan_export_filelist
The daily cron "find" operation performed by LMD detects recently created/modified user files. This "find" operation can
be especially resource intensive and it may be desirable to persist the file list results so that other
applications/tasks may make use of the results. When scan_export_filelist is enabled, the most recent result set will be
saved to "/usr/local/maldetect/tmp/find_results.last".
Default: 0
Tmp directory paths - scan_tmpdir_paths
Include the scanning of known temporary world-writable paths.
Default: /tmp /var/tmp /dev/shm