Scanning Settings

Maximum directory depth - scan_max_depth
The maximum directory depth that the scanner will search; a value of 10-15 is recommended. (changing this may have an impact on scan performance)
Default: 15

Minimum file size - scan_min_filesize
The minimum file size in bytes for a file to be included in LMD scans. (changing this may have an impact on scan performance)
Default: 24

Maximum file size - scan_max_filesize
The maximum file size for a file to be included in LMD scans. Accepted value formats are b, k, M. When using the clamscan engine, the max_filesize will be dynamically set based on the largest known filesize from the MD5 hash signature file. (changing this may have an impact on scan performance)
Default: 2048k

Maximum byte depth - scan_hexdepth
The maximum byte depth that the scanner will search into a file's content. The default signature rules expect a depth size of at least 65536 bytes. (changing this may have an impact on scan performance)
Default: 65536

Use named pipe instead of stdin - scan_hexfifo
Use a named pipe (FIFO) instead of the default stdin for passing file content hex data; this improves performance and allows greater scanning depth. This is highly recommended and works on most systems. The hexfifo will be disabled automatically if for any reason it cannot be used successfully.
Default: 1

Maximum named pipe depth - scan_hexfifo_depth
The maximum byte depth that the scanner will search into a file's content when using a named pipe (FIFO). The improved performance allows for a greater scan depth than the default scan_hexdepth value. (changing this may have an impact on scan performance)
Default: 524288

Use ClamAV clamscan binary - scan_clamscan
If installed, use the ClamAV clamscan binary as the default scan engine, which provides improved scan performance on large file sets. The clamscan engine is used in conjunction with native ClamAV signatures updated through freshclam, along with LMD signatures, providing additional detection capabilities.
Default: 1

Tmp directory paths - scan_tmpdir_paths
Include the scanning of known temporary world-writable paths.
Default: /tmp /var/tmp /dev/shm

Allow non-root users access - scan_user_access
Allows non-root users to perform scans. This must be enabled when using mod_security2 upload scanning or if you want to allow users to perform scans. When enabled, this will populate "pub/" with user-owned quarantine, session and temporary paths to facilitate scans.
Default: 0

Process CPU scheduling priority - scan_cpunice
Process CPU scheduling (nice) priority level for scan operations. (-19 = high prio, 19 = low prio, default = 19)
Default: 19

Process IO scheduling priority - scan_ionice
Process IO scheduling (ionice) priority levels for scan operations. (0 = most favorable IO, 7 = least favorable IO)
Default: 6

CPU usage limit - scan_cpulimit
Set a hard limit on CPU usage for find and clam(d)scan processes. This requires the "cpulimit" binary to be available on the server. Values are expressed as a relative percentage * N cores on the system: an 8-core system would accept values from 0 - 800, a 12-core system would accept 0 - 1200, etc.
Default: 0

Ignore files owned by root - scan_ignore_root
By design and in common use, LMD typically only scans user space paths, so it makes sense to ignore files that are root owned. It is recommended to leave this enabled for best performance.
Default: 1

Ignore users - scan_ignore_user
Ignore specific users from scans. This option should be used with care and is not ideal for ignoring false positives. Instead, you should use one of the ignore files.
Default: empty

Ignore groups - scan_ignore_group
Ignore specific groups from scans. This option should be used with care and is not ideal for ignoring false positives. Instead, you should use one of the ignore files.
Default: empty

Find timeout - scan_find_timeout
The maximum amount of time, in seconds, that the "find" file list generation will run before it is terminated. All "find" results up to the point of termination will be fully scanned. If performing a full scan of all user paths on a large server, it is reasonable to expect the find operation may take a long time to complete and as such this feature may interfere.
Default: 0

Export filelist - scan_export_filelist
The daily cron "find" operation performed by LMD detects recently created/modified user files. This "find" operation can be especially resource intensive and it may be desirable to persist the file list results so that other applications/tasks may make use of the results. When scan_export_filelist is enabled, the most recent result set will be saved to "/usr/local/maldetect/tmp/find_results.last".
Default: 0
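
As an added example (not part of LMD or its documentation), the following Python code checks a configuration's scan_* values against the limits stated above: the nice and ionice ranges, the scan_cpulimit ceiling of 100 times the core count, the 65536-byte minimum for scan_hexdepth, and non-empty ignore lists. It assumes one name="value" assignment per line; parse, audit and SAMPLE are names introduced here, and SAMPLE is constructed.

```python
import re

# Assumed file syntax: one name="value" assignment per line, '#' starts a comment.
ASSIGN = re.compile(r'^\s*(scan_\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
# Inclusive integer ranges stated in the reference above.
RANGES = {"scan_cpunice": (-19, 19), "scan_ionice": (0, 7)}

def parse(text):
    """Return {name: value} for scan_* assignments; the last assignment wins."""
    found = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def audit(text, cores):
    """Return sorted names of settings that are out of range or need review."""
    conf, bad = parse(text), set()
    def as_int(name):
        value = conf.get(name, "")
        return int(value) if re.fullmatch(r"-?\d+", value) else None
    ranges = dict(RANGES, scan_cpulimit=(0, 100 * cores))  # percent * N cores
    for name, (low, high) in ranges.items():
        if name in conf and (as_int(name) is None or not low <= as_int(name) <= high):
            bad.add(name)
    # Default signature rules expect at least 65536 bytes of hex depth.
    if "scan_hexdepth" in conf and (as_int("scan_hexdepth") or 0) < 65536:
        bad.add("scan_hexdepth")
    # Ignoring users or groups removes their files from every scan: review these.
    bad.update(n for n in ("scan_ignore_user", "scan_ignore_group") if conf.get(n))
    return sorted(bad)

# Constructed sample, not a real server's configuration.
SAMPLE = '''
scan_hexdepth="4096"
scan_cpunice="19"
scan_ionice="9"
scan_cpulimit="900"   # an 8-core host accepts 0 - 800
scan_ignore_user="www-data"
scan_ignore_group=""
'''

if __name__ == "__main__":
    print(audit(SAMPLE, cores=8))
```

The same scan_cpulimit value passes on a 12-core host, which is why the core count is a parameter rather than a constant.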
