Scanning Settings

Scan portable executable files - ScanPE
PE stands for Portable Executable - it is an executable file format used in all 32 and 64-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it is also required for decompression of popular executable packers such as UPX, FSG, and Petite. If you turn off this option, the original files will still be scanned, but without additional processing.
Default: yes

Disable cert check - DisableCertCheck
Certain PE files contain an authenticode signature. By default, we check the signature chain in the PE file against a database of trusted and revoked certificates if the file being scanned is marked as a virus. If any certificate in the chain validates against any trusted root, but does not match any revoked certificate, the file is marked as whitelisted. If the file does match a revoked certificate, the file is marked as virus. The following setting completely turns off authenticode verification.
Default: no

Scan ELF files - ScanELF
Executable and Linking Format is a standard format for UN*X executables. This option allows you to control the scanning of ELF files. If you turn off this option, the original files will still be scanned, but without additional processing.
Default: yes

Detect broken executables - DetectBrokenExecutables
ClamAV will try to detect broken executables (both PE and ELF) and mark them as "Broken.Executable".
Default: yes

Scan OLE2 files - ScanOLE2
Enable scanning of OLE2 files, such as Microsoft Office documents and .msi files. If you turn off this option, the original files will still be scanned, but without additional processing.
Default: yes

Block OEL2 macros - OLE2BlockMacros
Enable OLE2 files with VBA macros, which were not detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
Default: no

Scan PDFs - ScanPDF
Enable scanning within PDF files. If you turn off this option, the original files will still be scanned, but without decoding and additional processing.
Default: yes

Scan SWFs - ScanSWF
Enables scanning within SWF files. If you turn off this option, the original files will still be scanned, but without decoding and additional processing.
Default: yes

Scan mail - ScanMail
Enable internal e-mail scanner. If you turn off this option, the original files will still be scanned, but without parsing individual messages/attachments.
Default: yes

Scan partial messages - ScanPartialMessages
Scan RFC1341 messages split over many emails. You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. WARNING: This option may open your system to a DoS attack. Never use it on loaded servers.
Default: yes

Phishing signatures - PhishingSignatures
Try to detect phishing attempts by using signatures.
Default: yes

Phishing scan URLs - PhishingScanURLs
Scan URLs found in mails for phishing attempts using heuristics.
Default: yes

Phishing block SSL mismatch - PhishingAlwaysBlockSSLMismatch
Always block SSL mismatches in URLs, even if the URL is not in the database. This can lead to false positives.
Default: no

Phishing always block cloak - PhishingAlwaysBlockCloak
Always block cloaked URLs, even if URL is not in the database. This can lead to false positives.
Default: no

Partition intersection - PartitionIntersection
Detect partition intersections in raw disk images using heuristics.
Default: no

Heuristic scan precedence - HeuristicScanPrecedence
Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time. When disabled, virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish, and a real malware, the real malware will be reported. Keep this disabled if you intend to handle ".Heuristics." viruses differently from "real" malware.
Default: no

Structured data detection - StructuredDataDetection
Enable the data loss prevention module.
Default: no

Structured min credit card count - StructuredMinCreditCardCount
Set the lowest number of credit card numbers found in a file to generate a detect.
Default: 3

Structured min SSN count - StructuredMinSSNCount
Set the lowest number of social security numbers found in a file to generate a detect.
Default: 3

Structured SSN format normal - StructuredSSNFormatNormal
Search for valid SSNs formatted as xxx-yy-zzzz.
Default: yes

Structured SSN format stripped - StructuredSSNFormatStripped
Search for valid SSNs formatted as xxxyyzzzz.
Default: no

Scan HTML - ScanHTML
Perform HTML normalisation and decryption of MS Script Encoder code. If you turn off this option, the original files will still be scanned, but without additional processing.
Default: yes

Scan archive - ScanArchive
Scan within archives and compressed files. If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.
Default: yes

Archive block encrypted - ArchiveBlockEncrypted
Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
Default: no

Alert broken executables - AlertBrokenExecutables
With this option clamav will try to detect broken executables (both PE and ELF) and alert on them with the Broken.Executable heuristic signature.
Default: no

Alert encrypted - AlertEncrypted
Alert on encrypted archives and documents with heuristic signature (encrypted .zip, .7zip, .rar, .pdf).
Default: no

Alert encrypted archive - AlertEncryptedArchive
Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip, .rar).
Default: no

Alert encrypted doc - AlertEncryptedDoc
Alert on encrypted archives with heuristic signature (encrypted .pdf).
Default: no

Alert OLE2 macros - AlertOLE2Macros
With this option enabled OLE2 files containing VBA macros, which were not detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
Default: no

Alert phishing SSL mismatch - AlertPhishingSSLMismatch
Alert on SSL mismatches in URLs, even if the URL is not in the database. This can lead to false positives.
Default: no

Alert phishing cloak - AlertPhishingCloak
Alert on cloaked URLs, even if URL is not in the database. This can lead to false positives. Default: no

Alert partition intersection - AlertPartitionIntersection
Alert on raw DMG image files containing partition intersections. Default: no

Related Pages