# cpanel-importer freshclam config.
#
# Minimal subset of /etc/freshclam.conf that the EL `clamav-update`
# package ships. We run freshclam at image build time AND at container
# start time (via entrypoint.sh when CLAMAV_REFRESH=true) so the rules
# DB is reasonably current.
#
# Anything not listed here uses the package defaults.

DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose no
LogTime yes
LogFileMaxSize 10M
Foreground yes

# NOTE: DatabaseOwner is intentionally omitted. At build time freshclam
# runs as root and we chown the DB to whp-import after the pull. At
# runtime the entrypoint is already running as UID 999 (whp-import) via
# the docker `--user 999:999` flag, so no privilege drop is needed —
# leaving DatabaseOwner set would cause freshclam to refuse to start as
# whp-import (it tries to setuid to its configured DatabaseOwner before
# accepting the running uid is already that user).

# Mainline ClamAV signatures.
DatabaseMirror database.clamav.net

# Bound the SaneSecurity refresh attempts. SaneSecurity rules are
# secondary defense for us; the mainline ClamAV DB is the primary.
Checks 12
ConnectTimeout 30
ReceiveTimeout 60

# Skip the bytecode signatures — they target binary malware and add ~30
# MB to the rules DB with limited payoff against PHP webshells.
# (Comment out the next line to re-enable.)
Bytecode no

# Proxy support left at compile-time defaults (none). To enable, set
# HTTPProxyServer and HTTPProxyPort. We deliberately do
# NOT emit empty values for these — freshclam rejects empty option
# values with "Missing argument for option" and refuses to start.
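
# Added example (not part of the original config or the project's own
# code): a pre-flight check an entrypoint could run before freshclam,
# covering the two failure modes noted above, an option with an empty
# value and DatabaseOwner set while running as a non-root uid. The
# function names are hypothetical.

```sh
#!/bin/sh
# Pre-flight checks for a freshclam.conf (added example; hypothetical names).

# Print "line N: Option" for every directive that carries no value.
# The config comments note freshclam rejects these with
# "Missing argument for option".
find_empty_options() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        NF == 1 { printf "line %d: %s\n", NR, $1 }
    ' "$1"
}

# Succeed (exit 0) if the config sets DatabaseOwner to some value.
has_database_owner() {
    grep -Eq '^[[:space:]]*DatabaseOwner[[:space:]]+[^[:space:]]' "$1"
}

# Emit proxy directives only when both values are non-empty, so an unset
# variable never turns into an empty option value. $1 = host, $2 = port.
emit_proxy_lines() {
    [ -n "$1" ] && [ -n "$2" ] || return 0
    printf 'HTTPProxyServer %s\nHTTPProxyPort %s\n' "$1" "$2"
}

# Full check: $1 = config path, $2 = uid freshclam will run as.
# Returns 0 when neither failure mode is present, 1 otherwise.
lint_freshclam_conf() {
    conf=$1 uid=$2 rc=0
    empties=$(find_empty_options "$conf")
    if [ -n "$empties" ]; then
        echo "empty option value(s): $empties" >&2
        rc=1
    fi
    # Only a non-root run trips over DatabaseOwner; the root build-time
    # run is expected to be able to drop privileges.
    if [ "$uid" != 0 ] && has_database_owner "$conf"; then
        echo "DatabaseOwner set while running as uid $uid" >&2
        rc=1
    fi
    return "$rc"
}

# Usage in an entrypoint:
#   lint_freshclam_conf /etc/freshclam.conf "$(id -u)" || exit 1
```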