Support intro
Sorry to hear you’re facing problems. 
The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.
If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.
Getting help
In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.
Before clicking submit: Please check if your query is already addressed via the following resources:
- Official documentation (searchable and regularly updated)
- How to topics and FAQs
- Forum search
(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).
The Basics
- Nextcloud Server version (e.g., 29.x.x):
- 31.0.8
- Operating system and version (e.g., Ubuntu 24.04):
- Ubuntu 24.04.3 LTS
- PHP version (e.g, 8.3):
- 8.3.25
- Is this the first time you’ve seen this error? (Yes / No):
Yes
- Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
Docker compose
Summary of the issue you are facing:
- ClamAV is configured to scan only files smaller than 25MB during upload, but it is currently scanning much larger files, including those up to 200MB.
- The automatic background antivirus scan for files is not functioning as expected.
Log entries
Nextcloud
Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.
{"reqId":"Og4Wox2S6GcZrTiErnyC","level":3,"time":"2025-10-10T08:37:01+00:00","remoteAddr":"192.168.0.10","user":"admin","app":"files_antivirus","method":"MOVE","url":"/remote.php/dav/uploads/admin/web-file-upload-97678a414a5d7c03/.file","message":"Infected file deleted. Win.Test.EICAR_HDB-1 File: files/e0020d97a11a50bb606d1e048d2e24fc.ocTransferId1465772416.part Account: admin","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36","version":"31.0.8.1","data":{"app":"files_antivirus"},"id":"68e8c5b56465a"}
Configuration
Nextcloud
The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):
{
"system": {
"htaccess.RewriteBase": "\/",
"memcache.local": "\\OC\\Memcache\\APCu",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"overwriteprotocol": "https",
"overwritehost": "nextcloud.mydomain.com",
"overwrite.cli.url": "https:\/\/nextcloud.mydomain.com",
"upgrade.disable-web": true,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"nextcloud.mydomain.com"
],
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "31.0.8.1",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"twofactor_enforced": "true",
"0": {
"false": "",
"true": ""
},
"twofactor_enforced_groups": [],
"twofactor_enforced_excluded_groups": [],
"maintenance": false,
"mail_smtpmode": "smtp",
"mail_smtpsecure": "ssl",
"mail_sendmailmode": "smtp",
"defaultapp": "files,photos",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtptimeout": 30,
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "465",
"mail_smtpauth": true,
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"loglevel": 2,
"app_install_overwrite": []
}
}
Explanation
Hello all,
I’m currently experiencing an issue with the “Antivirus for files” app in Nextcloud.
I’ve been attempting to resolve it on my own over the past few days, but with my limited Linux experience, I’ve reached a dead end.
On my server I have Nextcloud installed in a container with the following docker compose file: (Copied only the relevant part)
nextcloud:
image: nextcloud:latest
container_name: nextcloud_app
restart: always
volumes:
- nextcloud_data:/var/www/html
- /var/run/clamav/:/var/run/clamav
depends_on:
- ncdb
environment:
- MYSQL_HOST=ncdb
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=${DB_USER}
- MYSQL_PASSWORD=${NC_DB_PASSWORD}
- OVERWRITEPROTOCOL=https
- TZ=${TZ}
networks:
- nextcloud
As I’ve been enjoying the experience with Nextcloud, I wanted to share my instance with other family members. To improve security, I decided to enable the “Antivirus for files” app. However, I’ve encountered a few issues.
The first issue was that background scanning wasn’t working (although scan on upload was working as expected).
After making some changes, background scanning still doesn’t run automatically, but the app now picks up files and logs them under Activity in the web portal by forcing the scan with ./occ files_antivirus:background-scan -v -m 200
Now I’m facing a second issue:
Files larger than 25MB are still being scanned during upload, even though ClamAV is configured to scan only files below that size during upload. According to the configuration, larger files should be scanned only during the background scan (which as mentioned, isn’t currently functioning properly)
Configuration of the “Antivirus for files”: ./occ config:list files_antivirus
{
"apps": {
"files_antivirus": {
"av_block_unreachable": "yes",
"av_block_unscannable": "0",
"av_cmd_options": "",
"av_host": "127.0.0.1",
"av_icap_mode": "reqmod",
"av_icap_request_service": "avscan",
"av_icap_response_header": "X-Infection-Found",
"av_icap_tls": "0",
"av_infected_action": "only_log",
"av_max_file_size": "-1",
"av_mode": "socket",
"av_path": "\/usr\/bin\/clamscan",
"av_port": "3310",
"av_scan_first_bytes": "-1",
"av_socket": "\/var\/run\/clamav\/clamd.ctl",
"av_stream_max_length": "26214400",
"enabled": "yes",
"installed_version": "6.0.6",
"types": "filesystem,dav"
}
}
}
Changing the value of av_max_file_size to 26214400will allow uploading files larger than 25MB without scanning. But as I understood it should not be it’s purpose as it’s about background scan.
Config of ClamAV on the host: /etc/clamav/clamd.conf
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
#Default streammaxlength is 25M
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M
#AlertExceedsMax true
I tried to make the best out of the Nextcloud Antivirus doc and of the Clamav doc but i’m now not able to resolve it on my own.
I would appreciate any kind of help and thank you in advance for your time and effort.
Enjoy your day everyone !
