> For the complete documentation index, see [llms.txt](https://docs.xygeni.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.xygeni.io/xygeni-products/code-security-cs/malware-scanner/malware-scanner-configuration.md).

# Malware Scanner Configuration

### Malware Scanner Configuration

The [**Malware Scanner**](/xygeni-products/code-security-cs/malware-scanner.md) is configured in the **YAML file** `conf/xygeni.malware.yml` :

```yaml
# Configuration for xygeni Malware evidences scanner.
# Arguments from command line have priority over properties in this file.

# Includes: list of glob patterns to include in analysis.
#
# A pattern could use ** (to match zero or more directories), * (zero or more characters
# in a directory or file name), and ? (one character).
# Examples: **/*.txt matches all files with 'txt' extension. **/test/** matches all files under any test directory.
#
# If empty, ALL files will be matched.
# The command-line argument -i or --include will be used when specified.
#
# A file is analyzed when matched by 'includes' AND NOT matched by 'excludes'.
includes: []

# Excludes: list of glob patterns to exclude from analysis.
# If empty, NO file will be excluded.
# The command-line argument -e or --exclude will be used when specified.
excludes:
  - ".git/**/*"
  - ".vscode/**/*"
  - "build/**/*"
  - "dev/**/*"
  - "**/__pycache__/**/*"
  - "**/.eggs/**/*"
  - "**/bower_components/**/*"
  - "**/integration/**/*"
  - "**/locales/**/*"
  - "**/spec/**/*"
  - "**/specs/**/*"
  - "**/test/**/*"
  - "**/tests/**/*"
  - "**/mock/**/*"
  - "**/mocks/**/*"
  - "**/node_modules/**/*"
  - "**/.xygeni.*.json"

# mode=sequential runs analyzers sequentially;
# mode=parallel runs analyzers in multiple threads, when analyzer is capable of parallel runs.
mode: sequential

# Config for reporters
report:
  - format: json
    prettyPrint: true

  - format: sarif
    prettyPrint: true

  - format: csv

    # Allowed values: kind, hash, severity, confidence, detector, file, beginLine, endLine, code, tags
    columns: [ "severity", "kind", "hash", "resource", "detector", "file", "beginLine", "endLine", "confidence", "tags" ]

    # Order specification. 'default' lists highest severe first, then by type, file and line.
    # One of 'default', 'type', 'exposure' or 'severity-confidence'. Blank for no sort
    sort: default

  - format: text

    # Allowed values: kind, hash, type, severity, confidence, detector, file, beginLine, endLine, code, tags
    columns: [ "severity", "kind", "detector", "file", "beginLine", "tags" ]

    # Order specification. 'default' lists highest severe first, then by type, file and line.
    # One of 'default', 'type', 'exposure' or 'severity-confidence'. Blank for no sort
    sort: default

    # The style for table borders.
    # One of 'full', 'none', 'outside', 'inside', 'horizontal', 'vertical', 'topbottom'.
    # Use 'default' for border that works well for the underlying OS.
    borders: full

    # The block characters to use: 'ascii' (use '+', '|', '-' and '=')
    # or 'utf8' for UTF-8 block characters.
    # Use 'default' for the encoding that works best for the underlying OS.
    bordersEncoding: utf8

# The detectors to use for detecting Malware evidences
# are configured in resource files under malware/*.yml

# List of detectors to run: IDs or severity.
# runDetectors: ['high'] will run all detectors with severity 'high' or greater.
# runDetectors: ['hidden_file_extension'] will run these.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --detectors overrides this.
runDetectors: []

# Same format as runDetectors, but for skipping the selected detectors.
# skipDetectors: ['high'] will skip all detectors with severity 'high' or lower.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --skip-detectors overrides this.
skipDetectors: []# Configuration for xygeni Malware evidences scanner.
# Arguments from command line have priority over properties in this file.

# Includes: list of glob patterns to include in analysis.
#
# A pattern could use ** (to match zero or more directories), * (zero or more characters
# in a directory or file name), and ? (one character).
# Examples: **/*.txt matches all files with 'txt' extension. **/test/** matches all files under any test directory.
#
# If empty, ALL files will be matched.
# The command-line argument -i or --include will be used when specified.
#
# A file is analyzed when matched by 'includes' AND NOT matched by 'excludes'.
includes: []

# Excludes: list of glob patterns to exclude from analysis.
# If empty, NO file will be excluded.
# The command-line argument -e or --exclude will be used when specified.
excludes:
  - ".git/**/*"
  - ".vscode/**/*"
  - "build/**/*"
  - "dev/**/*"
  - "**/__pycache__/**/*"
  - "**/.eggs/**/*"
  - "**/bower_components/**/*"
  - "**/integration/**/*"
  - "**/locales/**/*"
  - "**/spec/**/*"
  - "**/specs/**/*"
  - "**/test/**/*"
  - "**/tests/**/*"
  - "**/mock/**/*"
  - "**/mocks/**/*"
  - "**/node_modules/**/*"
  - "**/.xygeni.*.json"

# mode=sequential runs analyzers sequentially;
# mode=parallel runs analyzers in multiple threads, when analyzer is capable of parallel runs.
mode: sequential

# Config for reporters
report:
  - format: json
    prettyPrint: true

  - format: sarif
    prettyPrint: true

  - format: csv

    # Allowed values: kind, hash, severity, confidence, detector, file, beginLine, endLine, code, tags
    columns: [ "severity", "kind", "hash", "resource", "detector", "file", "beginLine", "endLine", "confidence", "tags" ]

    # Order specification. 'default' lists highest severe first, then by type, file and line.
    # One of 'default', 'type', 'exposure' or 'severity-confidence'. Blank for no sort
    sort: default

  - format: text

    # Allowed values: kind, hash, type, severity, confidence, detector, file, beginLine, endLine, code, tags
    columns: [ "severity", "kind", "detector", "file", "beginLine", "tags" ]

    # Order specification. 'default' lists highest severe first, then by type, file and line.
    # One of 'default', 'type', 'exposure' or 'severity-confidence'. Blank for no sort
    sort: default

    # The style for table borders.
    # One of 'full', 'none', 'outside', 'inside', 'horizontal', 'vertical', 'topbottom'.
    # Use 'default' for border that works well for the underlying OS.
    borders: full

    # The block characters to use: 'ascii' (use '+', '|', '-' and '=')
    # or 'utf8' for UTF-8 block characters.
    # Use 'default' for the encoding that works best for the underlying OS.
    bordersEncoding: utf8

# The detectors to use for detecting Malware evidences
# are configured in resource files under malware/*.yml

# List of detectors to run: IDs or severity.
# runDetectors: ['high'] will run all detectors with severity 'high' or greater.
# runDetectors: ['hidden_file_extension'] will run these.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --detectors overrides this.
runDetectors: []

# Same format as runDetectors, but for skipping the selected detectors.
# skipDetectors: ['high'] will skip all detectors with severity 'high' or lower.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --skip-detectors overrides this.
skipDetectors: []

```

### Malware Detectors Configuration

Detectors are configured with different YAML files located under the `conf/malware` directory of the [Xygeni scanner](/xygeni-scanner-cli/xygeni-cli-overview.md).

There is a sample `_template.yml_` file that can be used to create your own [custom detectors](/introduction-to-xygeni/customizations.md#custom_detectors).

{% hint style="info" %}
Specify a directory for custom detectors with the `--custom-detectors-dir` command-line option to prevent scanner updates from overwriting your configurations.
{% endhint %}

Please refer to the [Malware detectors](/xygeni-products/code-security-cs/malware-scanner/malware-detectors.md) documentation for more information.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.xygeni.io/xygeni-products/code-security-cs/malware-scanner/malware-scanner-configuration.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.