Hi there, On Mon, 20 Apr 2020, Tsutomu Oyamada wrote:
There are two processes temporarily at clamd startup, is this a specification?
If I understand your English, yes. There will be two processes (or threads) running every time the database is being reloaded. Each will use about the same maximum amount of memory, although one will exit after the reload is completed and its memory will then be released. Please be aware of the distinction between a database update (which is performed by freshclam) and a database reload (which is performed by clamd itself). A reload may take place immediately after an update if freshclam signals clamd to reload it; if freshclam does not do so, and that is configurable, it will take place when clamd next notices that the database has changed (usually when it is next called upon to scan something). Please also be aware that if you run 'clamscan' then it will load its own copy of the databases too, but 'clamdscan' will not - it will use the clamd daemon to do the scanning.
Is this going to be three or more?
Not normally, but you are at liberty to run more than one clamd process (if you configure them correctly) and I frequently do that. In such a case you are expected to know exactly what you are doing, and why you are doing it, and to have enough memory.
On my system, after booting, it is in a state of following a few seconds. ps -aux root 75687 100 44.2 944120 899844 ? RN 00:00 0:27 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf root 75856 0.0 44.0 1017852 895532 ? SNsl 00:00 0:00 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
The command which you gave above did not produce the output which you claim was produced. It would be more helpful to give a command such as ps -aux | grep clam So that we can see exactly what is happening.
This was not the case on systems with a lot of memory.
You have not said how much memory is present on the system! But for a system running clamd you should normally expect to need more than two GBytes because during a database update clamd will have two copies of the databases loaded (and just a single copy of the official databases uses about one GByte of RAM) - and of course the rest of the system needs memory too. You _can_ get away with using swap, but it will slow things down dramatically. Even if it does not need to use swap, for just the official databases, depending on the performance of your systems you can expect a database reload to take anywhere between some seconds and some minutes. In addition to the 'official' databases from Cisco/Talos I will typically use 30 - 40 'unofficial' databases; most of them aim to recognize spam rather than malware, but there is a lot of overlap. -- 73, Ged. _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml