Hi there,

On Mon, 20 Apr 2020, Tsutomu Oyamada wrote:

> There are two processes temporarily at clamd startup, is this a specification?

If I understand your English, yes.  There will be two processes (or
threads) running every time the database is being reloaded.  Each will
use about the same maximum amount of memory, although one will exit
after the reload is completed and its memory will then be released.

Please be aware of the distinction between a database update (which is
performed by freshclam) and a database reload (which is performed by
clamd itself).  A reload may take place immediately after an update if
freshclam signals clamd to reload it; if freshclam does not do so, and
that is configurable, it will take place when clamd next notices that
the database has changed (usually when it is next called upon to scan
something).

Please also be aware that if you run 'clamscan' then it will load its
own copy of the databases too, but 'clamdscan' will not - it will use
the clamd daemon to do the scanning.

> Is this going to be three or more?

Not normally, but you are at liberty to run more than one clamd
process (if you configure them correctly) and I frequently do that.
In such a case you are expected to know exactly what you are doing,
and why you are doing it, and to have enough memory.

> On my system, after booting, it is in a state of following a few seconds.
>
> ps -aux
> root      75687  100 44.2 944120 899844 ?       RN   00:00   0:27 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
> root      75856  0.0 44.0 1017852 895532 ?      SNsl 00:00   0:00 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf

The command which you gave above did not produce the output which you
claim was produced.  It would be more helpful to give a command such as

ps -aux | grep clam

so that we can see exactly what is happening.

> This was not the case on systems with a lot of memory.

You have not said how much memory is present on the system!  But for a
system running clamd you should normally expect to need more than two
GBytes because during a database update clamd will have two copies of
the databases loaded (and just a single copy of the official databases
uses about one GByte of RAM) - and of course the rest of the system
needs memory too.  You _can_ get away with using swap, but it will
slow things down dramatically.  Even if it does not need to use swap,
for just the official databases, depending on the performance of your
systems you can expect a database reload to take anywhere between some
seconds and some minutes.  In addition to the 'official' databases
from Cisco/Talos I will typically use 30 - 40 'unofficial' databases;
most of them aim to recognize spam rather than malware, but there is a
lot of overlap.

--

73,
Ged.
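
An added example, not part of the original message and not ClamAV code: a Python check that reads `ps aux` output and `/proc/meminfo` text, finds the clamd processes, and estimates whether a reload's second database copy fits in RAM, using the message's rule that both copies need about the same memory. The function names and the meminfo values are assumptions made for illustration; the two clamd lines are the ones quoted above.

```python
"""Will a clamd database reload fit in memory? (added example)"""
import os

# Constructed input: the two ps lines quoted in the message (re-joined), a
# header and a grep line, plus invented /proc/meminfo values.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root      75687  100 44.2 944120 899844 ?       RN   00:00   0:27 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
root      75856  0.0 44.0 1017852 895532 ?      SNsl 00:00   0:00 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
root      75900  0.0  0.0  12000   1100 pts/0    S+   00:01   0:00 grep clam
"""
SAMPLE_MEMINFO = "MemAvailable:   150000 kB\nSwapFree:      1048572 kB\n"

def clamd_processes(ps_text):
    """Return [(pid, rss_kb)] for processes whose executable is clamd."""
    found = []
    for line in ps_text.splitlines():
        f = line.split(None, 10)           # ps aux: 11 columns, COMMAND last
        if len(f) < 11 or not f[1].isdigit():
            continue                        # header or malformed line
        exe = os.path.basename(f[10].split()[0])
        if exe == "clamd":                  # skips clamdscan, freshclam, grep
            found.append((int(f[1]), int(f[5])))
    return found

def meminfo_kb(text):
    """Parse 'Key:   value kB' lines into {key: int}."""
    out = {}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        if rest.split():
            out[key.strip()] = int(rest.split()[0])
    return out

def reload_check(ps_text, meminfo_text):
    procs, mem = clamd_processes(ps_text), meminfo_kb(meminfo_text)
    if not procs:
        return {"state": "not-running"}
    if len(procs) > 1:
        # Either a reload is in progress or several daemons are configured.
        # RSS counts shared pages in each process, so the sum is an upper bound.
        return {"state": "reload-or-multiple", "pids": [p for p, _ in procs],
                "rss_sum_kb": sum(r for _, r in procs)}
    need = procs[0][1]                      # second copy ~ current RSS
    avail, swap = mem.get("MemAvailable", 0), mem.get("SwapFree", 0)
    verdict = ("fits-in-ram" if avail >= need else
               "needs-swap" if avail + swap >= need else "insufficient")
    return {"state": "steady", "extra_needed_kb": need, "verdict": verdict}

if __name__ == "__main__":
    print(reload_check(SAMPLE_PS, SAMPLE_MEMINFO))
```

On a live host, feed it the real output of `ps aux` and the contents of `/proc/meminfo` instead of the constructed samples.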

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

