Hi there,

On Mon, 21 Jun 2021, Kosala Lakshitha De Silva via clamav-users wrote:

> ... without disabling clam demon, is there a way to reduce the memory footprint?

Yes, but you're really not going to like it.

ClamAV primarily operates by scanning data for signatures. These are (more or less) regular expressions. As you know, regular expressions are written by humans in a form comprehensible to humans. But for use in the machine they're 'compiled' into a form in which it is efficient for the machine to use them.

The memory usage is roughly proportional to the number of signatures. When compiled, of course the memory used by an expression depends on the complexity of the expression, but the average for a ClamAV signature is of the order of 125 bytes, and there are *millions* of signatures in the 'official' signature database. In every daily update typically one or two hundred more are added, so the database keeps on growing and you may need to plan for that. There is always a chance that some disruptive technology may come along but you can't really bank on that.

Up to and including all the memory available, a clamd daemon will use what it needs when it loads signatures. If you have any swap space available and it runs out of memory it can use swap. If it uses swap then the performance will be terribly slow; it will still work, but I think most people would find it unacceptable.

For these reasons I use a separate server just for clamd. You won't be surprised that the server uses about a gigabyte of the available memory, just for one single clamd process. It briefly uses twice that when it reloads the database because, again for efficiency, one clamd thread can scan using the old database, while a second loads the new database. This behaviour is configurable (see e.g. "man clamd.conf") so you can tell clamd to drop the old signatures before loading the new ones but at the cost of not being able to scan during reloads. I don't do it that way because my clamd server is slow. It takes about 30 seconds to reload. If it runs on a quick machine a reload may take only a few seconds, so that may be an acceptable tradeoff.

A lot of this has been discussed in the list archives. You can run clamd with very few signatures, see for example

https://marc.info/?l=clamav-users&m=156670280401692&w=2
https://marc.info/?l=clamav-users&m=156672768005089&w=2

but of course if you have no other control over the threats, the fewer signatures you have the more likely you are to miss something.

It's easy to delve into the databases, to take a view on whether some class or classes of signatures may not be required, and to remove those you (think you) do not need. Of the official 'main' and 'daily' databases 'main' changes very infrequently, but as its name suggests 'daily' changes every day. At present it is the larger of the two, but that may change if some of the daily content gets moved to main.

If you decided to run a stripped-down daily database, you would probably need to devise a means of keeping it up to date by scripting the database update/stripping process. For other reasons you would still need to use freshclam to download the official database from the mirrors, see the very recent discussions about abuse of the servers on this list.

HTH

--
73, Ged.
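
A sketch of the stripping step discussed in the message above, added here as an example and not code from the message or from the ClamAV project. It surveys a directory of unpacked signature files (such as `sigtool --unpack` produces), copies only the chosen classes, and estimates memory from the message's rough 125-byte average; the keep-list, function names and sample files are constructed assumptions.

```python
import shutil
import tempfile
from pathlib import Path

AVG_BYTES_PER_SIG = 125   # rough per-signature average quoted in the message
METADATA = {".info"}      # unpacked-CVD metadata, not signatures

def count_signatures(path):
    """Approximation: one entry per line, skipping blank and '#' lines."""
    with open(path, "r", errors="replace") as fh:
        return sum(1 for ln in fh if ln.strip() and not ln.startswith("#"))

def survey(directory):
    """Map file extension -> entry count for the files in `directory`."""
    counts = {}
    for f in sorted(Path(directory).iterdir()):
        if f.is_file() and f.suffix and f.suffix not in METADATA:
            counts[f.suffix] = counts.get(f.suffix, 0) + count_signatures(f)
    return counts

def estimate_bytes(counts):
    """Order-of-magnitude estimate only; real usage varies per signature."""
    return sum(counts.values()) * AVG_BYTES_PER_SIG

def strip_database(unpacked_dir, out_dir, keep):
    """Copy only files whose extension is in `keep` into a separate directory.

    Returns (before, after) surveys so the lost coverage is visible.
    """
    before = survey(unpacked_dir)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for f in Path(unpacked_dir).iterdir():
        if f.is_file() and f.suffix in keep:
            shutil.copy2(f, out / f.name)
    return before, survey(out)

def demo():
    """Run on constructed files standing in for an unpacked daily database."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "unpacked")
        src.mkdir()
        (src / "daily.hdb").write_text(
            "".join(f"{i:032x}:100:Constructed.Hash.{i}\n" for i in range(6)))
        (src / "daily.ndb").write_text(
            "# constructed\nConstructed.Body.1:0:*:deadbeef\n\n"
            "Constructed.Body.2:0:*:cafebabe\n")
        (src / "daily.info").write_text("constructed metadata\n")
        before, after = strip_database(src, Path(tmp, "stripped"), {".ndb"})
        return before, after, estimate_bytes(before), estimate_bytes(after)

if __name__ == "__main__":
    print(demo())
```

The before/after surveys make explicit which signature classes were dropped, which is the coverage you give up in exchange for the memory saved.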
