On the central server, I'm not sure what the limits are. Our server is busy 24x7 and we've got a couple of hundred hosts pointed at it.

Jon Schewe
Principal Software Systems Technologist
C: +1 612.263.2718
O: +1 952.545.5720
jon.sch...@rtx.com
RTX BBN Technologies
5775 Wayzata Blvd. Suite 630
St. Louis Park, MN 55416

________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Mikhail Soumar via clamav-users <clamav-users@lists.clamav.net>
Sent: Tuesday, June 18, 2024 1:46 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Mikhail Soumar <msou...@microsoft.com>
Subject: Re: [clamav-users] [External] Re: Question on ClamAV memory usage with respect to the signature database

Thank you both for your responses.

Regarding the centralized server (or just running it remotely in general), is there a certain limit for how many VMs a central VM running ClamAV can scan? I’m guessing it’s a function of disk space on the machines to be scanned + memory/cores on the host running ClamAV, but are there any other things to watch out for? We expect the number of VMs to grow over time, which may pose a problem as to how to detect that we are approaching capacity, but we’d also need to figure out how to test such a system at scale.

As for the “curating our own database” option, other than the manual setup at the start, I assume that even with the incremental updates we would need to continue actively curating the database going forward, to avoid picking up Windows virus signatures in order to keep the database size at a manageable level? If we would be able to automate the process going forward I think it is a viable option, but it would be less so if we would have to devote resources to actively monitoring the contents of the curated database.

From: clamav-users <clamav-users-boun...@lists.clamav.net> On Behalf Of Schewe, Jon P RTX via clamav-users
Sent: Tuesday, June 18, 2024 10:07 AM
To: Mikhail Soumar via clamav-users <clamav-users@lists.clamav.net>
Cc: Schewe, Jon P RTX <jon.sch...@rtx.com>
Subject: Re: [clamav-users] [External] Re: Question on ClamAV memory usage with respect to the signature database

Another option is to use a centralized scanning server. We've done that for our hosts. That central host has lots of memory and cores and the individual systems don't need nearly as many resources.

https://www.libellux.com/clamav/ has some notes about this.

Jon Schewe
Principal Software Systems Technologist
C: +1 612.263.2718
O: +1 952.545.5720
jon.sch...@rtx.com
RTX BBN Technologies
5775 Wayzata Blvd. Suite 630
St. Louis Park, MN 55416

________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Andrew C Aitchison via clamav-users <clamav-users@lists.clamav.net>
Sent: Tuesday, June 18, 2024 1:37 AM
To: Mikhail Soumar via clamav-users <clamav-users@lists.clamav.net>
Cc: Andrew C Aitchison <cla...@aitchison.me.uk>
Subject: [External] Re: [clamav-users] Question on ClamAV memory usage with respect to the signature database

On Tue, 18 Jun 2024, Mikhail Soumar via clamav-users wrote:

> We are a team from Microsoft Azure running ClamAV on small Linux
> VMs, and due to business and cost reasons we cannot use larger
> VMs. Peak memory usage of ClamAV is between 1.2GB and 1.5GB, which
> is unsustainable on our VMs, and we are looking for ways to reduce
> this. There are some tips to reduce memory usage in the Docker
> section of the documentation (Docker - ClamAV Documentation
> <https://docs.clamav.net/manual/Installing/Docker.html#memory-ram-requirements>)
> although if I understand correctly the 1.2GB load is unavoidable
> even with the suggestions listed on this page.
>
> We have been told that one possibility is to remove all virus
> signatures that are Windows-specific, which would reduce the memory
> footprint to about 300 MB. Elsewhere on the ClamAV FAQ I see a few
> different ways to add signatures to the database but none about
> taking a subset. Would this be something you support or recommend
> for our use case? If not, are there alternatives we can consider to
> reduce the memory footprint of ClamAV well below 1.2GB?

ClamAV has never caught a Linux virus for me, so I don't know whether it makes sense to run ClamAV without the Windows data.

Do you have the resources to curate a custom database, bearing in mind that the standard dbs are updated daily? (freshclam and cvdupdate do work with the cdiff incremental updates, so at least you would not have to remove the same signatures from the database every day.)

I don't know how viable this is, but you do not have to run the ClamAV daemon on every VM; you can use a remote daemon and pass files to be scanned with clamdscan. This would also save you more than 10 seconds at startup.

How much memory does Microsoft Defender use on Linux?

--
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
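
On the question in the thread of how to tell that a central clamd host is approaching capacity, here is one way to watch it, as an added example that is not part of the original messages or of the ClamAV project's code. It polls clamd's STATS command over the TCP socket and flags thread and queue saturation; the thresholds, the function names and the sample reply are assumptions, and the clamd man page notes that the STATS reply format may change between releases.

```python
import re
import socket

# Constructed sample reply, modelled on clamd's STATS output (not captured from a real server).
SAMPLE_STATS = (
    "POOLS: 1\n\n"
    "STATE: VALID PRIMARY\n"
    "THREADS: live 12  idle 1 max 12 idle-timeout 30\n"
    "QUEUE: 37 items\n"
    "\tSTATS 0.000045 \n\n"
    "MEMSTATS: heap 3.656M mmap 0.129M used 3.235M free 0.421M "
    "releasable 0.125M pools 1 pools_used 1210.500M pools_total 1210.520M\n"
    "END\n"
)

def fetch_stats(host, port=3310, timeout=5.0):
    """Send the null-terminated STATS command to clamd's TCP socket and read up to END."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"zSTATS\0")
        buf = b""
        while not buf.rstrip(b"\0\n").endswith(b"END"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("ascii", "replace")

def parse_stats(text):
    """Extract thread, queue and signature-pool figures (first pool only) from a STATS reply."""
    t = re.search(r"THREADS:\s+live\s+(\d+)\s+idle\s+(\d+)\s+max\s+(\d+)", text)
    q = re.search(r"QUEUE:\s+(\d+)\s+items", text)
    m = re.search(r"pools_used\s+([\d.]+)M", text)
    if not (t and q and m):
        raise ValueError("unrecognised STATS reply")
    live, idle, max_threads = map(int, t.groups())
    return {"busy": live - idle, "max_threads": max_threads,
            "queued": int(q.group(1)), "pools_used_mb": float(m.group(1))}

def capacity_alerts(stats, busy_ratio=0.8, max_queue=100, queue_ratio=0.5):
    """Return the saturated resources; set max_queue to the server's MaxQueue (assumed thresholds)."""
    alerts = []
    if stats["busy"] >= busy_ratio * stats["max_threads"]:
        alerts.append("threads")
    if stats["queued"] >= queue_ratio * max_queue:
        alerts.append("queue")
    return alerts

if __name__ == "__main__":
    print(capacity_alerts(parse_stats(SAMPLE_STATS)))
```

clamd's TCP socket has no authentication or encryption, so the port this polls should be reachable only from the scanning and monitoring hosts.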