On Tue, 18 Jun 2024, Mikhail Soumar via clamav-users wrote:
> Thank you both for your responses.
> Regarding the centralized server (or just running it remotely in
> general), is there a certain limit for how many VMs a central VM
> running ClamAV can scan? I'm guessing it's a function of disk space
> on the machines to be scanned + memory/cores on the host running
> ClamAV, but are there any other things to watch out for?
If you have enough available memory for the malware database (times two
while the database is refreshed, unless you disable the option
ConcurrentDatabaseReload) plus the current file being scanned, I don't
*think* memory on the scan server will be an issue, but I haven't tried.
Depending on the connections between the VMs and the ClamAV server,
network bandwidth could also be a bottleneck.
What do you intend to scan?
A whole-disk (or partition) scan of a VM isn't as useful as you may think;
what do you do if/when you find something? With an on-access scan at
least there is some context about the file being scanned which might
allow more graceful failure or recovery.
How long do your VMs stay up? Do they store data between reboots, or
just load a shared static image and compute with data passed from and to
their clients? If the latter, does it even make sense to scan the disks
from within the VM? It might be more sensible to scan the disk image
from the host, as it doesn't need scanning every time a VM starts.
ClamAV cannot scan files bigger than 2GB, although very recently
a wrapper has been released which can scan files within larger
iso images, tar and zip files etc.
https://github.com/Cisco-Talos/clamav-large-archive-scanner
> We expect the number of VMs to grow over time, which may pose a
> problem as to how to detect that we are approaching capacity, but
> we'd also need to figure out how to test such a system at scale.
> As for the "curating our own database" option, other than the manual
> setup at the start, I assume that even with the incremental updates
> we would need to continue actively curating the database going
> forward, to avoid picking up Windows virus signatures in order to
> keep the database size at a manageable level? If we would be able to
> automate the process going forward I think it is a viable option,
> but it would be less so if we would have to devote resources to
> actively monitoring the contents of the curated database.
How much memory does Microsoft Defender use on Linux?
--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
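The "running it remotely" arrangement discussed above (VMs sending files to clamd on a central scan server over the network) is what clamd's INSTREAM command does; the following client is an added example, not code from the thread or from the ClamAV project, and it assumes a hypothetical clamd reachable via TCPSocket on the central server, with StreamMaxLength in clamd.conf capping how much one stream may carry.

```python
"""Stream bytes to a remote clamd with the INSTREAM command and parse its verdict.

Assumed deployment (hypothetical): clamd on the central scan server listens on
TCPSocket/TCPAddr and the VMs can reach it. The wire format is the clamd
protocol: null-terminated command, then <4-byte big-endian length><payload>
chunks, closed by a zero-length chunk; the reply is null-terminated in 'z' mode.
"""
import socket
import struct
from typing import Iterator, Optional, Tuple

CHUNK = 64 * 1024  # bytes per chunk; the whole stream must stay under StreamMaxLength


def instream_frames(data: bytes, chunk: int = CHUNK) -> Iterator[bytes]:
    """Yield the exact frames a client sends for one INSTREAM session."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        yield struct.pack("!I", len(part)) + part
    yield struct.pack("!I", 0)  # zero-length chunk terminates the stream


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Map a clamd reply to (status, detail).

    status is "OK", "FOUND" or "ERROR"; detail is the signature name for FOUND,
    the error text for ERROR (e.g. when StreamMaxLength is exceeded), else None.
    """
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    if text.startswith("stream: "):
        text = text[len("stream: "):]
    if text.endswith(" FOUND"):
        return "FOUND", text[:-len(" FOUND")]
    if text == "OK":
        return "OK", None
    return "ERROR", text


def scan_bytes(host: str, port: int, data: bytes, timeout: float = 60.0):
    """Send data to clamd at host:port and return the parsed verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # 'z' mode replies end with NUL
            buf = sock.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_reply(reply)
```

Note that each VM ships the file contents over the network for every scan, which is the bandwidth cost mentioned above; the signature name in the reply is whatever clamd reports for the matching entry in its database.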