[clamav-users] Limit memory usage of Clamd
G.W. Haywood
clamav at jubileegroup.co.uk
Mon Jun 21 08:36:36 UTC 2021

Hi there,

On Mon, 21 Jun 2021, Kosala Lakshitha De Silva via clamav-users wrote:
> ... without disabling clam demon, is there a way to reduce
> the memory footprint?

Yes, but you're really not going to like it.

ClamAV primarily operates by scanning data for signatures. These are
(more or less) regular expressions. As you know, regular expressions
are written by humans in a form comprehensible to humans. But for use
in the machine they're 'compiled' into a form in which it is efficient
for the machine to use them. The memory usage is roughly proportional
to the number of signatures. When compiled, of course the memory used
by an expression depends on the complexity of the expression, but the
average for a ClamAV signature is of the order of 125 bytes, and there
are *millions* of signatures in the 'official' signature database. In
every daily update typically one or two hundred more are added, so the
database keeps on growing and you may need to plan for that. There is
always a chance that some disruptive technology may come along but you
can't really bank on that.

Up to and including all the memory available, a clamd daemon will use
what it needs when it loads signatures. If you have any swap space
available and it runs out of memory it can use swap. If it uses swap
then the performance will be terribly slow; it will still work, but I
think most people would find it unacceptable.

For these reasons I use a separate server just for clamd. You won't
be surprised that the server uses about a gigabyte of the available
memory, just for one single clamd process. It briefly uses twice that
when it reloads the database because, again for efficiency, one clamd
thread can scan using the old database, while a second loads the new
database. This behaviour is configurable (see e.g. "man clamd.conf")
so you can tell clamd to drop the old signatures before loading the
new ones but at the cost of not being able to scan during reloads. I
don't do it that way because my clamd server is slow. It takes about
30 seconds to reload. If it runs on a quick machine a reload may take
only a few seconds, so that may be an acceptable tradeoff.

A lot of this has been discussed in the list archives. You can run
clamd with very few signatures, see for example
https://marc.info/?l=clamav-users&m=156670280401692&w=2
https://marc.info/?l=clamav-users&m=156672768005089&w=2
but of course if you have no other control over the threats, the fewer
signatures you have the more likely you are to miss something. It's
easy to delve into the databases, to take a view on whether some class
or classes of signatures may not be required, and to remove those you
(think you) do not need. Of the official 'main' and 'daily' databases
'main' changes very infrequently, but as its name suggests 'daily'
changes every day. At present it is the larger of the two, but that
may change if some of the daily content gets moved to main. If you
decided to run a stripped-down daily database, you would probably need
to devise a means of keeping it up to date by scripting the database
update/stripping process. For other reasons you would still need to
use freshclam to download the official database from the mirrors, see
the very recent discussions about abuse of the servers on this list.

HTH
--
73,
Ged.
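
The post suggests scripting the update/stripping process for a reduced 'daily' database; the following is an added sketch of that idea, not code from the post or from the ClamAV project. The function names, paths and the extensions dropped are assumptions chosen for illustration, and it assumes clamd's DatabaseDirectory points at the stripped directory rather than at the one freshclam writes to.

```shell
#!/bin/sh
# Added example: build a stripped-down signature set from an unpacked CVD
# and estimate its memory cost. All names and paths here are hypothetical.

BYTES_PER_SIG=125   # rough per-signature average quoted in the post

# unpack_cvd CVD WORKDIR: sigtool unpacks into the current directory,
# so CVD must be an absolute path.
unpack_cvd() {
    mkdir -p "$2" && ( cd "$2" && sigtool --unpack="$1" )
}

# strip_db SRC DST EXT...: copy SRC to DST, leaving out every file whose
# extension is listed. Which classes are safe to drop is the admin's call.
strip_db() {
    src=$1; dst=$2; shift 2
    mkdir -p "$dst" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        skip=0
        for ext in "$@"; do
            case "$f" in *."$ext") skip=1 ;; esac
        done
        [ "$skip" -eq 1 ] || cp "$f" "$dst"/ || return 1
    done
}

# count_sigs DIR: approximate signature count, treating each non-empty,
# non-comment line as one signature and skipping .info/.cfg metadata files.
count_sigs() {
    for f in "$1"/*; do
        case "$f" in *.info|*.cfg) continue ;; esac
        if [ -f "$f" ]; then cat "$f"; fi
    done | awk 'NF && !/^#/ { n++ } END { print n + 0 }'
}

# estimate_bytes DIR: signature count times the post's rough average.
estimate_bytes() {
    echo $(( $(count_sigs "$1") * BYTES_PER_SIG ))
}

# Possible run after each freshclam update (paths and the extension list
# are placeholders, not recommendations):
#   unpack_cvd /var/lib/clamav/daily.cvd /tmp/daily.full
#   estimate_bytes /tmp/daily.full
#   strip_db /tmp/daily.full /var/lib/clamav-stripped mdb msb
#   estimate_bytes /var/lib/clamav-stripped
#   clamdscan --reload
```

Comparing the two estimates before reloading shows how much each dropped class actually saves, which helps weigh the memory gain against the detection coverage given up.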