Mailing List Archive

[clamav-users] about clamd boot sequence on Linux system.
Hi, all.

Let me know about the clamd process boot sequence on Linux.
There are two processes temporarily at clamd startup, is this a specification? Is this going to be three or more?
On my system, after booting, it is in the following state for a few seconds.

ps -aux
root 75687 100 44.2 944120 899844 ? RN 00:00 0:27 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
root 75856 0.0 44.0 1017852 895532 ? SNsl 00:00 0:00 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf

This was not the case on systems with a lot of memory.

Best regards,
T.O



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] about clamd boot sequence on Linux system.
Hi there,

On Mon, 20 Apr 2020, Tsutomu Oyamada wrote:

> There are two processes temporarily at clamd startup, is this a specification?

If I understand your English, yes. There will be two processes (or
threads) running every time the database is being reloaded. Each will
use about the same maximum amount of memory, although one will exit
after the reload is completed and its memory will then be released.

Please be aware of the distinction between a database update (which is
performed by freshclam) and a database reload (which is performed by
clamd itself). A reload may take place immediately after an update if
freshclam signals clamd to reload it; if freshclam does not do so, and
that is configurable, it will take place when clamd next notices that
the database has changed (usually when it is next called upon to scan
something).

Please also be aware that if you run 'clamscan' then it will load its
own copy of the databases too, but 'clamdscan' will not - it will use
the clamd daemon to do the scanning.

> Is this going to be three or more?

Not normally, but you are at liberty to run more than one clamd
process (if you configure them correctly) and I frequently do that.
In such a case you are expected to know exactly what you are doing,
and why you are doing it, and to have enough memory.

> On my system, after booting, it is in a state of following a few seconds.
>
> ps -aux
> root 75687 100 44.2 944120 899844 ? RN 00:00 0:27 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
> root 75856 0.0 44.0 1017852 895532 ? SNsl 00:00 0:00 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf

The command which you gave above did not produce the output which you
claim was produced. It would be more helpful to give a command such as

ps -aux | grep clam

So that we can see exactly what is happening.

> This was not the case on systems with a lot of memory.

You have not said how much memory is present on the system! But for a
system running clamd you should normally expect to need more than two
GBytes because during a database update clamd will have two copies of
the databases loaded (and just a single copy of the official databases
uses about one GByte of RAM) - and of course the rest of the system
needs memory too. You _can_ get away with using swap, but it will
slow things down dramatically. Even if it does not need to use swap,
for just the official databases, depending on the performance of your
systems you can expect a database reload to take anywhere between some
seconds and some minutes. In addition to the 'official' databases
from Cisco/Talos I will typically use 30 - 40 'unofficial' databases;
most of them aim to recognize spam rather than malware, but there is a
lot of overlap.

--

73,
Ged.
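
The memory arithmetic from the reply above, as an added example that is not part of the original thread or of ClamAV: it parses `ps aux`-format text, counts clamd processes, and estimates reload headroom as total memory minus twice the largest clamd RSS. The function names and the 2 GiB memory total are assumptions; the sample lines are constructed from the ps output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): estimate clamd reload headroom
# from `ps aux`-format text.

# Constructed sample: the two clamd lines quoted in the thread plus a
# header and one unrelated process.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 75687 100 44.2 944120 899844 ? RN 00:00 0:27 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
root 75856 0.0 44.0 1017852 895532 ? SNsl 00:00 0:00 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
root 812 0.0 0.1 12345 2048 ? Ss 00:00 0:00 /usr/sbin/sshd -D'

# clamd_summary (hypothetical helper): reads ps aux text on stdin and
# prints "<process count> <summed RSS KiB> <largest RSS KiB>".
# Matching on the basename of field 11 skips clamdscan, freshclam and
# the grep process that a plain "grep clam" would also list.
clamd_summary() {
    awk '{
        n = split($11, p, "/")
        if (p[n] == "clamd") { c++; rss += $6; if ($6 > max) max = $6 }
    }
    END { printf "%d %d %d\n", c, rss, max }'
}

# reload_headroom_kib (hypothetical helper): $1 is total memory in KiB.
# Per the reply, a reload holds two copies of the databases, so peak
# need is taken as twice the largest clamd RSS. RSS counts shared pages
# in every process that maps them, so the summed RSS is an upper bound.
reload_headroom_kib() {
    mem_total_kib=$1
    set -- $(clamd_summary)
    echo $(( mem_total_kib - 2 * $3 ))
}

# Demo on the constructed sample with an assumed 2 GiB (2097152 KiB) host.
printf '%s\n' "$SAMPLE_PS" | clamd_summary
printf '%s\n' "$SAMPLE_PS" | reload_headroom_kib 2097152

# On a live Linux host:
#   ps aux | reload_headroom_kib "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)"
```

A small or negative result means a reload will push the host into swap, which is the slowdown the reply describes.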

Re: [clamav-users] about clamd boot sequence on Linux system.
Hi,

Thank you for your reply.
I'm sorry for the slow reply.

I understood that there were two processes when clamd was started. In
addition, since the DB load time of clamd varies depending on the amount
of memory installed in the system, the existence time of the two
processes varies depending on the system.

If the clamd process is using an official CVD file, it will require 2GB
or more of the system's memory.

Thank you so much.

Best regards,
T.O.

On Mon, 20 Apr 2020 14:21:00 +0100 (BST)
"G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Mon, 20 Apr 2020, Tsutomu Oyamada wrote:
>
> > There are two processes temporarily at clamd startup, is this a specification?
>
> If I understand your English, yes. There will be two processes (or
> threads) running every time the database is being reloaded. Each will
> use about the same maximum amount of memory, although one will exit
> after the reload is completed and its memory will then be released.
>
> Please be aware of the distinction between a database update (which is
> performed by freshclam) and a database reload (which is performed by
> clamd itself). A reload may take place immediately after an update if
> freshclam signals clamd to reload it; if freshclam does not do so, and
> that is configurable, it will take place when clamd next notices that
> the database has changed (usually when it is next called upon to scan
> something).
>
> Please also be aware that if you run 'clamscan' then it will load its
> own copy of the databases too, but 'clamdscan' will not - it will use
> the clamd daemon to do the scanning.
>
> > Is this going to be three or more?
>
> Not normally, but you are at liberty to run more than one clamd
> process (if you configure them correctly) and I frequently do that.
> In such a case you are expected to know exactly what you are doing,
> and why you are doing it, and to have enough memory.
>
> > On my system, after booting, it is in a state of following a few seconds.
> >
> > ps -aux
> > root 75687 100 44.2 944120 899844 ? RN 00:00 0:27 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
> > root 75856 0.0 44.0 1017852 895532 ? SNsl 00:00 0:00 /usr/lib/clamav/clamd --config-file=/etc/clamav/clamd.conf
>
> The command which you gave above did not produce the output which you
> claim was produced. It would be more helpful to give a command such as
>
> ps -aux | grep clam
>
> So that we can see exactly what is happening.
>
> > This was not the case on systems with a lot of memory.
>
> You have not said how much memory is present on the system! But for a
> system running clamd you should normally expect to need more than two
> GBytes because during a database update clamd will have two copies of
> the databases loaded (and just a single copy of the official databases
> uses about one GByte of RAM) - and of course the rest of the system
> needs memory too. You _can_ get away with using swap, but it will
> slow things down dramatically. Even if it does not need to use swap,
> for just the official databases, depending on the performance of your
> systems you can expect a database reload to take anywhere between some
> seconds and some minutes. In addition to the 'official' databases
> from Cisco/Talos I will typically use 30 - 40 'unofficial' databases;
> most of them aim to recognize spam rather than malware, but there is a
> lot of overlap.
>
> --
> 73,
> Ged.


