Is it safe to disable clamd?

All of the other answers for some reason seem to assume that clamd actually scans your system automatically. In reality, clamd does not scan your system on its own. All it does is wait for another process to ask it to scan the system, and thus doesn't do much more than speed up the "clamscan" procedure (since it doesn't have to reload virus definitions on each scan). If you are running a mail or file sharing server and want to scan files as they are passed through, this can be a highly useful optimization. However, if you are like me and simply want to make sure nobody's trying to host Windows malware on your server with a once-daily cronjob scan, clamd is largely unnecessary.

I realize that this is three years old, but it comes in the first few entries when someone searches "what's the point of clamd", "is it safe to turn off clamd" and the like.
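The point above is that clamd only does work when some other process asks it to. Before disabling it, it is worth checking whether anything on the box actually does ask. The script below is an added example, not code from the original answer: it reads the listening endpoints out of clamd.conf, pings the daemon over the protocol clamd itself speaks (a NUL-terminated "zPING", answered with "PONG"), and lists processes and config files that reference the socket. It assumes a Debian-style /etc/clamav/clamd.conf, iproute2's `ss`, and `socat` for the ping; the paths are illustrative.

```shell
#!/bin/sh
# Added example (not from the original answer): is anything using clamd?
# If nothing connects to its socket and no other service's config points
# at it, the daemon is only holding memory while waiting for requests.
# Assumptions: /etc/clamav/clamd.conf layout, `ss` from iproute2, `socat`.

CLAMD_CONF="${CLAMD_CONF:-/etc/clamav/clamd.conf}"

# Print the listening endpoints configured in clamd.conf, one per line,
# as KEY=VALUE (LocalSocket=/path, TCPSocket=3310, TCPAddr=127.0.0.1).
# Lines commented out with a leading '#' are ignored.
clamd_endpoints() {
    awk '/^[[:space:]]*(LocalSocket|TCPSocket|TCPAddr)[[:space:]]+/ { print $1 "=" $2 }' "$1"
}

# The Unix socket path from clamd.conf, or nothing if only TCP is configured.
clamd_unix_socket() {
    clamd_endpoints "$1" | sed -n 's/^LocalSocket=//p'
}

# Liveness check over clamd's own protocol: "zPING" (NUL-terminated)
# should come back as "PONG". clamdscan uses the same protocol (zSCAN,
# zINSTREAM) to ask the daemon to scan files.
clamd_ping() {
    printf 'zPING\000' | socat -t 2 - "UNIX-CONNECT:$1" 2>/dev/null | tr -d '\000'
}

# Processes currently connected to the socket (root needed to see
# other users' processes). Empty output means the daemon is idle.
clamd_unix_clients() {
    ss -xap 2>/dev/null | grep -F -- "$1" | grep -v LISTEN
}

# Other services whose config under /etc mentions the socket
# (amavis, clamav-milter, a mail filter, a PHP upload scanner, ...).
clamd_config_consumers() {
    grep -rlF -- "$1" /etc 2>/dev/null | grep -v "^$CLAMD_CONF\$"
}

check() {
    echo "Endpoints in $CLAMD_CONF:"
    clamd_endpoints "$CLAMD_CONF"
    sock=$(clamd_unix_socket "$CLAMD_CONF")
    if [ -z "$sock" ]; then
        echo "no LocalSocket configured (check TCPSocket with: ss -tlnp)"
        return 0
    fi
    echo "Ping reply: $(clamd_ping "$sock")"
    echo "Processes connected to $sock:"
    clamd_unix_clients "$sock"
    echo "Files under /etc that mention $sock:"
    clamd_config_consumers "$sock"
}

# Only act when explicitly asked, so the functions can be sourced safely.
case "${1:-}" in
    check) check ;;
esac
```

Run it as `sh clamd-users.sh check`. If the ping answers but the last two lists stay empty over a few days of normal traffic, nothing is asking clamd to scan anything and a cron-driven clamscan covers the same ground.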


I would definitely disable it. Not because of memory usage particularly, but because more stuff running means more complexity means more chance of failure. In particular, running an AV scanner means:

  • more chance of false-positive detections flagging (in the worst case, deleting) something you don't want messed with;

  • the possibility that the scanner itself has security vulnerabilities, potentially making you more vulnerable. (Many scanners have had exploits, including several for ClamAV.)

The sort of security risks you face on a Linux web server (SQL injections, account password compromise, custom-built rootkits and so on) are not the kind of risks that a scanner like Clam will be able to detect for you. This makes the AV a particularly bad trade-off in your case. You would be better off with a general-purpose Intrusion Detection System.


My view is that 5% is trivial. If your web server actually needs all 2GB of RAM and you really can't spare that 5% you should be looking elsewhere for improvements and not jumping on clamd. ClamAV will detect some non-virus malware, which is not included in the claim that there are no Linux viruses (yet).

Another consideration is email, regardless of the volume. While an email infected with a Windows virus may be a non-event on Linux you must bear in mind that your system is not working in a vacuum. It is connected to all manner of other systems, including Windows machines. Consequently, an infected message detected as coming from your system can and probably will get you listed on one or more blocklists. Whether that's a real concern for you or not only you can decide. I personally believe all email systems should be scanning all messages, in and out, for viruses.


You will increase the risk of infection, but you need to weigh things up.

If

  • you are running Linux,

  • the server is for your own use,

  • you are not passing on email or files to Windows machines,

  • you need back the 5% due to limited resources.

Then stop clamd.

However, I have recently found Joomla exploits using cross-site scripting running on Linux servers which were found by clamav, so Linux is not immune to all malware that clamav will find.

It is not all or nothing, though. As a compromise you could run a clamscan in cron during quiet periods, for example 3am.

Something like

clamscan --tempdir=/tmp/ --infected --recursive /home | mail -s "Clamscan Report" [email protected]

will get you started. See the manpage for more details.
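The one-liner above mails a report every night whether or not anything was found, and it ignores clamscan's exit status, so a scan that failed (missing signatures, unreadable directory) looks the same as a clean one. The wrapper below is an added example, not code from the original answer: it refreshes signatures first, runs the scan at low CPU and I/O priority, logs a one-line summary every night, and only sends mail when there is a hit or an error. It assumes clamscan, freshclam and mail are installed and that `ionice` is available (util-linux, Linux only); SCAN_DIRS, REPORT_TO and LOG_FILE are illustrative defaults.

```shell
#!/bin/sh
# Added example (not from the original answer): cron wrapper for clamscan
# that reports only when something is found or the scan itself fails.
# Assumptions: clamscan/freshclam/mail on PATH, util-linux ionice,
# and the defaults below are placeholders to adjust.

SCAN_DIRS="${SCAN_DIRS:-/home /var/www}"
REPORT_TO="${REPORT_TO:-admin@example.com}"
LOG_FILE="${LOG_FILE:-/var/log/clamscan-nightly.log}"
CLAMSCAN="${CLAMSCAN:-clamscan}"

# clamscan's exit codes (clamscan(1)): 0 = no virus found,
# 1 = infected file(s) found, 2 = an error occurred (bad path, missing
# signatures, ...). Anything else (e.g. 127 when the binary is missing)
# is treated as an error as well.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Only "infected" and "error" deserve a mail; a nightly "all clean"
# message trains people to ignore the sender.
should_report() {
    [ "$1" != clean ]
}

mail_subject() {
    printf 'clamscan %s on %s' "$1" "$2"
}

run_scan() {
    host=$(hostname)
    # Refresh signatures first; a scan against stale definitions is not
    # worth much. Failure is logged but does not abort the scan.
    freshclam --quiet >>"$LOG_FILE" 2>&1 || echo "freshclam failed" >>"$LOG_FILE"
    # --infected prints only hits; nice/ionice keep a 3am scan from
    # starving the web server of CPU and disk. SCAN_DIRS is deliberately
    # unquoted so it splits into several paths. No --remove/--move: a
    # false positive should be reviewed by a human, not deleted.
    out=$(nice -n 19 ionice -c 3 "$CLAMSCAN" --recursive --infected $SCAN_DIRS 2>&1)
    rc=$?
    status=$(classify_exit "$rc")
    printf '%s %s rc=%s dirs=%s\n' "$(date '+%F %T')" "$status" "$rc" "$SCAN_DIRS" >>"$LOG_FILE"
    if should_report "$status"; then
        printf '%s\n' "$out" | mail -s "$(mail_subject "$status" "$host")" "$REPORT_TO"
    fi
    return "$rc"
}

# Only scan when explicitly asked, so the functions can be sourced safely.
case "${1:-}" in
    run) run_scan ;;
esac
```

Install it as, for example, /usr/local/sbin/clamscan-nightly.sh and add a crontab entry such as `0 3 * * * /usr/local/sbin/clamscan-nightly.sh run`. The log line written every night is what tells you the job is still running even when no mail arrives.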


Safety risks are a relative thing. Clamd is running the ClamAV engine on files and directories.

Where are you getting the figure that it's taking up that much memory? Linux memory management can be misleading; sometimes it is just telling you what's allocated, but not actually resident, and Linux is usually pretty good about juggling applications out when they're not active. You'll probably see that a lot more memory is used in caching than this application is taking up.

Personally, I'd not kill it. It is a relatively simple way to add another layer of "Peace of Mind", and if it's not impacting your system performance significantly then let Linux do its thing with managing memory. If you're hitting a lot of swap or disk thrashing, then see about trimming processes, but really at that point you might need to consider upping memory instead.

The flip side to ask is how much it will hurt you if the site is hacked and you don't realize it. Time to restore from backup, time to untangle any blacklists, do you have clients or others that depend on access to this system that will be affected, reputation, etc. Is it really worth it to you to kill the malware scanner in that case? Is it worth investing in more memory instead of killing the application, when weighed against the alternative? That should give you the answer you need.

My answer, if you asked me this question in person, is that yes, there's a security risk, in that this gives you one more layer of protection and another vector for discovering potential exploit attempts. Is it a huge security risk? I wouldn't think so, as long as you're careful. But it does increase your risk, just as not wearing your seatbelt increases your risk of injury or death in a car accident but doesn't mean that you're doomed the next time you don't do it. Risk is up to you to quantify in your own situation.