Is it safe to disable clamd?

Question

Clamd is taking up about 5% of my memory (2GB) on my dedicated server (running linux) and I'm wondering if I can disable it without any security risks.

The server just hosts a few of my own websites. For the most part, email received and sent is done through gmail (which connects to my pop3 accounts).

The only other email use case is where one of my websites parses all emails and grabs attached images and the subject line.

Would there be any security / risks of virus infection if I disable clamd?

Answer 1

All of the other answers for some reason seem to assume that clamd actually scans your system automatically. In reality, clamd does not scan your system on its own. All it does is wait for another process to ask it to scan the system, and thus doesn't do much more then speed up the "clamscan" procedure (since it doesn't have to reload virus definitions on each scan). If you are running a mail or file sharing server and want to scan files as they are passed through, this can be a highly useful optimization. However, if you are like me and simply want to make sure nobody's trying to host Windows malware on your server with a once-daily cronjob scan, clamd is largely unnecessary.

I realize that this is three years old, but it comes in the first few entries when someone searches "what's the point of clamd", "is it safe to turn of clamd" and the like.

Answer 2

You will increase risk of infection, but you need to weigh things up.

If

• you are running Linux,

• the server is for your own use

• you are not passing on email or files to Windows machines,

• you need back the 5% due to limited resources.

Then stop clamd.

However, I have found recently Joomla exploits using cross site scripting running on Linux servers which were found by clamav so Linux is not immune to all malware that clamav will find.

It is not an all or nothing though. As a compromise you could run a clamscan in cron during quiet periods, for example 3am.

Something like

clamscan --tempdir=/tmp/ --infected --recursive /home | mail -s "Clamscan Report" you@example.com

will get you started. See the manpage for more details.

Answer 3

I would definitely disable it. Not because of memory usage particularly, but because more stuff running means more complexity means more chance of failure. In particular, running an AV scanner means:

• more chance of false-positive detections flagging (in the worst case, deleting) something you don't want messed with;

• the possibility that the scanner itself has security vulnerabilities, potentially making you more vulnerable. (Many scanners have had exploits, including several for ClamAV.)

The sort of security risks you face on a Linux web server (SQL injections, account password compromise, custom-built rootkits and so on) are not the kind of risks that a scanner like Clam will be able to detect for you. This makes the AV a particularly bad trade-off in your case. You would be better off with a general-purpose Intrusion Detection System.

Answer 4

My view is that 5% is trivial. If your web server actually needs all 2GB of RAM and you really can't spare that 5% you should be looking elsewhere for improvements and not jumping on clamd. ClamAV will detect some non-virus malware, which is not included in the claim that there are no Linux viruses (yet).

Another consideration is email, regardless of the volume. While an email infected with a Windows virus may be a non-event on Linux you must bear in mind that your system is not working in a vacuum. It is connected to all manner of other systems, including Windows machines. Consequently, an infected message detected as coming from your system can and probably will get you listed on one or more blocklists. Whether that's a real concern for you or not only you can decide. I personally believe all email systems should be scanning all messages, in and out, for viruses.

Answer 5

Safety risks are a relative thing. Clamd is running the ClamAV engine on files and directories.

Where are you getting the figure that it's taking up that much memory? Linux memory management can be misleading; sometimes it is just telling you what's allocated, but not actually resident, and Linux is usually pretty good about juggling applications out when they're not active. You'll probably see that a lot more memory is used in caching than this application is taking up.

Personally, I'd not kill it. It is a relatively simple way to add another layer of "Peace of Mind", and if it's not impacting your system performance significantly then let Linux do its thing with managing memory. If you're hitting a lot of swap or disk thrashing, then see about trimming processes, but really at that point you might need to consider upping memory instead.

The flip side to ask is how much it will hurt you if the site is hacked and you don't realize it. Time to restore from backup, time to untangle any blacklists, do you have clients or others that depend on access to this system that will be affected, reputation, etc...is it really worth it to you to kill the malware scanner in that case? Is it worth investing in more memory instead of killing the application, when weighed against the alternative? That should give you the answer you need.

My answer if you asked me in person this question is that yes, there's a security risk in that this gives you one more layer of protection and another vector of discovering potential exploit attempts. Is it a huge security risk, I wouldn't think so, as long as you're careful. But it does increase your risk, just as not wearing your seatbelt increases your risk of injury or death in a car accident but it doesn't mean that you're doomed the next time you don't do it. Risk is up to you to quantify in your own situation.

Answer 6

1. I only the service clamd uses that memory. If you use clamscan instead of clamdscan you can disable the service: sudo systemctl disable --now clamd # for debian systems

2. I recommend to run clam on a web server but you may need the new clamonacc for on-access scanning because some simple scans at 00:00 don't help a lot - the hacker is already in (you have hope that he doesn't have root-privilleges because then he simply could manipulate clam, if that didn't happen it may help to run it then but remember that the hacker already is in www-data)

Answer 7

If you are hosting a website, Clam may give you early warning that a windows virus is present - something which is likely the result of an attack. I would suggest that you'd like to remove said virus as soon as possible, for the safety of your site's visitors (and your own windows kit for that matter), as the purpose of many hacks is to cause the victim to serve malicious content in order to infect client PCs.

IDS (assuming you bother to read the logs) is NOT an alternative, but rather something that could work in concert with host AV. IPS isn't an alternative either, and carries similar false-pos risks to AV.

As someone else said, you are paying a small price RAM-wise. If this is your own server, another 2Gb of RAM is unlikely to set you back more than tens of $.

Answer 8

I do not run it... causes too many issues on a heavy load server.

The sort of security risks you face on a Linux web server (SQL injections, account password compromise, custom-built rootkits and so on) are not the kind of risks that a scanner like Clam will be able to detect for you. This makes the AV a particularly bad trade-off in your case. You would be better off with a general-purpose Intrusion Detection System.

THIS ^

It doesn't find anything, I run 100's of websites and ClamAV is almost useless. I run a separate scanner every once in awhile and limit php options/chmod dirs, etc...