Clamd is taking up about 5% of my memory (2GB) on my dedicated server (running linux) and I'm wondering if I can disable it without any security risks.

The server just hosts a few of my own websites. For the most part, email received and sent is done through gmail (which connects to my pop3 accounts).

The only other email use case is where one of my websites parses all emails and grabs attached images and the subject line.

Would there be any security / risks of virus infection if I disable clamd?

Richard Holloway
mk1000
  • Feel free to tell us something about the system, such as what operating system it's running. – John Gardeniers Apr 11 '10 at 21:57
  • I'm running linux – mk1000 Apr 11 '10 at 22:05
  • Thank you for asking this. I recently installed a full protection system including clamd etc. This is a huge resource drain for me also. I am seriously considering removing everything and only using the firewall. The one question that remains is the mail. I have always heard that Linux was virus free, what's up with that statement? – Saif Bechan Apr 11 '10 at 22:21

8 Answers


All of the other answers for some reason seem to assume that clamd actually scans your system automatically. In reality, clamd does not scan your system on its own. All it does is wait for another process to ask it to scan the system, and thus doesn't do much more than speed up the "clamscan" procedure (since it doesn't have to reload virus definitions on each scan). If you are running a mail or file sharing server and want to scan files as they are passed through, this can be a highly useful optimization. However, if you are like me and simply want to make sure nobody's trying to host Windows malware on your server with a once-daily cronjob scan, clamd is largely unnecessary.

I realize that this is three years old, but it comes in the first few entries when someone searches "what's the point of clamd", "is it safe to turn off clamd" and the like.

persona15
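To make the "waits for another process to ask it" point concrete, here is an added example (not from this answer or from ClamAV's own tooling) of how a mail-parsing script like the asker's would hand an attachment to a running clamd over its INSTREAM protocol before saving it. The socket path and the sample attachment are assumptions; the framing (4-byte big-endian chunk length, zero-length terminator) and the "stream: OK" / "stream: <sig> FOUND" replies are clamd's documented protocol.

```python
import socket
import struct

# Constructed sample: a small fake PNG attachment, as a web app would receive it.
SAMPLE_ATTACHMENT = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64

# Assumed socket path (Debian/Ubuntu default); check LocalSocket in clamd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"
CHUNK_SIZE = 8192

def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Encode data as clamd INSTREAM chunks: each chunk is a 4-byte
    network-order length followed by the payload; a zero-length chunk ends it."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)
    return bytes(out)

def parse_reply(reply: bytes) -> tuple:
    """Turn a clamd reply into (verdict, detail) with verdict one of
    'clean', 'infected' or 'error'. Anything unexpected counts as an error
    so a misbehaving daemon never silently passes a file as clean."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "stream: OK":
        return ("clean", "")
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return ("infected", text[len("stream: "):-len(" FOUND")])
    return ("error", text)

def scan_bytes(data: bytes, socket_path: str = CLAMD_SOCKET) -> tuple:
    """Stream data to clamd over its Unix socket and return the verdict.
    A connection failure is reported as 'error', not 'clean' (fail closed)."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(30)
            s.connect(socket_path)
            s.sendall(instream_frames(data))
            reply = b""
            while not reply.endswith(b"\0"):      # z-prefixed commands get NUL-terminated replies
                part = s.recv(4096)
                if not part:
                    break
                reply += part
    except OSError as exc:
        return ("error", f"clamd unreachable: {exc}")
    return parse_reply(reply)

if __name__ == "__main__":
    print(scan_bytes(SAMPLE_ATTACHMENT))
```

Only accept the attachment when the verdict is "clean"; treating "error" as clean is the mistake that makes an unreachable clamd equivalent to no scanner at all.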

You will increase risk of infection, but you need to weigh things up.

If

  • you are running Linux,

  • the server is for your own use,

  • you are not passing on email or files to Windows machines, and

  • you need the 5% back due to limited resources,

then stop clamd.

However, I have recently found Joomla exploits using cross-site scripting running on Linux servers which were found by clamav, so Linux is not immune to all malware that clamav will find.

It is not an all or nothing though. As a compromise you could run a clamscan in cron during quiet periods, for example 3am.

Something like

clamscan --tempdir=/tmp/ --infected --recursive /home | mail -s "Clamscan Report" you@example.com

will get you started. See the manpage for more details.

Richard Holloway

I would definitely disable it. Not because of memory usage particularly, but because more stuff running means more complexity means more chance of failure. In particular, running an AV scanner means:

  • more chance of false-positive detections flagging (in the worst case, deleting) something you don't want messed with;

  • the possibility that the scanner itself has security vulnerabilities, potentially making you more vulnerable. (Many scanners have had exploits, including several for ClamAV.)

The sort of security risks you face on a Linux web server (SQL injections, account password compromise, custom-built rootkits and so on) are not the kind of risks that a scanner like Clam will be able to detect for you. This makes the AV a particularly bad trade-off in your case. You would be better off with a general-purpose Intrusion Detection System.

bobince
  • Can you suggest one 'Intrusion Detection System'? And is this method still recommended if you run a mail server? The mail server is however only used by admins, mostly in gmail using pop3. – Saif Bechan Apr 11 '10 at 22:18
  • For a mail server it's worthwhile to run AV (specifically over the mail) simply in order to reduce the quantity of mailworm junk. IDS is quite a big subject, see eg. http://serverfault.com/questions/18201/recommend-an-intrusion-detection-system-ids-ips-and-are-they-worth-it, http://serverfault.com/questions/126948/comparison-of-firewall-intrusion-prevention-detection-and-antivirus-technologie – bobince Apr 11 '10 at 22:30
  • +1 for repeating the fact that anti-virus software is not designed to withstand attack against themselves. – Alex Holst Apr 12 '10 at 08:27

My view is that 5% is trivial. If your web server actually needs all 2GB of RAM and you really can't spare that 5% you should be looking elsewhere for improvements and not jumping on clamd. ClamAV will detect some non-virus malware, which is not included in the claim that there are no Linux viruses (yet).

Another consideration is email, regardless of the volume. While an email infected with a Windows virus may be a non-event on Linux you must bear in mind that your system is not working in a vacuum. It is connected to all manner of other systems, including Windows machines. Consequently, an infected message detected as coming from your system can and probably will get you listed on one or more blocklists. Whether that's a real concern for you or not only you can decide. I personally believe all email systems should be scanning all messages, in and out, for viruses.

John Gardeniers

Safety risks are a relative thing. Clamd is running the ClamAV engine on files and directories.

Where are you getting the figure that it's taking up that much memory? Linux memory management can be misleading; sometimes it is just telling you what's allocated, but not actually resident, and Linux is usually pretty good about juggling applications out when they're not active. You'll probably see that a lot more memory is used in caching than this application is taking up.

Personally, I'd not kill it. It is a relatively simple way to add another layer of "Peace of Mind", and if it's not impacting your system performance significantly then let Linux do its thing with managing memory. If you're hitting a lot of swap or disk thrashing, then see about trimming processes, but really at that point you might need to consider upping memory instead.

The flip side to ask is how much it will hurt you if the site is hacked and you don't realize it. Time to restore from backup, time to untangle any blacklists, do you have clients or others that depend on access to this system that will be affected, reputation, etc...is it really worth it to you to kill the malware scanner in that case? Is it worth investing in more memory instead of killing the application, when weighed against the alternative? That should give you the answer you need.

My answer, if you asked me this question in person, is that yes, there's a security risk, in that this gives you one more layer of protection and another vector for discovering potential exploit attempts. Is it a huge security risk? I wouldn't think so, as long as you're careful. But it does increase your risk, just as not wearing your seatbelt increases your risk of injury or death in a car accident but doesn't mean that you're doomed the next time you don't do it. Risk is up to you to quantify in your own situation.

Bart Silverstrim
  • I have always heard that Linux was virus free. What kind of ways are there to get your server infected? – Saif Bechan Apr 11 '10 at 22:23
  • I guess it's for passing mails and if there is any sharing of files to Windows-based machines. Not the server per se. – artifex Apr 12 '10 at 08:16
  • @Saif: Linux isn't virus-free. But it has only a fraction of the malware that is in the wild for Windows. A very small fraction. Part of it is because it's less common (you'll get more money from people running Windows and don't care about things like security when phishing or rootkitting them). Another part is design; you can only "infect" the system if you have privilege escalation, otherwise you can only "infect" what the logged in user can access, and by default users shouldn't be able to alter system files. – Bart Silverstrim Apr 12 '10 at 10:19
  • @Saif: How to infect a server? Well, if you're running a web server, there are vulnerabilities in the server, and there are PHP/SQL injection attacks, sniffing passwords if not encrypted to get privileged information to break in, etc. – Bart Silverstrim Apr 12 '10 at 10:21
  • @artifex: its primary purpose was to scan mails and Windows files being shared ("being a good network neighbor"). But it will find various phishing and malware signatures that may end up on a web server. Just because your system can't execute the malware doesn't mean it won't act as a carrier. A few percent of memory use or one or two percent of processor usage is a small price to pay if you're responsible for other systems or a business in my book. – Bart Silverstrim Apr 12 '10 at 10:23
  1. I think only the clamd service uses that memory. If you use clamscan instead of clamdscan you can disable the service: sudo systemctl disable --now clamd # for debian systems

  2. I recommend running clam on a web server, but you may need the new clamonacc for on-access scanning, because some simple scans at 00:00 don't help a lot - the hacker is already in (you have to hope that he doesn't have root privileges, because then he could simply manipulate clam; if that didn't happen it may help to run it then, but remember that the hacker is already in as www-data)

france1

If you are hosting a website, Clam may give you early warning that a Windows virus is present - something which is likely the result of an attack. I would suggest that you'd like to remove said virus as soon as possible, for the safety of your site's visitors (and your own Windows kit for that matter), as the purpose of many hacks is to cause the victim to serve malicious content in order to infect client PCs.

IDS (assuming you bother to read the logs) is NOT an alternative, but rather something that could work in concert with host AV. IPS isn't an alternative either, and carries similar false-pos risks to AV.

As someone else said, you are paying a small price RAM-wise. If this is your own server, another 2Gb of RAM is unlikely to set you back more than tens of $.

Tom Newton

I do not run it... causes too many issues on a heavy load server.

The sort of security risks you face on a Linux web server (SQL injections, account password compromise, custom-built rootkits and so on) are not the kind of risks that a scanner like Clam will be able to detect for you. This makes the AV a particularly bad trade-off in your case. You would be better off with a general-purpose Intrusion Detection System.

THIS ^

It doesn't find anything. I run hundreds of websites and ClamAV is almost useless. I run a separate scanner every once in a while and limit php options/chmod dirs, etc...

jd-
  • It's not just about protecting your own systems though, it's also about protecting other people's systems: in case someone uploads a malicious file to your server, you can stop it from being served to other users who might try to download it. – Mark Henderson Feb 09 '11 at 02:09