I have an Ubuntu 14.04 using ClamAV to scan some files manually as part of some software. I have clamd running all the time and am using clamdscan to let it scan my files. Scanning the files is pretty fast, restarting the daemon because of configuration changes or freshclam etc. is pretty slow. Slow means that it takes around 5 minutes with 100 % CPU load, but without any I/O on a 2,93 GHz Xeon X5570. Restarting the same daemon in another VM with Ubuntu and the same version of ClamAV the daemon restarts in around 20 seconds.

The only difference between the two machines is the number of assigned CPUs, 10 vs. 2, main memory, 48 vs. 6 GB, and load, because one machine is production, the other one for dev and testing purposes. The production machine always has a around 20 to 25 GB of RAM in cache and buffers etc. I've already provided 48 GB of RAM to the dev machine as well and even filled caches up to 40 GB by copying files, which didn't change anything regarding restart times, they were still around 20 seconds.

I'm guessing that clamd scans memory during restart and things like cache and buffers make the difference here. But I can't find any documentation or configuration proving if RAM is scanned and if so, which of it. I have lots of different daemons running with different users and clamd is running as user clamav only, so in theory is not easily capable of reading other processes memory.

ClamAV had some bugs around slow restarts in the past, but none of the things I find regarding those fit to the version 0.99.2 of ClamAV I'm using currently. So this behaviour should not be a bug, especially as this doesn't happen in my dev machine.

Are there some docs available which proof my guess? If so, is there some configuration available to change that behaviour?