How to Run Efficient ClamAV Scans on a 4GB RAM Server (Without Killing Your Machine)

Hello, I'm Maneshwar. I'm building git-lrc, an AI code reviewer that runs on every commit. It is free, unlimited, and source-available on Github. Star Us to help devs discover the project. Do give it a try and share your feedback for improving the product.

Server admins often install ClamAV using the default package and immediately hit a wall:
clamscan eats RAM, the server freezes, and everything goes to hell.

The fix?
Stop using clamscan and switch to clamd + clamdscan with proper tuning.

This guide shows you exactly how to install, configure, and run ClamAV scans safely on a 4GB RAM machine.

Why clamscan Is a Problem on Low-RAM Servers

clamscan is the standalone command-line scanner.
Every time you run it:

• It loads the ENTIRE virus database (600MB–900MB) into RAM
• It unloads it after the scan
• It does this again for each run

This creates high CPU + heavy RAM spikes → a 4GB server suffers.

Why clamd + clamdscan Fixes Everything

clamd is a persistent daemon:

• Loads the virus database once
• Stays in memory
• clamdscan sends scan requests to the daemon
• Fast scanning
• Lower peak RAM usage
• No repeated DB loading

You only start the daemon when you want to scan (e.g., nightly), and stop it afterward.

Perfect for low-RAM VPS.

1. Install ClamAV Daemon

sudo apt update
sudo apt install clamav-daemon

This gives you:

• /usr/sbin/clamd
• /usr/bin/clamdscan
• A systemd service: clamav-daemon

2. Configure clamd for Low-RAM Usage

Edit:

/etc/clamav/clamd.conf

Use these settings:

ConcurrentDatabaseReload no
ExitOnOOM yes
MaxThreads 1
MaxQueue 2
ScanOnAccess no
#CompressLocalDatabase false

What these do:

• MaxThreads 1 → prevents CPU/RAM spikes
• ExitOnOOM yes → daemon dies safely instead of killing your server
• ScanOnAccess no → disables real-time scanning (you don’t want this on 4GB)
• MaxQueue 2 → limits queued scan jobs (double of threads)
• ConcurrentDatabaseReload no → prevents expensive DB reloads

These are safe defaults and keep RAM usage predictable.

3. Configure freshclam (Database Updater)

Edit:

/etc/clamav/freshclam.conf

Example (your actual config):

TestDatabases no
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
Checks 0
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

The main part here is Checks 0.
This means freshclam won't auto-update.

If you want ClamAV to update daily (recommended):

Change to:

Checks 1

This runs 1 updates per day.

4. Start clamd ONLY When You Need It

On a 4GB server, you should not run clamd constantly.

Disable:

sudo systemctl disable clamav-daemon
sudo systemctl stop clamav-daemon

Later, when scanning:

sudo systemctl start clamav-daemon
sleep 20  # wait for DB load

After scanning:

sudo systemctl stop clamav-daemon

5. Run Scan Using clamdscan (Not clamscan)

Use:

sudo clamdscan --multiscan --fdpass --move=/var/quarantine /

• --multiscan = splits work
• --fdpass = lets clamd access protected files
• --move=/var/quarantine = moves infected files

This runs MUCH faster than clamscan and uses less RAM.

6. Automating Nightly Scans

Cron example:

30 04 * * * sudo /bin/bash -lc "/home/ubuntu/crons/scan_and_audit.sh"

Your script should:

1. start clamd
2. run clamdscan
3. stop clamd
4. log results
5. notify (optional)

This avoids clamd running all day and eating RAM.

7. Expected RAM Usage

On a 4GB machine:

• clamd running: 800MB–1.1GB RAM
• clamd stopped: 0 RAM
• freshclam occasionally: 20–40MB

This is why starting/stopping clamd is perfect.

Conclusion

Running ClamAV on a 4GB server is totally safe if you use:

• clamd + clamdscan
• low-RAM configs
• scheduled scans
• on-access scanning disabled
• clamd started only when scanning

This setup avoids RAM spikes and gives you fast, efficient scanning on even the smallest VPS.

*AI agents write code fast. They also silently remove logic, change behavior, and introduce bugs -- without telling you. You often find out in production.

git-lrc fixes this. It hooks into git commit and reviews every diff before it lands. 60-second setup. Completely free.*

Any feedback or contributors are welcome! It's online, source-available, and ready for anyone to use.

⭐ Star it on GitHub:

HexmosTech / git-lrc

Free, Unlimited AI Code Reviews That Run on Commit

| 🇩🇰 Dansk | 🇪🇸 Español | 🇮🇷 Farsi | 🇫🇮 Suomi | 🇯🇵 日本語 | 🇳🇴 Norsk | 🇵🇹 Português | 🇷🇺 Русский | 🇦🇱 Shqip | 🇨🇳 中文 |

git-lrc

Free, Unlimited AI Code Reviews That Run on Commit

 

     

---

AI agents write code fast. They also silently remove logic, change behavior, and introduce bugs -- without telling you. You often find out in production.

git-lrc fixes this. It hooks into git commit and reviews every diff before it lands. 60-second setup. Completely free.

See It In Action

See git-lrc catch serious security issues such as leaked credentials, expensive cloud operations, and sensitive material in log statements

git-lrc-intro-60s.mp4

Why

• 🤖 AI agents silently break things. Code removed. Logic changed. Edge cases gone. You won't notice until production.
• 🔍 Catch it before it ships. AI-powered inline comments show you exactly what changed and what looks wrong.
• 🔁 Build a…

View on GitHub