DEV Community

Cover image for How to Run Efficient ClamAV Scans on a 4GB RAM Server (Without Killing Your Machine)
Athreya aka Maneshwar
Athreya aka Maneshwar

Posted on

How to Run Efficient ClamAV Scans on a 4GB RAM Server (Without Killing Your Machine)

#devops #webdev #programming #security

Hello, I'm Maneshwar. I'm working on FreeDevTools online currently building *one place for all dev tools, cheat codes, and TLDRs* — a free, open-source hub where developers can quickly find and use tools without any hassle of searching all over the internet.

Server admins often install ClamAV using the default package and immediately hit a wall:
clamscan eats RAM, the server freezes, and everything goes to hell.

The fix?
Stop using clamscan and switch to clamd + clamdscan with proper tuning.

This guide shows you exactly how to install, configure, and run ClamAV scans safely on a 4GB RAM machine.

Why clamscan Is a Problem on Low-RAM Servers

clamscan is the standalone command-line scanner.
Every time you run it:

  • It loads the ENTIRE virus database (600MB–900MB) into RAM
  • It unloads it after the scan
  • It does this again for each run

This creates high CPU + heavy RAM spikes → a 4GB server suffers.

Why clamd + clamdscan Fixes Everything

clamd is a persistent daemon:

  • Loads the virus database once
  • Stays in memory
  • clamdscan sends scan requests to the daemon
  • Fast scanning
  • Lower peak RAM usage
  • No repeated DB loading

You only start the daemon when you want to scan (e.g., nightly), and stop it afterward.

Perfect for low-RAM VPS.

1. Install ClamAV Daemon 

sudo apt update
sudo apt install clamav-daemon
Enter fullscreen mode Exit fullscreen mode

This gives you:

  • /usr/sbin/clamd
  • /usr/bin/clamdscan
  • A systemd service: clamav-daemon

2. Configure clamd for Low-RAM Usage

Edit:

/etc/clamav/clamd.conf
Enter fullscreen mode Exit fullscreen mode

Use these settings:

ConcurrentDatabaseReload no
ExitOnOOM yes
MaxThreads 1
MaxQueue 2
ScanOnAccess no
#CompressLocalDatabase false
Enter fullscreen mode Exit fullscreen mode

What these do:

  • MaxThreads 1 → prevents CPU/RAM spikes
  • ExitOnOOM yes → daemon dies safely instead of killing your server
  • ScanOnAccess no → disables real-time scanning (you don’t want this on 4GB)
  • MaxQueue 2 → limits queued scan jobs (double of threads)
  • ConcurrentDatabaseReload no → prevents expensive DB reloads

These are safe defaults and keep RAM usage predictable.

3. Configure freshclam (Database Updater)

Edit:

/etc/clamav/freshclam.conf
Enter fullscreen mode Exit fullscreen mode

Example (your actual config):

TestDatabases no
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
Checks 0
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
Enter fullscreen mode Exit fullscreen mode

The main part here is Checks 0.
This means freshclam won't auto-update.

If you want ClamAV to update daily (recommended):

Change to:

Checks 1
Enter fullscreen mode Exit fullscreen mode

This runs 1 updates per day.

4. Start clamd ONLY When You Need It

On a 4GB server, you should not run clamd constantly.

Disable:

sudo systemctl disable clamav-daemon
sudo systemctl stop clamav-daemon
Enter fullscreen mode Exit fullscreen mode

Later, when scanning:

sudo systemctl start clamav-daemon
sleep 20  # wait for DB load
Enter fullscreen mode Exit fullscreen mode

After scanning:

sudo systemctl stop clamav-daemon
Enter fullscreen mode Exit fullscreen mode

5. Run Scan Using clamdscan (Not clamscan)

Use:

sudo clamdscan --multiscan --fdpass --move=/var/quarantine /
Enter fullscreen mode Exit fullscreen mode
  • --multiscan = splits work
  • --fdpass = lets clamd access protected files
  • --move=/var/quarantine = moves infected files

This runs MUCH faster than clamscan and uses less RAM.

6. Automating Nightly Scans

Cron example:

30 04 * * * sudo /bin/bash -lc "/home/ubuntu/crons/scan_and_audit.sh"
Enter fullscreen mode Exit fullscreen mode

Your script should:

  1. start clamd
  2. run clamdscan
  3. stop clamd
  4. log results
  5. notify (optional)

This avoids clamd running all day and eating RAM.

7. Expected RAM Usage

On a 4GB machine:

  • clamd running: 800MB–1.1GB RAM
  • clamd stopped: 0 RAM
  • freshclam occasionally: 20–40MB

This is why starting/stopping clamd is perfect.

Conclusion

Running ClamAV on a 4GB server is totally safe if you use:

  • clamd + clamdscan
  • low-RAM configs
  • scheduled scans
  • on-access scanning disabled
  • clamd started only when scanning

This setup avoids RAM spikes and gives you fast, efficient scanning on even the smallest VPS.

FreeDevTools

I’ve been building FreeDevTools.

A collection of UI/UX-focused tools crafted to simplify workflows, save time, and reduce friction in searching tools/materials.

Any feedback or contributors are welcome!

It’s online, open-source, and ready for anyone to use.

👉 Check it out: FreeDevTools
⭐ Star it on GitHub: freedevtools

Top comments (0)