Check the Status of the ClamAV Daemon
You can check the ClamAV daemon status under the Anti-virus line in the Services dashboard widget. It should be green and Active. You can click on the Active or Inactive in the status column to get more information.
Check the Status of the ClamAV Daemon From the Command Line
AlmaLinux/Centos/RockyLinux/RHEL/CloudLinux
systemctl status clamd@scan
Debian/Ubuntu
systemctl status clamav-daemonChecking the Current Configuration From the Command Line
You can view the current ClamAV configuration using the clamconf command:
clamconfViewing the ClamAV Daemon Logs
You can view the ClamAV daemon logs under Warden -> Logs -> Anti-virus Logs. To view the logs on the command line:
AlmaLinux/Centos/RockyLinux/RHEL/CloudLinux
tail -f /var/log/clamd.scan
Debian/Ubuntu
tail -f /var/log/clamav/clamav.logMonitoring the ClamAV Daemon Memory and CPU Usage
Administrators can use the clamdtop command to monitor ClamAV daemon memory and CPU usage statistics from the command line:
RHEL/Almalinux/CloudLinux/RockyLinux
clamdtop --config-file=/etc/clamd.d/scan.confDebian/Ubuntu
clamdtop --config-file=/etc/clamav/clamd.conf
High Server Load / CPU Usage Problems
Normally high server load is caused by the clamscan binary when the ClamAV daemon is down. By default Amavis will fall back to the secondary clamscan binary when the ClamAV daemon is down or having problems. Note that the clamscan binary is NOT the same as clamd. Clamd is the highly efficient daemon version of ClamAV while clamscan is the inefficient non-demonized version. Clamscan is not suitable for scanning large amounts of mail because the ClamAV signatures have to be loaded into memory for every scan (This is what causes the high load on the server). Look below for how to disable the clamscan secondary fallback scanner if you don't want Amavis to fall back to it.
How to Disable the Clamscan Fallback Scanner
To disable the secondary fallback scanner go to Warden -> Settings -> Scanner Settings -> Scanner backup template -> set it to None. Then press the Update button to save the page.
To check that the backup scanner is disabled on Centos/RHEL/CloudLinux/AlmaLinux edit the file /etc/amavisd/warden.conf or on Debian/Ubuntu edit the file /etc/amavis/conf.d/99-warden and look for the following line. It should look like the following:
@av_scanners_backup = ();ClamAV Memory Problems
The most common problem is not enough free memory for the ClamAV daemon. You can check the free memory of the server using the command: free -m (look at the free column):
# free -m
total used free shared buff/cache available
Mem: 64049 30895 15313 3113 17840 29387
Swap: 15259 4333 10926If the server is running low on free memory sometimes the out of memory killer (OOM Killer) will kill the ClamAV daemon. We recommend a minimum of at least 4 GB of server memory (sometimes more depending on how many additional services you have running):
// AlmaLinux/Centos/RockyLinux/CloudLinux/RHEL
zgrep "Out of memory" /var/log/messages*
// Debian/Ubuntu
zgrep "Out of memory" /var/log/syslog*
Jun 19 19:35:21 el8p18 kernel: Out of memory: Killed process 1650121 (clamd) total-vm:3118856kB, anon-rss:2262988kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5888kB oom_score_adj:0
Jun 19 20:30:33 el8p18 kernel: Out of memory: Killed process 1992340 (clamd) total-vm:3072516kB, anon-rss:1895824kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5792kB oom_score_adj:0
Jun 19 21:22:52 el8p18 kernel: Out of memory: Killed process 2007089 (clamd) total-vm:3093760kB, anon-rss:1779240kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5816kB oom_score_adj:0Create a Swap File if your VM Doesn't Have One
Some times service providers create a virtual machine without any swap file. If your virtual machine doesn't have a swap file then you should create one. You can check if your VM has a swap file using the command:
# cat /proc/swaps
Filename Type Size Used Priority
/dev/dm-1 partition 2097148 735832 -2Instructions for creating a swap file can be found here.
Disable the Out of Memory Killer for ClamAV
Edit the ClamAV service file:
// RHEL/CloudLinux/AlmaLinux/RockyLinux
systemctl edit --full clamd@scan
// Debian/Ubuntu
# systemctl edit --full clamav-daemonAdd the option OOMScoreAdjust=-1000 to the [Service] section:
Example (taken from Ubuntu 22.04):
[Unit]
Description=Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://docs.clamav.net/
# Check for database existence
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}
[Service]
ExecStart=/usr/sbin/clamd --foreground=true
# Reload the database
ExecReload=/bin/kill -USR2 $MAINPID
StandardOutput=syslog
TimeoutStartSec=420
OOMScoreAdjust=-1000
[Install]
WantedBy=multi-user.target
Restart ClamAV
// RHEL/CloudLinux/AlmaLinux/RockyLinux
systemctl restart clamd@scan
// Debian/Ubuntu
systemctl restart clamav-daemonDisable Concurrent Database Reloads to Free Up Memory
If the option ConcurrentDatabaseReload in enabled in ClamAV then during a database reload clamd will load the new DB first and then drop the old one. This concurrent database reload strategy allows it to keep scanning files while loading the new database. The drawback is that it requires twice as much memory as during normal operations. As a result the clamd process can keep getting killed. For servers with under 8 GB of memory we recommend that you disable this option. You can disable this under Warden -> Settings -> Anti-virus Settings -> Concurrent database reload (make sure it is unchecked).
Adjusting How Much Memory Amavis Uses
Admins can adjust how much free memory Amavis uses by lowering the Max servers option under Warden -> Settings -> Content Filter -> Filter Settings. This will free up memory for use by the ClamAV daemon. See here for more information.
