clamav

CAVLite: Lightweight, Memory-Efficient Security Audit for Low-RAM Servers.

Ganesh Kumar

Nov 30, 2025 — 3 min read

If you run a server with limited resources—specifically, standard 4GB RAM and 2 vCPU setup- you are likely familiar with the constant, stressful balancing act between performance and security.

You know you need antivirus protection and system audits. You know the risks of leaving a server vulnerable to intruders, malware, and data theft.

But you also know that running a standard security scan on a lean VPS can be a death sentence for your uptime.

Ultimately, you are forced into a terrible choice: leave the server vulnerable, or risk crashing the entire machine by running a heavy security scan.

Standard security tools assume you have hardware to spare.

But when you are running a production environment on 4GB of RAM, a sudden memory spike doesn't just slow things down.

It pins your CPU at 100%, triggers Out of Memory (OOM) kills, takes down your web services, and leaves you scrambling to reboot while your users face downtime.

We faced this exact problem. After months of continuous trial and error, witnessing servers choke on default configurations, we realized we needed a better way.

After some continuous trial and error with configurations, we found a way to run ClamAV and Lynis without crashing the system.

This is why we built CAVLite.

Why clamscan Is a Problem on Low-RAM Servers?

The industry standard for open-source Linux security is ClamAV.

It is powerful, effective, and free. However, it is also notoriously resource-intensive.

clamscan is the standalone command-line scanner.
Every time you run it:

It loads the ENTIRE virus database (600MB–900MB) into RAM
It unloads it after the scan
It does this again for each run
This creates high CPU + heavy RAM spikes → a 4GB server suffers.

Why Using Clamd and ClamdScan Is a Better Option

Clamd is the ClamAV daemon.

Loads the virus database once
Stays in memory
clamdscan sends scan requests to the daemon
Fast scanning
Lower peak RAM usage
No repeated DB loading

Install ClamAV Daemon

sudo apt update
sudo apt install clamav-daemon -y

This will add clamav-daemon to your system.
Clamd config file will be created at /etc/clamav/clamd.conf

Configure clamd for Low-RAM Usage

Edit the config file to limit the memory usage.

sudo vim /etc/clamav/clamd.conf

You can copy the config file from here : Link

sudo vim /etc/clamav/freshclam.conf

You can copy the config file from here : Link

By above configuration, you can run ClamAV daemon with low RAM usage.

But, there are a lot of manual steps to run a scan.

So, we created CAVLite to run scan with ease.

Introducing CAVLite

CAVLite is a wrapper script that automates the process of running ClamAV scans on your server.

This will help you configure configs while installing.

curl -fsSL https://raw.githubusercontent.com/HexmosTech/CAVLite/main/install.sh | sudo bash

Start Security Scan

sudo cavlite --start

It starts clamav-daemon only when you ask for a scan.
It waits for the virus definitions to load safely in the background.
It uses clamdscan (the lightweight client) to talk to the daemon. This is significantly faster and lighter than the standalone clamscan.
Infected files are immediately moved to a quarantine directory (/var/quarantine).
It simultaneously triggers Lynis to perform a system-wide security audit to check for hardening issues.
The moment the scan is done, CAVLite stops the daemon. This immediately releases that 1GB of RAM back to your web server or database.
You get a summary log and a notification (via Discord or other webhooks).