In some cases, a customer may want to exclude the NFS server from participating in the ClamAV service.
Note: This is under discussion with the product team and can be used as a reference.
Follow these steps to exclude the nfs_server job from having a collocated clamd and freshclam process on the nfs_server (blobstore):
1. With the BOSH v1 CLI, find the job name for the capi release:

    $ bosh releases --jobs | egrep 'Name|capi'
    Acting as user 'director' on 'p-bosh'
    RSA 1024 bit CA certificates are loaded due to old openssl compatibility
    | Name | Versions | Commit Hash | Jobs |
    | capi | 1.28.19* | 884d589e | blobstore, cc_uploader, cloud_controller_clock, cloud_controller_ng, cloud_controller_worker, debian_nfs_server, nfs_mounter, nsync, stager, tps |

2. If you are using the BOSH v2.0 CLI, here is an example to obtain the job name (as BOSH CLI v2 does not have the "--jobs" option for releases):

    $ bosh -e <environment> --ca-cert /var/tempest/workspaces/default/root_ca_certificate inspect-release capi/1.58.8 --json | jq '.Tables[].Rows' | grep job
    "job": "blobstore/5582f6d61081ce05e87fc8d82da616159c658abd",
    "job": "cc_uploader/a310c36b3e69b4eefc8dccb88658a8fa1ef1c056",
    "job": "cloud_controller_clock/6fe054f4a62a5ad41224ac49b95d4c419c6d6dfe",
    "job": "cloud_controller_ng/747e4689c71c439de0c373caba5d8d8e58232744",
    "job": "cloud_controller_worker/640d7920075032ca920b832b2f607dde32b2ec3b",
    "job": "debian_nfs_server/8c6159eca06f8b8dfbea48f9885340ba2fca6baf",
    "job": "nfs_mounter/4630a72f08ebe6713e58a4abda6d5f2085b344a0",
    "job": "nsync/c4797cf095591a331edb6758ecec36fae9e6e5ca",
    "job": "stager/0a4acf28fd0efc15c3d700546f2caabb8ab777b3",
    "job": "tps/2564bcef539310142d0878c8ab2286c84c7ddd87",

For example, here is the BOSH ClamAV manifest file you can use (with focus on the exclude section):

    ubuntu@pivotal-ops-manager:~$ bosh runtime-config
    Acting as user 'director' on 'p-bosh'
    RSA 1024 bit CA certificates are loaded due to old openssl compatibility
    releases:
    - name: clamav
      version: 1.2.7
    addons:
    - name: clamav
      jobs:
      - name: clamav
        release: clamav
        properties:
          clamav:
            database_mirror: pivotal-clamav-mirror.s3.amazonaws.com
            on_access: false
            scheduled: true
      include:
        stemcell:
        - os: ubuntu-trusty
      exclude:
        jobs:
        - name: blobstore
          release: capi

In some cases, you may want to exclude other jobs, such as errand VMs, smoke-tests, etc.

    - {name: push-apps-manager, release: push-apps-manager-release}
    - {name: deploy-notifications, release: notifications}
    - {name: deploy-notifications-ui, release: notifications-ui}
    - {name: push-pivotal-account, release: pivotal-account}
    - {name: deploy-autoscaling, release: cf-autoscaling}
    - {name: register-broker, release: cf-autoscaling}
    - {name: nfsbrokerpush, release: nfs-volume}
    - {name: bootstrap, release: cf-mysql}
    - {name: rejoin-unsafe, release: cf-mysql}
    - {name: broker-registrar, release: cf-mysql}
    - {name: deregister-and-purge-instances, release: cf-mysql}
    - {name: smoke-tests, release: cf-mysql}
    - {name: install-hwc-buildpack, release: hwc-buildpack}

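An exclude entry has to use a job name from the release listing, not the name the VM goes by. The following check is an added example, not part of the original article or of BOSH: it compares exclude entries against the `inspect-release --json` output. The JSON shape is assumed from the jq filter shown above, the sample input is constructed from the output on this page, and the function names are hypothetical.

```python
import json

# Constructed sample, trimmed from the inspect-release output shown above.
# Assumed shape (from the jq filter on this page): .Tables[].Rows[] with "job".
SAMPLE_INSPECT_JSON = json.dumps({
    "Tables": [
        {"Rows": [
            {"job": "blobstore/5582f6d61081ce05e87fc8d82da616159c658abd"},
            {"job": "debian_nfs_server/8c6159eca06f8b8dfbea48f9885340ba2fca6baf"},
            {"job": "nfs_mounter/4630a72f08ebe6713e58a4abda6d5f2085b344a0"},
        ]},
        # Constructed non-job table, to show that such rows are ignored.
        {"Rows": [{"package": "example_package/placeholder-fingerprint"}]},
    ]
})


def release_jobs(inspect_json):
    """Return the set of job names (fingerprint stripped) in one release."""
    names = set()
    for table in json.loads(inspect_json).get("Tables", []):
        for row in table.get("Rows") or []:
            job = row.get("job")
            if job:
                names.add(job.split("/", 1)[0])
    return names


def check_excludes(excludes, jobs_by_release):
    """Report exclude entries that cannot match any job in the named release."""
    problems = []
    for entry in excludes:
        name, release = entry.get("name"), entry.get("release")
        if release not in jobs_by_release:
            problems.append(f"{name}: release '{release}' was not inspected")
        elif name not in jobs_by_release[release]:
            problems.append(f"{name}: no such job in release '{release}'")
    return problems


if __name__ == "__main__":
    jobs = {"capi": release_jobs(SAMPLE_INSPECT_JSON)}
    excludes = [
        {"name": "blobstore", "release": "capi"},   # job name from the listing
        {"name": "nfs_server", "release": "capi"},  # not a job in the listing
    ]
    for problem in check_excludes(excludes, jobs):
        print("WARN", problem)
```
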
Note: Please check with Pivotal Support before proceeding, as you could leave PCF vulnerable.