HowTo run ClamAV Anti Virus on a low memory system

 

Since spring 2007 startup time for clamscan jumped from less than a second to over a minute. Thus with current spam rate no live system will be able to run with this recipe successfully. This could be mitigated by running clamdscan instead of clamscan. But then you need to have the clamd running in the background - which runs against the very idea of an on-demand-only scanning.

So this article is kept for historical reasons. For a better but still (moderately) low-impcat system nowadays use some small wrapper like ClamSMTP. Perl-based systems like Amavis, Spamassassin or like need more memory and performance.


One well documented, well running combination for defeating viruses on a mail system using Postfix MTA is to use ClamAV and ClamSMTP or Amavisd-new.

Unfortunately that setup will permanently cost you some 20-40MB of memory, which is preciously low if you're being hosted on a shared server environment like User-mode Linux. Try to run Apache and MySQL alongside, and you'll encounter resource problems.

One way to mitigate these problems is to run ClamScan each time a mail gets delivered instead permanently. If no mail is being delivered, there is no AV software in memory, leaving it free for an occasional peak in LAMP usage.

A clean approach (again using Postfix) with one single, central config is to use ENSITA/clamfilter (beware: there are two programs called CLAMFILTER) configured to call clamscan instead of clamdscan. The single problem is that it could try to run multiple instances of the virus scanner when delivering multiple mails simultaneoursly - and thus might run into ressource problems.

 

The solution described here works for basically any MTD/MDA and limits the number of simultaneous scans to 1, further reducing the probability of memory exhaustion.

Problems with this approach:

Ergo: do use this recipe only if you are really low on memory and you do not have many users getting mail.

Install ClamScan

ClamScan is the online / on-demand scanner version of the ClamAV suite. There are source and a number of binary packets available as well as a good handbook.

To preserve even more memory, don't run FreshClam as daemon (~900k), but from cron. For this

	# /etc/cron.d/clamav-freshclam
	# freshen signatures every 4 hours
	23 0,4,8,12,16,20  * * *  clamav  /etc/init.d/clamav-freshclam no-daemon

Depending on your system setup now proceed with a procmail- or maildrop-based installation.