HowTo run ClamAV Anti Virus on a low memory system

Since spring 2007 startup time for clamscan jumped from less than a second to over a minute. Thus with current spam rate no live system will be able to run with this recipe successfully. This could be mitigated by running clamdscan instead of clamscan. But then you need to have the clamd running in the background - which runs against the very idea of an on-demand-only scanning.

So this article is kept for historical reasons. For a better but still (moderately) low-impcat system nowadays use some small wrapper like ClamSMTP. Perl-based systems like Amavis, Spamassassin or like need more memory and performance.

One well documented, well running combination for defeating viruses on a mail system using Postfix MTA is to use ClamAV and ClamSMTP or Amavisd-new.

Unfortunately that setup will permanently cost you some 20-40MB of memory, which is preciously low if you're being hosted on a shared server environment like User-mode Linux. Try to run Apache and MySQL alongside, and you'll encounter resource problems.

One way to mitigate these problems is to run ClamScan each time a mail gets delivered instead permanently. If no mail is being delivered, there is no AV software in memory, leaving it free for an occasional peak in LAMP usage.

A clean approach (again using Postfix) with one single, central config is to use ENSITA/clamfilter (beware: there are two programs called CLAMFILTER) configured to call clamscan instead of clamdscan. The single problem is that it could try to run multiple instances of the virus scanner when delivering multiple mails simultaneoursly - and thus might run into ressource problems.

The solution described here works for basically any MTD/MDA and limits the number of simultaneous scans to 1, further reducing the probability of memory exhaustion.

Problems with this approach:

This is not as performant as with ClamD - a process will be forked each time instead of a permanent / resident one standing ready.
There may be delvery delays if multiple persons get mail simultaneously - the config an/or lock file will disallow delivery for more than one person a time to avoid resource problems. This means this setup is not suitable for high-traffic mail servers as the queue might grow faster than scanning!
Depending on your permission model you might need to set the single mails temporarily world-readable. This is a NO-NO on servers where users log in. OTOH a server with so few memory that it can't spare some MB for permanent Amavis/ClamD installation probably is not used for interactive shells either...
No central configuration. You'll need to configure (or at least copy or symlink) .procmailrc or .mailfilter for each single user. Tip: use the /etc/skel directory.
Mails forwarded by /etc/aliases or similar mechanisms won't get scanned at all.
The sender and in one case neither the recipient will get a notification on that the mail contained a virus. The infected mail gets forwarded to a configurable account, which should be read from a "safe" computer system.

Ergo: do use this recipe only if you are really low on memory and you do not have many users getting mail.

Install ClamScan

ClamScan is the online / on-demand scanner version of the ClamAV suite. There are source and a number of binary packets available as well as a good handbook.

To preserve even more memory, don't run FreshClam as daemon (~900k), but from cron. For this

remove /etc/rc2.d/S20clamav-freshclam
create the file /etc/cron.d/clamav-freshclam as listed below

	# /etc/cron.d/clamav-freshclam
	# freshen signatures every 4 hours
	23 0,4,8,12,16,20  * * *  clamav  /etc/init.d/clamav-freshclam no-daemon

Depending on your system setup now proceed with a procmail- or maildrop-based installation.