Goodbye, clamav

Today I removed clamav from my VPS, where it was built into the mail service I run. There are a small number of users and a few thousand messages a week, and I liked that I was probably offering some small protection to those people. However, all of them have endpoint anti-virus and most are wise enough to know about malicious email attachments.

I have been using clamav for a number of years, and when I first started, the VPS had only 384MB of RAM. Over time the memory available has increased (to 1GB currently) but unfortunately so has the memory consumed by the clamav daemon.

I was encouraged to sort out memory usage after the OOM killer emailed me a few times to say it had kicked in and reaped some unlucky processes. Microsoft Security Essentials had also quarantined a few emails that made it to my spam folder, suggesting that clamav was missing dodgy emails.

Below is a graph from munin showing memory usage before and after I disabled clamav.

(Graph: memory usage after disabling clamav)

The important bit is the solid green area at the bottom, which represents memory used by applications. That’s over 300MB saved by stopping clamav, by far the biggest memory hog ahead of other daemons like Apache2 and MySQL.

After some digging I found that 580 messages had been blocked in the past week solely by clamav. Of these, 534 matched the rule Suspect.DoubleExtension-zippwd-15, two were actual trojans and the rest matched rules from Sanesecurity or ScamNailer.

In excess of three hundred megabytes to look inside ZIP files and check for double extensions is unimpressive, especially as I also run SpamAssassin and dspam, which should be handling some of the scam mails.

I will look to implement some other form of scanning for ZIP files containing unusual extensions (such as .doc.exe) but, unless the daemon massively reduces in size, this won’t involve clamav.
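As an added example, not the author's replacement scanner (the post says that is still to be written), here is a small Python check in the spirit of the clamav double-extension and password-protected-ZIP rules: it lists the members of a ZIP attachment and flags names like invoice.doc.exe, including the whitespace-padded variant, plus any member whose encryption flag is set. The extension lists and the sample archive are constructed assumptions, not clamav's signatures.

```python
import io
import re
import zipfile

# Constructed lists (assumption, not clamav's signature): extensions a recipient
# reads as "a document", and extensions Windows will execute when double-clicked.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png", "htm", "html"}
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta"}


def suspicious_zip_entries(zip_bytes: bytes) -> list:
    """Return findings for one ZIP attachment; an empty list means nothing matched."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    for info in zf.infolist():
        if info.is_dir():
            continue
        # Look only at the file name, and drop whitespace so that padding tricks
        # such as "report.pdf      .scr" still split into the same parts.
        name = re.sub(r"\s+", "", info.filename.rsplit("/", 1)[-1]).lower()
        parts = name.split(".")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and parts[-1] in EXECUTABLE_EXTS:
            findings.append(f"double extension: {info.filename}")
        # General-purpose flag bit 0 marks an encrypted member: its content cannot
        # be scanned, which is the situation the zippwd rule reacts to.
        if info.flag_bits & 0x1:
            findings.append(f"password-protected entry: {info.filename}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: two disguised executables, one benign file, and one
    member whose encryption flag is set by hand (no real encryption) to exercise
    the check. The flag edit is written to the central directory on close."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc.exe", b"MZ not really a program")
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("report.pdf      .scr", b"MZ not really a program either")
        zf.writestr("secret.zip", b"PK not really an archive")
        zf.getinfo("secret.zip").flag_bits |= 0x1
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_zip_entries(build_sample_zip()):
        print(finding)
```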

David Cannings