ClamAV is a decent anti virus scanner for Linux. Unfortunately it does not run every well on low memory systems (<1GB).

Running it’s database update tool freshclam can cause OOM. You will notice this if getting daily cdiff’s keeps failing (see ‘dmesg’ and /var/log/clamdb). These are db differences only instead of full files. The problem is processing these to create whole cvd’s.

If there’s close to enough RAM you could try using cgroups (or systemd) – if thats available, or good old ulimit:

Edit /etc/cron.d/clamav-freshclam and replace whats there with:

29 */1 * * *    clamav [ -x /usr/bin/freshclam ] && { ulimit -Sm 512000; ulimit -Sv 512000; ulimit -Hm 1024000; ulimit -Hv 1024000; /usr/bin/freshclam --quiet; } > /dev/null

But what if you’re on an embedded system or small vps and there’s not even close to 1GB memory available?

Simple, just get the full cvd files instead:

29 */1 * * *     clamav { for i in bytecode.cvd daily.cvd main.cvd; do wget -N -q "http://db.local.clamav.net/$i" -O /var/lib/clamav/$i; done; }  > /dev/null