Reducing memory usage: antivirus recommendations

Hi,

I'm currently running an ISPConfig3 setup on a linode with 1.5GB RAM, and it's working pretty good.

However, I'd like to optimise it with an aim of running it on a 1GB linode.

I only have about half a dozen websites with associated email accounts, etc. The websites are mainly Wordpress ones.

If I reboot the node and leave it for a few minutes to settle down, it takes about 1GB RAM, but this often rises to around 1.3 - 1.4GB in use.

Looking at the memory usage, the greediest one seems to be ClamAV running with Amavis-new for scanning email: they seem to eat up to around 400MB between them which seems rather excessivee to me!

Name        Count   CPU     Memory
amavis      3       0%      280 MB
clamd       1       0%      245 MB
apache2     11      0.01%   152 MB
mysqld      1       0.14%   48 MB

So I'm trying to decide what my options are and would really appreciate your thoughts / recommendations.

Do I:

  • Remove all av / amavis packages to free up the ram (but take a risk on virused an wormed emails?

  • Keep what I have but "tune" it. If so, are there many parameters to reduce RAM usage?

  • Change from ClamAV to something else, if so which AV? BTW, ClamAV is currently running as the daemon (clamavd)

  • Something else?

So any ideas on where to go from here?

Thanks in advance,

Xav

6 Replies

I presume you need to handle incoming e-mail? If not (or if you can outsource this to Gmail or someone), then you have no reason to run AV at all. If you do, the best way to avoid content scanning consuming resources is not to do it.

If you are running Postfix, my personal generic recommendation is to set up configuration options (rejectnonfqdnhelohostname, rejectinvalidhelohostname, rejectnonfqdnsender, rejectunknownsenderdomain, rejectunauthpipelining, rejectnonfqdnrecipient, rejectunknownrecipientdomain, rejectunauthdestination, and rejectunlisted_recipient) first, then greylisting.

If that's not sufficient, next I would use a DNS block list (DNSBL), probably zen.spamhaus.org: make sure you read its terms of use first!

Employing content scanning like ClamAV/Amavis/SpamAssassin would be my last step. The fact that most spam is already dealt with by the other measures should reduce the load by itself.

See this thread for a bit more explanation of the above.

Do a quick google on ClamAV detection rates - and you'll be dropping that useless memory hog in a heartbeat.

Assuming you have anything at all AV-wise running at the client level, you won't be increasing your risk factor at all.

Thanks Vance and vonskippy.

After doing a little bit of research, it looks like clamav isn't that effective, or certainly doesn't give you value for memory!

I think amavis will go too as there's no point of having amavis if you don't have some form of AV.

Oh and to answer your questions, yes, the server is a mail server as well as a web server.

Will continue reading, but thanks again for your input. :)

Just a quick update: I've now removed it and have implemented stronger checks on postfix. I can now run it all on my 1GB Linode and swap file is rather small, so will stick to that for the time being.

Thanks again and happy new year :)

Could we limit the Clamav memory usage?

See man ulimit.

-- sw

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct