Symptoms
clamd will not start:
# /scripts/restartsrv_clamd --status
(XID c76xrv) The “clamd” service is down.
Description
clamd requires a lot of RAM to start. cPanel recommends that your server has at least 3 GB of RAM if you intend to use clamd. In most cases, if clamd will not start, it's due to not having enough RAM allocated to the server. If the Linux kernel runs out of memory, it will begin killing processes to prevent the server from crashing.
You can determine if this is happening by checking the system logs.
CentOS 6
# grep OOM /var/log/messages
Jun 21 02:05:47 test.example.com kernel: OOM killed process 16782 (clamd) total-vm:1075256kB, anon-rss:946176kB, file-rss:8kB
CentOS 7
You can use the method above to check for the OOM messages; however, if you suspect this is happening, but it's not logged in the system log, you should check the kernel log using journalctl:
# journalctl -k | grep OOM
Jun 21 02:05:47 test.example.com kernel: OOM killed process 16782 (clamd) total-vm:1075256kB, anon-rss:946176kB, file-rss:8kB
If you're not using persistent logging in journald, you will only see kernel entries from the latest boot.
You can also enable clamd logging following this article: How can I enable logging for ClamAV?
In the logs, you will see the following when there's not enough RAM available:
+++ Started at Tue Jun 22 13:25:44 2021 Received 0 file descriptor(s) from systemd. clamd daemon 0.101.5 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64) Log file size limited to 2097152 bytes. Reading databases from /usr/local/cpanel/3rdparty/share/clamav Not loading PUA signatures. Not loading phishing signatures. Bytecode: Security mode set to "TrustSigned". Disabling URL based phishing detection. Loaded 8540474 signatures. LOCAL: Unix socket file /var/clamd LOCAL: Setting connection queue length to 200 ERROR: daemonize() failed: Cannot allocate memory Socket file removed.
Workaround
Increase the amount of RAM allocated to your server.