We're investigating applications that seem to use large amounts of memory, one of those being clamav. We noticed that there are lots of AV definitions for Windows, OSX, xls, doc, rtf etc. in /var/lib/clamav/main.cld that we shouldn't need to load, since we are only scanning Linux machines (SLES 15). We run clamscan hourly, and each time it loads the virus definitions into memory it loads all of these ones that don't apply to our systems, eating up a bunch of memory and causing clamscan to eventually either be killed or kill a different process (we're working with limited RAM, 2GB). We tried removing all the lines in main.cld that contain Win|Osx|java|xls|doc|pdf|andr|rtf|swf, but that caused the file to be malformed and clamscan threw an error message that looked like this:
Starting Clam AntiVirus Daemon: LibClamAV Error: cli_cvdload: Corrupted CVD header
LibClamAV Error: Can't load /var/lib/clamav/main.cvd: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/main.cvd
Is there a way to get a Linux-only virus definition set (something like this for Cisco AMP: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/214655-amp-for-endpoints-clamav-virus-definiti.pdf), or a way to properly edit those .cld files? I also saw that you can define your own set of definitions, but haven't found much info around that.
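As an added example (not part of the question and not ClamAV's own tooling): the CVD/CLD container is signed, so editing it in place trips the header check seen above; a filter has to run on the plain signature files that `sigtool --unpack` extracts instead. The script below keeps only signatures whose ClamAV target type can occur on a Linux host; the sample signature lines are constructed, and the /var/lib/clamav-linux directory is an assumed location.

```shell
#!/bin/sh
# Added example (not from the post): keep only the signatures whose target
# file type can occur on a Linux host, using plain awk over the unpacked
# signature files. sigtool/clamscan are only needed for the real run at the end.
# .ndb/.ldb target types: 0=any, 1=PE, 2=OLE2, 3=HTML, 4=Mail, 5=Graphics,
# 6=ELF, 7=ASCII, 9=Mach-O, 10=PDF, 11=Flash, 12=Java.
KEEP_TARGETS='0 6 7'   # any-type, ELF and normalized-text signatures

# .ndb line: Name:TargetType:Offset:HexSig
filter_ndb() {
    awk -F: -v keep="$KEEP_TARGETS" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^#/ || NF < 4 { next }
        ($2 in ok) { print }'
}

# .ldb line: Name;TargetDescriptionBlock;LogicalExpression;Subsig0;...
# The block carries "Target:N"; when it is absent the signature is any-type.
filter_ldb() {
    awk -F';' -v keep="$KEEP_TARGETS" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^#/ || NF < 3 { next }
        { t = "0"
          if (match($2, /Target:[0-9]+/)) t = substr($2, RSTART + 7, RLENGTH - 7)
          if (t in ok) print }'
}

# Constructed sample lines (placeholder hex, not real signatures).
SAMPLE_NDB='Win.Trojan.Sample-1:1:*:deadbeef
Unix.Trojan.Sample-2:6:*:cafebabe
Osx.Trojan.Sample-3:9:*:feedface
Txt.Phish.Sample-4:0:*:0badf00d'
SAMPLE_LDB='Win.Dropper.Sample-5;Engine:51-255,Target:1;0&1;aabb;ccdd
Unix.Malware.Sample-6;Engine:51-255,Target:6;0&1;eeff;0011
Multios.Sample-7;Engine:51-255;0;2233'

# Helpers returning how many sample lines survive each filter (2 and 2 expected).
count_kept_ndb() { printf '%s\n' "$SAMPLE_NDB" | filter_ndb | wc -l | tr -d ' '; }
count_kept_ldb() { printf '%s\n' "$SAMPLE_LDB" | filter_ldb | wc -l | tr -d ' '; }

# Real workflow once the filters look right (needs ClamAV's sigtool; assumed path):
#   mkdir -p /var/lib/clamav-linux && cd /var/lib/clamav-linux
#   sigtool --unpack /var/lib/clamav/main.cld     # yields main.ndb, main.ldb, ...
#   filter_ndb < main.ndb > linux.ndb && filter_ldb < main.ldb > linux.ldb
#   clamscan -d /var/lib/clamav-linux /path/to/scan
echo "ndb kept: $(count_kept_ndb), ldb kept: $(count_kept_ldb)"
```

The same treatment is needed for daily.cld and has to be repeated after every freshclam update, since the filtered files are no longer refreshed by it. Be aware of the trade-off: dropping the Windows and Office signatures means malware merely stored on the Linux host (a file share, a mail spool) will no longer be detected there.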