Heads up for fellow clamd users:
I got an alert this morning that my Linode was using lots of CPU. Investigation of the logs showed clamd constantly restarting, which causes it to re-parse its AV database and use a lot of memory. Some investigation revealed that there's a new feature to reload new virus definitions in parallel to avoid stopping the scanner, but it takes twice as much memory. I'm now fixing my clamd config to use the new setting to disable this. Details here:
Short answer: Add "ConcurrentDatabaseReload no" to your config file.
(For RH-based systems, look in /usr/share/doc/clamd-*/clamd.conf for the latest sample config with comments. Your old config in /etc/clamd.d may be missing important new settings.)
Thanks for taking the time to investigate this and then post your findings here, @scratchmonkey. This is certainly something I could see affecting customers using some of the smaller Linode plans that have only 1 core of memory. Gonna go check all of my Nanodes that have ClamAV running on cron jobs.
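For checking several hosts or config files for the setting discussed in this thread, here is an added example (not from either poster, and not ClamAV's own tooling). The function names `cdr_state` and `audit_clamd_configs` are hypothetical, the sample configs are constructed, and it assumes one `Option value` pair per line, with `no`, `false` or `0` meaning off and a missing line counted as still on, since the fix above is to add the line.

```shell
#!/bin/sh
# Added example: report how each clamd config file sets ConcurrentDatabaseReload.
# Assumptions: "#" at the start of a line is a comment, and the last
# uncommented occurrence of the option is the one reported.

cdr_state() {
    # Prints one of: disabled | enabled | unset | unreadable
    [ -r "$1" ] || { echo unreadable; return 0; }
    awk '
        /^[ \t]*#/ { next }                                   # skip comment lines
        $1 == "ConcurrentDatabaseReload" { v = tolower($2) }  # remember last value
        END {
            if (v == "")                                    print "unset"
            else if (v == "no" || v == "false" || v == "0") print "disabled"
            else                                            print "enabled"
        }' "$1"
}

audit_clamd_configs() {
    # Prints one line per file; returns 1 if any file leaves concurrent reload on.
    rc=0
    for f in "$@"; do
        s=$(cdr_state "$f")
        printf '%-10s %s\n' "$s" "$f"
        case "$s" in enabled|unset) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample configs so the script runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'LogSyslog yes' '#ConcurrentDatabaseReload no' > "$demo_dir/old.conf"
printf '%s\n' 'LogSyslog yes' 'ConcurrentDatabaseReload no'  > "$demo_dir/fixed.conf"
printf '%s\n' 'ConcurrentDatabaseReload yes'                 > "$demo_dir/explicit.conf"

audit_clamd_configs "$demo_dir"/*.conf \
    || echo "at least one config still has concurrent reload on"
```

On a real host, point `audit_clamd_configs` at the files under /etc/clamd.d instead of the demo directory; a commented-out line, as in the shipped sample config, is reported as `unset`.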