When you install things the first time you get the current packages from the archive and they will start updating definitions in the background. You'd see something like this in the log Jan 02 12:01:24 f freshclam[3128]: Tue Jan 2 12:01:24 2024 -> ^Your ClamAV installation is OUTDATED! Jan 02 12:01:24 f freshclam[3128]: Tue Jan 2 12:01:24 2024 -> ^Local version: 0.103.9 Recommended version: 0.103.11 Jan 02 12:01:24 f freshclam[3128]: Tue Jan 2 12:01:24 2024 -> DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html Two things can be updated: #1 The program version This is regularly updated, usually when there is a real problem (SRU) or security issue. You can see that in [1] and e.g. as this is for focal see how it changed over the years from 0.102.2+dfsg-2ubuntu1 to 0.103.9+dfsg-0ubuntu0.20.04.1. This will continue to happen, but as I said not just for fun but on real issues (users appreciate stability as well). #2 the definitions This is exactly what freshclam does ... $ systemctl status clamav-freshclam.service ... Jan 02 12:01:24 f freshclam[3128]: Tue Jan 2 12:01:24 2024 -> daily database available for download (remote version: 27142) Jan 02 12:01:33 f freshclam[3128]: Tue Jan 2 12:01:33 2024 -> Testing database: '/var/lib/clamav/tmp.4e9c5b0713/clamav-9207ebd076a9f486650f6f56e16e2946.tmp-daily.cvd' ... Jan 02 12:01:39 f freshclam[3128]: Tue Jan 2 12:01:39 2024 -> Database test passed. Jan 02 12:01:39 f freshclam[3128]: Tue Jan 2 12:01:39 2024 -> daily.cvd updated (version: 27142, sigs: 2050085, f-level: 90, builder: raynman) Jan 02 12:01:39 f freshclam[3128]: Tue Jan 2 12:01:39 2024 -> main database available for download (remote version: 62) Jan 02 12:02:03 f freshclam[3128]: Tue Jan 2 12:02:03 2024 -> Testing database: '/var/lib/clamav/tmp.4e9c5b0713/clamav-1136c9f80d7afd14a1faaf58bea4ac66.tmp-main.cvd' ... Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> Database test passed. Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr) Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> bytecode database available for download (remote version: 334) Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> Testing database: '/var/lib/clamav/tmp.4e9c5b0713/clamav-5166218e129a54860e985aa9ae7009e1.tmp-bytecode.cvd' ... Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> Database test passed. Jan 02 12:02:10 f freshclam[3128]: Tue Jan 2 12:02:10 2024 -> bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg) And it does so regularly ~24 times a day in the default config. After this update nothing complains anymore. I can run e.g. clamscan without any notions of not being up to date. root@f:~# clamscan /tmp/ ----------- SCAN SUMMARY ----------- Known viruses: 8681833 Engine version: 0.103.9 Scanned directories: 1 Scanned files: 0 Infected files: 0 Data scanned: 0.00 MB Data read: 0.00 MB (ratio 0.00:1) Time: 18.811 sec (0 m 18 s) Start Date: 2024:01:02 12:07:13 End Date: 2024:01:02 12:07:32 And as shown in the freshclam log it started with old content as expected and automatically updated it. And it would continue to do so. The only thing left not on the very most recent version are the program binaries, but as I said those are only updated for real issues and not on any version that appears. Functional updates have to follow the SRU policy [2] and CVE related fixes usually bump to the latest version as you can see in [1] and you could check individual CVE from being created to triage to fixes at [3] (Link configured for focal as this was how the bug was opened) [1]: https://launchpad.net/ubuntu/+source/clamav/+publishinghistory [2]: https://wiki.ubuntu.com/StableReleaseUpdates [3]: https://ubuntu.com/security/cves?q=&package=clamav&priority=&version=focal&status=