clamav is updated following upstream releases. Independent of solving security
issues, clamav needs a current runtime to be able to parse all malware
signatures.

The security team updates clamav via {old,}stable-updates.

https://lists.debian.org/debian-lts/2018/03/msg00033.html