clamav is updated following upstream releases. Independent of solving security
issues, clamav needs a current runtime to be able to parse all malware
signatures.
The security team updates clamav via {old,}stable-updates.
https://lists.debian.org/debian-lts/2018/03/msg00033.html