ClamAV, a widely adopted free and open-source antivirus software developed by Cisco Talos, will undergo a substantial cleanup of its signature databases in December, marking its largest reduction effort since the project began more than two decades ago.
Cisco Talos, which maintains ClamAV, has evaluated the full signature set and identified large numbers of entries that no longer match any activity in current threat data. These signatures will be retired beginning December 16, 2025, resulting in smaller databases and lower resource usage for users.
The change will have an immediate and measurable impact. The main.cvd file, currently around 163 MB, will shrink to roughly 80 MB. The daily.cvd file, which is 62 MB today, will fall to about 22 MB, so that users will see it is nearly half their current size.
According to Cisco Talos, the goal is to ensure that ClamAV focuses on active threats rather than accumulating signatures that no longer provide meaningful protection. The team will continue monitoring global detection feeds and restoring any retired signatures if they become relevant again.
The signature cleanup is part of a broader effort to reduce infrastructure load. ClamAV will also remove large sets of outdated container images from Docker Hub to eliminate images built on vulnerable base layers and reduce the more than 300 GiB currently hosted there. Going forward, only supported versions will remain available, including 1.5, 1.4 LTS, and 1.0 LTS.
The shorter signature sets are expected to reduce download time, disk space requirements, and memory usage. Cisco anticipates up to a 25% reduction in RAM consumption for some ClamAV deployments—an important improvement for systems with limited resources or heavy scanning workloads.
While some users may wonder whether attackers could revive older malware, Talos notes that any previously retired signature will be reinstated if new activity is observed. Retired signatures will also be made available later for research and special cases.
For more information, see the announcement on ClamAV’s blog.
