We’re being hammered by loads of vicious email trojans, which mutate fast. I’ve resorted to adding manual blocks in Exim because ClamAV isn’t keeping up.
Just now I was very puzzled that freshclam wasn’t downloading the latest version of the virus database. It turns out that although I have told it to poll 100 times a day (about every 15 minutes), freshclam uses the DNS to check what is the latest version, and the TTL on the relevant DNS record is 30 minutes.