Leonardo Rodrigues wrote:

    the databases are digitally signed, and any modification, such in
a man-in-the-middle attack, would break the signature and freshclam
would refuse to run the files.

Sounds good. Can you please explain how this works in detail?

Apt places GPG keys in the system and uses them to verify downloaded data.

It doesn't seem that ClamAV placed any GPG keys in my system. So how is the verification happening?

The .cvd files have an internal cryptographic signature that's
checked by freshclam and clamd/clamscan.  If freshclam and/or clamd
accepts the files, you can be assured they are official and
unmodified.  This is built into clam; no external tools are called.

-- 
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.44.39.76.46
E-mail : aj@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom

Securiteinfo.com
La Sécurité Informatique - La Sécurité des Informations.
266, rue de Villers
60123 Bonneuil en Valois