I have a number of questions regarding usage of ClamAV to investigate to ensure it meets our security, alerting and incident requirements for use in our AMI builds and greatly appreciate feedback on this:

How virus definitions are applied?
Is Internet access required to receive update?
How is the lifecycle of the AMI managed for AV / Malware?
How are detected events received and where are they sent?
Is there a list of OS that it covers?

Regards,