The ClamAV Active Malware Report that was introduced in ClamAV 0.94.1 uses
freshclam to send summary data to our server about the malware that has
been detected. This data is then used to generate real-time reports on
active malware. These reports, along with geographical and historic trends,
will be published on http://www.clamav.net/.
The more data that we receive from ClamAV users, the more reports, and the better the quality of the reports, will be. To enable the submission of data to us for use in the Active Malware Report, enable SubmitDetectionStats in freshclam.conf, and LogTime and LogFile in clamd.conf. You should only enable this feature if you're running clamd to scan incoming data in your environment.
The only private data that is transferred is an IP address, which is used to create the geographical data. The size of the data that is sent is small; it contains just the filename, malware name and time of detection. The data is sent in sets of 10 records, up to 50 records per session. For example, if you have 45 new records, then freshclam will submit 40; if 78 then it will submit the latest 50 entries; and if you have 9 records no statistics will be sent.