diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index 1f5d0d3b5a5..57ff1af2ff6 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -69,6 +69,7 @@ in
     unbound = 48;
     prayer = 49;
     mpd = 50;
+    clamav = 51;
 
     # When adding a uid, make sure it doesn't match an existing gid.
 
@@ -118,6 +119,7 @@ in
     dovecot2 = 46;
     prayer = 49;
     mpd = 50;
+    clamav = 51;
 
     # When adding a gid, make sure it doesn't match an existing uid.
 
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 0b139c95141..a67f8c2f133 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -161,6 +161,7 @@
   ./services/scheduling/atd.nix
   ./services/scheduling/cron.nix
   ./services/scheduling/fcron.nix
+  ./services/security/clamav.nix
   ./services/security/frandom.nix
   ./services/security/tor.nix
   ./services/security/torsocks.nix
diff --git a/modules/services/security/clamav.nix b/modules/services/security/clamav.nix
new file mode 100644
index 00000000000..5ccb4927fcb
--- /dev/null
+++ b/modules/services/security/clamav.nix
@@ -0,0 +1,80 @@
+{ config, pkgs, ... }:
+with pkgs.lib;
+let
+  clamavUser = "clamav";
+  stateDir = "/var/lib/clamav";
+  clamavGroup = clamavUser;
+  cfg = config.services.clamav;
+in
+{
+  ###### interface
+
+  options = {
+
+    services.clamav = {
+      updater = {
+        enable = mkOption {
+          default = false;
+          description = ''
+            Whether to enable automatic ClamAV virus definitions database updates.
+          '';
+        };
+
+        frequency = mkOption {
+          default = 12;
+          description = ''
+            Number of database checks per day.
+          '';
+        };
+
+        config = mkOption {
+          default = "";
+          description = ''
+            Extra configuration for freshclam. Contents will be added verbatim to the
+            configuration file.
+          '';
+        };
+      };
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.updater.enable {
+    environment.systemPackages = [ pkgs.clamav ];
+    users.extraUsers = singleton
+      { name = clamavUser;
+        uid = config.ids.uids.clamav;
+        description = "ClamAV daemon user";
+        home = stateDir;
+      };
+
+    users.extraGroups = singleton
+      { name = clamavGroup;
+        gid = config.ids.gids.clamav;
+      };
+
+    services.clamav.updater.config = ''
+      DatabaseDirectory ${stateDir}
+      Foreground yes
+      Checks ${toString cfg.updater.frequency}
+      DatabaseMirror database.clamav.net
+    '';
+
+    jobs = {
+      clamav_updater = {
+        name = "clamav-updater";
+        startOn = "started network-interfaces";
+        stopOn = "stopping network-interfaces";
+
+        preStart = ''
+          mkdir -m 0755 -p ${stateDir}
+          chown ${clamavUser}:${clamavGroup} ${stateDir}
+        '';
+        exec = "${pkgs.clamav}/bin/freshclam --config-file=${pkgs.writeText "freshclam.conf" cfg.updater.config}";
+      };
+    };
+
+  };
+
+}
\ No newline at end of file
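Review bot: The `clamav_updater` job execs freshclam as root and the generated config never names the unprivileged account, so whether the process that downloads and parses signature files from the network actually drops to the `clamav` user created here depends on freshclam's compiled-in `DatabaseOwner` default rather than on this module; the `chown` in `preStart` only prepares the directory for that drop. Adding `DatabaseOwner ${clamavUser}` to the `services.clamav.updater.config` block next to `DatabaseDirectory ${stateDir}` makes the privilege drop explicit and tied to the user the module defines. Separately, the whole of `cfg.updater.config` is rendered into a world-readable Nix store file via `pkgs.writeText`, so freshclam options that carry credentials (its HTTP proxy username/password settings, if anyone sets them) would be exposed to every local user; the `config` option's description should say so, e.g. `Do not put secrets such as proxy credentials here: the file ends up in the world-readable Nix store.`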