I’ve never even considered ClamAV. I have the idea that it’s just a malware signature DB (changing the signature of a binary is almost as simple as recompiling it with a bit different variables)

Am I incorrect? does it have heruistics/active scanning?