diff --git a/setup/install-modules.sh b/setup/install-modules.sh
index 9d0651b..e951132 100755
--- a/setup/install-modules.sh
+++ b/setup/install-modules.sh
@@ -93,6 +93,7 @@ count_steps() {
     [[ "$sel" == *"llama-cpp"*       ]] && TOTAL=$(( TOTAL + 1 ))
     [[ "$sel" == *"open-webui"*      ]] && TOTAL=$(( TOTAL + 1 ))
     [[ "$sel" == *"claude"*          ]] && TOTAL=$(( TOTAL + 1 ))
+    [[ "$sel" == *"anti-malware"*     ]] && TOTAL=$(( TOTAL + 1 ))
     [[ "$sel" == *"networking-cli"*  ]] && TOTAL=$(( TOTAL + 1 ))
     [[ "$sel" == *"disk-recovery"*   ]] && TOTAL=$(( TOTAL + 1 ))
     [[ "$sel" == *"himalaya"*        ]] && TOTAL=$(( TOTAL + 1 ))
@@ -176,6 +177,7 @@ SELECTED=$(dialog --backtitle "$BACKTITLE" \
     "llama-cpp"       "llama.cpp         standalone inference CLI + server"      off \
     "open-webui"      "Open WebUI        browser UI for Ollama / LLM backends"  off \
     "claude"          "Claude Code       Anthropic CLI via npm"                 off \
+    "anti-malware"    "Anti-Malware      clamav · clamtk · rkhunter · chkrootkit" off \
     "networking-cli"  "Networking CLI    nmap · nethogs · mitmproxy · httpie"  off \
     "disk-recovery"   "Disk Recovery     ddrescue · f3"                         off \
     "himalaya"        "Himalaya          terminal email client (AUR)"           off \
@@ -241,6 +243,7 @@ SUMMARY=""
 [[ "$SELECTED" == *"llama-cpp"*      ]] && SUMMARY+="  ✦ llama.cpp\n"
 [[ "$SELECTED" == *"open-webui"*     ]] && SUMMARY+="  ✦ Open WebUI\n"
 [[ "$SELECTED" == *"claude"*         ]] && SUMMARY+="  ✦ Claude Code\n"
+[[ "$SELECTED" == *"anti-malware"*   ]] && SUMMARY+="  ✦ Anti-Malware (clamav, clamtk, rkhunter, chkrootkit)\n"
 [[ "$SELECTED" == *"networking-cli"* ]] && SUMMARY+="  ✦ Networking CLI (nmap, nethogs, mitmproxy, httpie)\n"
 [[ "$SELECTED" == *"disk-recovery"*  ]] && SUMMARY+="  ✦ Disk Recovery (ddrescue, f3)\n"
 [[ "$SELECTED" == *"himalaya"*       ]] && SUMMARY+="  ✦ Himalaya\n"
@@ -307,6 +310,7 @@ DE_DIR="$MODULES/Desktop-Environments"
 [[ "$SELECTED" == *"llama-cpp"*      ]] && run_module "llama.cpp"         "$APPS/llama-cpp.sh"
 [[ "$SELECTED" == *"open-webui"*     ]] && run_module "Open WebUI"        "$APPS/open-webui.sh"
 [[ "$SELECTED" == *"claude"*         ]] && run_module "Claude Code"       "$APPS/claude.sh"
+[[ "$SELECTED" == *"anti-malware"*   ]] && run_module "Anti-Malware"      "$APPS/anti-malware.sh"
 [[ "$SELECTED" == *"networking-cli"* ]] && run_module "Networking CLI"    "$APPS/networking-cli.sh"
 [[ "$SELECTED" == *"disk-recovery"*  ]] && run_module "Disk Recovery"     "$APPS/disk-recovery.sh"
 [[ "$SELECTED" == *"himalaya"*       ]] && run_module "Himalaya"          "$APPS/himalaya.sh"
diff --git a/setup/modules/optional-Modules/apps/anti-malware.sh b/setup/modules/optional-Modules/apps/anti-malware.sh
new file mode 100644
index 0000000..07bae0a
--- /dev/null
+++ b/setup/modules/optional-Modules/apps/anti-malware.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -euo pipefail
+
+sudo pacman -S --noconfirm --needed \
+    clamav clamtk rkhunter
+
+yay -S --aur --noconfirm --needed chkrootkit
+
+# initialise ClamAV database (first run)
+if [[ ! -f /var/lib/clamav/main.cvd ]] && [[ ! -f /var/lib/clamav/main.cld ]]; then
+    echo "Running initial freshclam..."
+    sudo freshclam
+fi
+
+# cron job: update virus definitions twice a day
+CRON_FILE=/etc/cron.d/freshclam
+if [[ ! -f "$CRON_FILE" ]]; then
+    echo "Installing freshclam cron job..."
+    sudo tee "$CRON_FILE" > /dev/null <<'EOF'
+# Update ClamAV virus definitions twice a day
+0 */12 * * * root /usr/bin/freshclam --quiet 2>/dev/null
+EOF
+    sudo chmod 644 "$CRON_FILE"
+fi