diff --git a/clamd/clamav-daemon.service.in b/clamd/clamav-daemon.service.in
index d4391a1cf9..e1505429b6 100644
--- a/clamd/clamav-daemon.service.in
+++ b/clamd/clamav-daemon.service.in
@@ -7,6 +7,12 @@ ConditionPathExistsGlob=@DATADIR@/main.{c[vl]d,inc}
 ConditionPathExistsGlob=@DATADIR@/daily.{c[vl]d,inc}
 
 [Service]
+Type=simple
+# WARNING: Must match clamd.conf directive
+User=clamav
+Group=clamav
+;DynamicUser=yes
+;ExecStartPre=/usr/bin/install --owner=root --group=root --mode=640 --directory /var/local/quarantine
 ExecStart=@prefix@/sbin/clamd --foreground=true
 # Reload the database
 ExecReload=/bin/kill -USR2 $MAINPID
@@ -14,30 +20,52 @@ TimeoutStartSec=420
 LogsDirectory=clamav
 ConfigurationDirectory=clamav
 
-##
-## Security Hardening Options
-##
+#============================#
+# Security Hardening Options #
+#============================#
+NoNewPrivileges=yes
+;PrivateUsers=no
 
 # Remove `ProtectSystem`, `ProtectHome`, and `ReadWritePaths`
-# if you want ClamAV to be able to remove infected files.
+# if you want ClamAV to be able to quarantine (`--move`) infected files.
 ProtectSystem=strict
 ProtectHome=read-only
-ReadWritePaths=/var/log/clamav /run /var/run
+PrivateTmp=yes
+PrivateDevices=yes
+ReadWritePaths=/var/log/clamav /run/clamav /var/run/clamav
 
 NoExecPaths=/
-# If you want to run commands or execute binaries on event,
-# append the full path of the binary or executable to `ExecPaths`
-# Commonly, this is used for `VirusEvent` in clamd.conf or `VirusAction`
-# in clamav-milter.conf.The binaries must be space separated like so:
-;ExecPaths=@prefix@/sbin/clamd /bin/kill /usr/local/bin/send_sms /usr/local/bin/my_infected_message_handler
-ExecPaths=@prefix@/sbin/clamd @CMAKE_INSTALL_FULL_LIBDIR@ /bin/kill
+# WARNING: To execute targets of `VirusEvent` and `VirusAction` directives
+# in the configuration, whitelist them in ExecPaths.
+;ExecPaths=@prefix@/sbin/clamd /usr/local/bin/send_sms /usr/local/bin/my_infected_message_handler
+ExecPaths=@prefix@/sbin/clamd @CMAKE_INSTALL_FULL_LIBDIR@ /bin/kill /usr/bin/install
 
 ProtectClock=yes
+ProtectHostname=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 ProtectKernelLogs=yes
 ProtectControlGroups=yes
-PrivateTmp=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+
+PrivateNetwork=yes
+IPAddressDeny=any
+RestrictAddressFamilies=none
+
+# ProtectProc is only effective if:
+# (1) Service is a system service and not a user service.
+# (2) CAP_SYS_PTRACE is restricted and
+# (3) Service user is non-root.
+ProtectProc=invisible
+ProcSubset=pid
+
+CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_MKNOD
+RestrictNamespaces=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap
 
 [Install]
 WantedBy=multi-user.target
diff --git a/clamonacc/clamav-clamonacc.service.in b/clamonacc/clamav-clamonacc.service.in
index e0d4b73de5..519758f732 100644
--- a/clamonacc/clamav-clamonacc.service.in
+++ b/clamonacc/clamav-clamonacc.service.in
@@ -9,31 +9,63 @@ After=clamav-daemon.service syslog.target network.target
 
 [Service]
 Type=simple
+# WARNING: Must match clamd.conf directive
 User=root
-ExecStartPre=/usr/bin/install --owner=root --group=root --directory /var/local/quarantine
+Group=root
+;DynamicUser=yes
+ExecStartPre=/usr/bin/install --owner=root --group=root --mode=640 --directory /var/local/quarantine
 ExecStart=@prefix@/sbin/clamonacc --foreground --log=/var/log/clamav/clamonacc.log --move=/var/local/quarantine --ping 120 --wait
 ExecReload=/bin/kill -SIGHUP $MAINPID
 ExecStop=/bin/kill -SIGTERM $MAINPID
 LogsDirectory=clamav
 ConfigurationDirectory=clamav
 
-##
-## Security Hardening Options
-##
-ProtectClock=yes
-ProtectKernelTunables=yes
-ProtectKernelModules=yes
-ProtectKernelLogs=yes
-ProtectControlGroups=yes
-NoExecPaths=/
-ExecPaths=@prefix@/sbin/clamonacc @CMAKE_INSTALL_FULL_LIBDIR@ /bin/kill /usr/bin/install
+#============================#
+# Security Hardening Options #
+#============================#
+NoNewPrivileges=yes
+;PrivateUsers=no
 
 # Remove `ProtectSystem`, `ProtectHome`, and `ReadWritePaths` if you
 # want ClamAV to be able to quarantine or remove infected files.
 ProtectSystem=strict
 ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
 ReadWritePaths=/var/log/clamav /var/local/quarantine
 
+NoExecPaths=/
+# WARNING: To execute targets of `VirusEvent` and `VirusAction` directives
+# in the cofiguration, whitelist them in ExecPaths.
+ExecPaths=@prefix@/sbin/clamonacc @CMAKE_INSTALL_FULL_LIBDIR@ /bin/kill /usr/bin/install
+
+ProtectClock=yes
+ProtectHostname=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+
+PrivateNetwork=yes
+IPAddressDeny=any
+RestrictAddressFamilies=none
+
+# ProtectProc is only effective if:
+# (1) Service is a system service and not a user service.
+# (2) CAP_SYS_PTRACE is restricted and
+# (3) Service user is non-root.
+ProtectProc=invisible
+ProcSubset=pid
+
+CapabilityBoundingset=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_MKNOD
+RestrictNamespaces=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap
+
 [Install]
 WantedBy=multi-user.target
 Alias=clamonacc.service
diff --git a/freshclam/clamav-freshclam.service.in b/freshclam/clamav-freshclam.service.in
index 1b353ffd4e..a52ae16fbb 100644
--- a/freshclam/clamav-freshclam.service.in
+++ b/freshclam/clamav-freshclam.service.in
@@ -7,29 +7,55 @@ Wants=network-online.target
 After=network-online.target
 
 [Service]
+Type=simple
+# WARNING: Must match clamd.conf directive
+User=clamav
+Group=clamav
+;DynamicUser=yes
 ExecStart=@prefix@/bin/freshclam -d --foreground=true
 LogsDirectory=clamav
 ConfigurationDirectory=clamav
 
-##
-## Security Hardening Options
-##
+#============================#
+# Security Hardening Options #
+#============================#
+NoNewPrivileges=yes
+;PrivateUsers=no
+
 ProtectSystem=full
 ProtectHome=tmpfs
+PrivateTmp=yes
+PrivateDevices=yes
+ReadWritePaths=@DATADIR@ /var/log/clamav
+
+NoExecPaths=/
+# WARNING: To execute targets of `OnUpdateExecute`, `OnErrorExecute` and `OnOutdatedExecute`
+# directives in freshclam.conf, whitelist them in ExecPaths.
+;ExecPaths=@prefix@/sbin/freshclam /usr/local/bin/OnOutdated.sh /usr/local/bin/OnErrorExecute.sh
+ExecPaths=@prefix@/bin/freshclam
+
 ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 ProtectKernelLogs=yes
 ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
 
-NoExecPaths=/
-# If you want to run commands on event, append the full path of the command or
-# executable to `ExecPaths`. Commonly, this is used for `OnUpdateExecute`,
-# `OnErrorExecute`, and `OnOutdatedExecute` options in freshclam.conf. Make sure
-# there is only one `ExecPaths` option. The binaries must be space separated like so:
-;ExecPaths=@prefix@/sbin/freshclam /usr/local/bin/OnOutdated.sh /usr/local/bin/OnErrorExecute.sh
-ExecPaths=@prefix@/bin/freshclam
-ReadWritePaths=@DATADIR@ /var/log/clamav
+PrivateNetwork=no
+IPAddressAllow=any
+RestrictAddressFamilies=AF_INET AF_INET6
+
+ProtectProc=noaccess
+ProcSubset=pid
+
+CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_MKNOD
+RestrictNamespaces=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap
 
 [Install]
 WantedBy=multi-user.target
+Alias=freshclam.service