Couldn't the people who design viruses and spyware exploit ClamWin's open source license and modify the source code so that their particular malware isn't caught by scanning?

No security product is immune from being "cracked," exploited or compromised. Last year Kaspersky have about 12 such "problems," which they promptly corrected. Clam had less than that. I firmly believe that most open source software is as quick, if not quicker, to correct their software than the commercial products. They are certainly more "open" about their problems.

I was recently disappointed about the way the developers of my other virus scanner, Nod32, released a correction to prevent it from being exploited. There were very quiet about it. The correction would have gotten in just like a regular "update," but I saw they had a potential exploit problem according to the Secunia site--never would have known it otherwise.

Software is software--even if it is security software. It is all subject to buffer overflows and other exploits if it is not carefully written, checked, and tested. The developers really can't think of everything. The ClamWin team (as small as it is) has been thinking of ways to "harden" their product. I'm sure they will do a good job.

Regards,

Nobody except ClamWin developers can modify the original installation files which you download from this site, so the answer is no. Being open source does not mean that someone can easily tamper with the software.

Someone could potentially modify the code and distribute it on another site, so make sure you download your ClamWin setup files from the official download page linked from https://www.clamwin.com
Although I must add the same goes for any software open source or not. A hacker can disassemble and modify any code and then distribute it. However it won't be from the official download site.