Port 80 is a standard port ClamAV uses for specific AV updates.

CAS 

It's important to note that ClamAV defines this, for their updates, and not Symantec/Broadcom. ClamAV requires only HTTP access to update the signature database. Analysis is performed locally on the appliance. This is by ClamAV design.

As already shared above, there is no security issue here, since the analysis happens only locally on the appliance.

Ref. doc.: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-1/ca_security.html 

Note: The same applies to the Symantec live updates, and other usages, as documented in the referenced Tech. doc. These are all by design, and there are no security issues, since the appliance does analysis only locally. The specific updates will work only with HTTP, and there are no other options.