diff --git a/rspamd/README.md b/rspamd/README.md
index 8699a5bc..344738f7 100644
--- a/rspamd/README.md
+++ b/rspamd/README.md
@@ -35,6 +35,9 @@ Well-known ports
 - `RSPAMD_bypass_score` If undefined (default) bypass rules are applied as
   an accept prefilter. Set to a negative number to turn the rules to ham
   score and run antivirus checks (e.g. `RSPAMD_bypass_score=-5.000`)
+- `RSPAMD_clamavscansize` sets the maximum size (default 2 MB) for
+  email attachments scanned by ClamAV in Rspamd.
+  Attachments larger than this value are skipped to optimize performance.
 
 ## Volumes
 
diff --git a/rspamd/etc/rspamd/local.d/options.inc b/rspamd/etc/rspamd/local.d/options.inc
index 6f993b04..d4813c11 100644
--- a/rspamd/etc/rspamd/local.d/options.inc
+++ b/rspamd/etc/rspamd/local.d/options.inc
@@ -7,3 +7,4 @@ dns {
     retransmits = 5;
     nameserver = ["127.0.0.1:11336:1"]; # local unbound instance
 }
+max_message = 104857600;
diff --git a/rspamd/usr/local/templates/antivirus.conf.j2 b/rspamd/usr/local/templates/antivirus.conf.j2
index bfbabfe5..cfce182f 100644
--- a/rspamd/usr/local/templates/antivirus.conf.j2
+++ b/rspamd/usr/local/templates/antivirus.conf.j2
@@ -7,6 +7,8 @@ clamav {
     servers = "{= env.clamav_endpoint =}";
 
     action = "reject";
+    # If `max_size` is set, messages > n bytes in size are not scanned
+    max_size = {= env.clamavscansize | default(2000000) =};
 
     scan_mime_parts = false;