I’m in doubt about how to scan my Linux system with ClamAV: do I just scan the places where users can upload files (homedirs, their webroots) or do I scan the whole system?
The various sites I’ve read vary in opinion, some say you needn’t scan the Linux-only parts, some say to not scan at all. The latter I’ve already discarded as I think it sensible to at least scan webroots for hosted viruses, but scanning the whole system is still something I am in doubt about.
ClamAV doesn’t do well in many tests of antivirus (percentage detected) – better to find a commercial antivirus with a Linux version that has good ratings on independent tests. See http://www.av-comparatives.org/en/comparativesreviews – however http://www.shadowserver.org/wiki/pmwiki.php/Stats/VirusYearlyStats shows it’s in about the middle of the pack.
ClamAV won’t find the most common sort of malware present on Linux web servers, namely web-based malware that compromises the website, rather than the web server itself. You can use LMD to find such malware typically: http://www.rfxn.com/projects/linux-malware-detect/
Since viruses affecting the Linux OS are rare to non-existent, I would focus antivirus scans (ClamAV or other) on areas where Mac/Windows files could be uploaded, and run LMD over all web roots.
You might want to also set chkrootkit and rkhunter to scan the whole system for known rootkits.
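The scan scoping recommended in the answer above, as an added example that is not part of the original thread: ClamAV over upload areas (home directories and web roots), LMD over web roots, and rkhunter plus chkrootkit over the whole system. The `/var/www` layout, the UID threshold of 1000 and all function names are assumptions; the script prints its plan by default and only runs the scanners when called with `--run`.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed layout: sites are directories
# directly under /var/www, and regular accounts have UID >= 1000.
WEBROOT_BASE="${WEBROOT_BASE:-/var/www}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
MIN_UID="${MIN_UID:-1000}"

# Existing home directories of regular accounts (skips system users, nobody).
upload_homes() {
    awk -F: -v min="$MIN_UID" '$3+0 >= min+0 && $3 != 65534 { print $6 }' \
        "$PASSWD_FILE" |
    while IFS= read -r d; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# One web root per directory directly under WEBROOT_BASE.
web_roots() {
    for d in "$WEBROOT_BASE"/*/; do
        if [ -d "$d" ]; then printf '%s\n' "${d%/}"; fi
    done
}

# Emit "tool<TAB>target" lines: ClamAV on every upload area, LMD on web
# roots only, and a single system-wide rootkit pass at the end.
scan_plan() {
    { upload_homes; web_roots; } |
        while IFS= read -r d; do printf 'clamav\t%s\n' "$d"; done
    web_roots | while IFS= read -r d; do printf 'lmd\t%s\n' "$d"; done
    printf 'rootkit\t/\n'
}

# Execute the plan; stdin is detached so no scanner waits for a keypress.
run_plan() {
    tab=$(printf '\t')
    scan_plan | while IFS="$tab" read -r tool target; do
        case "$tool" in
            clamav)  clamscan -r --infected "$target" </dev/null ;;
            lmd)     maldet -a "$target" </dev/null ;;
            rootkit) rkhunter --check --skip-keypress </dev/null
                     chkrootkit </dev/null ;;
        esac
    done
}

if [ "${1:-}" = "--run" ]; then run_plan; else scan_plan; fi
```

Reviewing the printed plan before using `--run` shows exactly which directories each tool will touch, which is the scoping decision the question is about.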