Mar 20, 2012
tom

Scan whole system or just user dirs with ClamAV

Question

I’m in doubt about how to scan my Linux system with ClamAV: do I just scan the places where users can upload files (homedirs, their webroots) or do I scan the whole system?

The various sites I’ve read vary in opinion, some say you needn’t scan the Linux-only parts, some say to not scan at all. The latter I’ve already discarded as I think it sensible to at least scan webroots for hosted viruses, but scanning the whole system is still something I am in doubt about.

Asked by datadevil

Answer

ClamAV doesn’t do well in many tests of antivirus (percentage detected) – better to find a commercial antivirus with a Linux version that has good ratings on independent tests. See http://www.av-comparatives.org/en/comparativesreviews – however, http://www.shadowserver.org/wiki/pmwiki.php/Stats/VirusYearlyStats shows it’s in about the middle of the pack.

ClamAV won’t find the most common sort of malware present on Linux web servers, namely web-based malware that compromises the website, rather than the web server itself. You can use LMD to find such malware typically: http://www.rfxn.com/projects/linux-malware-detect/

Since viruses affecting the Linux OS are rare to non-existent, I would focus antivirus scans (ClamAV or other) on areas where Mac/Windows files could be uploaded, and run LMD over all web roots.

You might want to also set chkrootkit and rkhunter to scan the whole system for known rootkits.

Answered by RichVel
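
The scoping described in the answer, as an added example that is not part of RichVel's post: ClamAV over upload areas only, LMD (`maldet`) over web roots, and the rootkit checkers over the whole system. The directory paths, the function names `scan_plan` and `run_plan`, and the `DRY_RUN` switch are assumptions made for illustration; paths are assumed to contain no spaces and the four tools are assumed to be installed and on `PATH`.

```shell
#!/usr/bin/env bash
# Added example: scope each scanner the way the answer describes.
# All paths below are assumptions (constructed); set them for your host.
UPLOAD_DIRS="${UPLOAD_DIRS:-/home /srv/ftp}"   # where Mac/Windows files can land
WEB_ROOTS="${WEB_ROOTS:-/var/www}"             # web roots for LMD

# Print one command per line; nothing is executed here.
# $1 = space-separated upload dirs, $2 = space-separated web roots.
scan_plan() {
    local d
    for d in $1; do
        if [ -d "$d" ]; then
            echo "clamscan -r -i $d"   # -r recurse, -i list infected files only
        else
            echo "skip (missing): $d" >&2
        fi
    done
    for d in $2; do
        if [ -d "$d" ]; then
            echo "maldet -a $d"        # LMD: scan all files under the path
        else
            echo "skip (missing): $d" >&2
        fi
    done
    # Rootkit checkers cover the whole system, so they take no path.
    echo "rkhunter --check --skip-keypress --report-warnings-only"
    echo "chkrootkit -q"
}

# Run the plan; with DRY_RUN=1 (the default) only print it.
run_plan() {
    local cmd
    scan_plan "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: $cmd"
        else
            # clamscan exits 1 when it finds something, so do not abort on non-zero.
            $cmd || echo "non-zero exit (findings or error): $cmd" >&2
        fi
    done
}

run_plan "$UPLOAD_DIRS" "$WEB_ROOTS"
```

Run it once as-is to review the printed plan, then with `DRY_RUN=0` as root (for example from cron) to execute the scans.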
