I am not happy with The Utility of Antivirus Tools (my edit years ago didn’t prevail and then I forgot about it). Quote as of now:
Antivirus products and personal firewalls are not drop in solutions for a secure host. Malware can often stay undetected and evade scans, while application level personal firewalls are often circumvented. Polymorphic code and rootkits essentially render antivirus products helpless.
Antivirus tools are actually worse than useless. In the case of sophisticated and targeted attacks, the antivirus software can serve as a pathway to exploiting a system’s kernel, since they almost always run with administration level privileges.  Antivirus software also harms privacy by sending system files back to the company servers for analysis. The software also actively conducts man-in-the-middle attacks on secure SSL connections, enabling very sensitive information to be viewed. 
“Antivirus tools are actually worse than useless.” - Really? It’s a good argument, but is it empirically true too? Perhaps people who wouldn’t fall for popular methods of infection wouldn’t benefit from antivirus, and would actually suffer from increased attack surface. But for most users I guess antivirus might help and the increased attack surface is theoretical.
ClamAV nowadays does have a background scanner / guard.
Related Debian ClamAV feature request:
add init script / systemd unit for clamonacc background scanner
I might be able to develop activating the background scanner by default, refusing execution of malicious files and graphically notifying the user about it.
ClamAV is nowadays developed by Cisco and might have made huge progress since I checked ages ago.
We have LKRG, perhaps rootkit detection system - AIDE, then why not antivirus too? We’d be the first Open Source, public Linux distribution that installs Antivirus, rootkit scanner and kernel guard by default.