I'm in doubt about how to scan my Linux system with Clamav: do I just scan the places where users can upload files (homedirs, their webroots) or do I scan the whole system?
The various sites I've read vary in opinion, some say you needn't scan the Linux-only parts, some say to not scan at all. The latter I've already discarded as I think it sensible to at least scan webroots for hosted viruses, but scanning the whole system is still something I am in doubt about.
ClamAV doesn't do well in many tests of antivirus (percentage detected) - better to find a commercial antivirus with Linux version that has good ratings on independent tests. See http://www.av-comparatives.org/en/comparativesreviews - however http://www.shadowserver.org/wiki/pmwiki.php/Stats/VirusYearlyStats shows it's in about the middle of the pack.
ClamAV won't find the most common sort of malware present on Linux web servers, namely web-based malware that compromises the website, rather than the web server itself. You can use LMD to find such malware typically: http://www.rfxn.com/projects/linux-malware-detect/
Since viruses affecting the Linux OS are rare to non-existent I would focus antivirus scans (ClamAV or other) on areas where Mac/Windows files could be uploaded, and run LMD over all web roots.
You might want to also set rkhunter to scan the whole system for known rootkits. (chkrootkit project appears to be dormant since 2009)
I'd scan my whole system, you never know what you contracted. Sure it will take a bit longer, but do you really want to take that chance?
What would it hurt to scan the whole system? Your system installation is probably very tiny compared to what you have in user home directories, at least if you have any serious amounts of users. Are you scared of performance issues? Why the doubt?
