Comment 5 for bug 1930393

Stephane Chazelas (stephane-chazelas+lp) wrote :

Another problem is that the systemd service definition (on 20.04) defaults to "Type=simple", so clamav-daemon.service appears as active even though it's not ready to accept connections yet.

That can be fixed with:

--- /lib/systemd/system/clamav-daemon.service 2021-06-04 15:05:34.272466670 +0100
+++ /etc/systemd/system/clamav-daemon.service 2021-06-04 15:05:36.072489235 +0100
@@ -6,11 +6,11 @@
 ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}

 [Service]
-ExecStart=/usr/sbin/clamd --foreground=true
+Type=forking
+ExecStart=/usr/sbin/clamd
 # Reload the database
 ExecReload=/bin/kill -USR2 $MAINPID
-StandardOutput=syslog
-TimeoutStartSec=420
+TimeoutStartSec=7min

 [Install]
 WantedBy=multi-user.target
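
Review bot: Type=forking is added in [Service] without a PIDFile=, while ExecReload still signals $MAINPID, so systemd has to guess which process is the main one after clamd forks. Suggest adding a PIDFile= that points at the path clamd writes its PID to (the PidFile setting in clamd.conf), so the USR2 reload reliably reaches the daemon. Separately, the file headers show a full copy of the unit under /etc/systemd/system, which shadows the packaged unit and any later changes to it; a drop-in under clamav-daemon.service.d/ with an empty ExecStart= line followed by the new ExecStart= would carry the same change.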

after which I can add a:

--- /dev/null 2021-06-04 15:21:19.232000000 +0100
+++ /etc/systemd/system/clamav-daemon.service.d/amavis.conf 2021-06-04 15:19:37.335686866 +0100
@@ -0,0 +1,10 @@
+[Unit]
+Before=amavis.service
+
+[Service]
+# clamd allows its clients to shut it down! So access to /run/clamav/clamd.ctl
+# is restricted to a strict minimum. That's only members of the clamav group.
+# The amavis process can only be in one group. It also doesn't need access to
+# any of clamav's private resources. So we're only granting it access to the
+# socket.
+ExecStartPost=/usr/bin/setfacl -m u:amavis:rw /run/clamav/clamd.ctl
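
Review bot: The ExecStartPost= line assumes /run/clamav/clamd.ctl already exists when it runs, which holds only together with the Type=forking change to the main unit; under Type=simple, setfacl can run before clamd has created the socket and fail the start. The comment block should state that dependency. Also, Before=amavis.service only orders the two units and does not pull clamav-daemon.service in, so amavis.service still needs a Wants= or Requires= if it must not run without clamd. Since the comment notes that clients can shut clamd down, it is worth saying there that the rw ACL extends that ability to the amavis user as well.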

(needs the "acl" package).

To grant access to the socket to amavis.