Over the years we've seen many "I want to log everything" questions at LQ (one of the reasons we have search functionality ;-p) and your options include anything ranging from system call logging with the audit service, Inotify tools or FUSE LoggedFS to homebrewed kludges. See for instance this. If in essence you want a kernel module for the purpose of on-access scanning, then kernel-2.4 LKM used Dazuko, developed by AVIRA (also see related developments), and kernel-2.6 (no idea if it works with kernel 3.x now) uses RedirFS, developed by GRISOFT and used by Comodo, KAV, AVG and other AV vendors. So there's no reason why ClamAV shouldn't be able to use it too.