Antivirus as a thing is mostly dead, or has morphed into more aggressive endpoint protection. In that sense ClamAV is mostly to scan for known malware in things like mail servers. Make sure people aren’t sending malicious stuff, albeit mostly low hanging fruit.
Nextcloud, wikis, or other similar aggregation sites are also a usecase, but again low hanging fruit.
Set up a cron job and have it run periodically, like once an hour / day / week, whatever. Make sure you set up something that alerts you if/when it hits on something.
As someone in IT Security Architecture, most of colleagues are fucking morons. It’s entirely possible she did just as well as they do.
Like, I had to teach one architect how NAT works. Dude at 10 years experience.