Well, I've only seen 1 virus come into my wife's machine via email.
It was on either 8.10 or 9.04.
Klam reported it immediately.
At one time I thought Clam/Klam was forensic only until this happened.
Am I missing something re: what "on the fly" is suppose to be.
I'm paraphrasing ... there are only a few ways for 'bad things' to hit your computer. Certain well defined ways, such as web browsing, or e-mail, have settings wherein clamav gets a peek at it before it actually lands on your FILE SYSTEM. There are many ways in which a bad thing can hit your file system - you could write a file with some app that does so, or you may put, or have put, a bad thing on your file system, a file system you use on another's machine, or they on yours.
Normally, unless you tell clamav to check your system, you'll never know when this last happens. So, clamav has a facility to schedule scans. (Problem is, when something is detected, well, it's already there. The damage has been done.)
On the fly interacts with the file system so that clamav gets a peek at it before anything lands from anywhere.
But clamav does not, and can not, do so by itself. Dazuko (compatibility?) is a kernel module that exposes an interface wherein things are allowed to have a peek before a file, from wherever, by whomever, actually gets to the disk. Clamav can take advantage of such a facility, but not until that facility is made available to it.
Here's a way to test ... turn off clamav web protection long enough to get the standard test virus (who's name and location escapes me at the moment), onto your system. [You can turn the web protection back on.] Now copy that file, anywhere, even to a different name in the same directory. It should not be able to land - if it can't, you have on the fly protection going. [In fact, you shouldn't be able to get the file in the first place - you only turned off web protection, not on the fly detection.]
If it lands, you are essentially unprotected. Until you run your next scan. And by then the damage has been done. (Suppose it only damages a little bit of a file ... how will you know what to fix?)
Now ... suppose it takes several days to complete a system scan ...
- how many bad things could have landed in the meantime?