The Linux Page

Connections to clamav.inoc.net, why is that?

Lately, I noticed that I always had a clamav.inoc.net connection. I was wondering why... I did install clamav but I did not recall changing anything in Apache where I'd get requests from the outside that would look like clamav.

The fact is I also installed freshclam. By default, that gives you a line like this in your netstat -a64 listing:

    tcp   383     0 halk:38272       clamav.inoc.net:www     CLOSE_WAIT

Most of the time you won't catch it while it is still connected and sending/receiving data. The daemon behind these connections is freshclam, and it saves the new data on your hard drive for clamav to use. That way you can fend off any new virus within (by default) 1 hour of receiving it.
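To read a listing like the one quoted above, this added example (not code from the original post) parses `netstat` TCP lines, infers each connection's direction from its ports, and flags `CLOSE_WAIT` sockets that still hold unread data. It assumes the Linux default ephemeral port range, and every sample line except the first is constructed.

```python
import re

# Assumption: Linux default net.ipv4.ip_local_port_range (32768-60999).
EPHEMERAL = range(32768, 61000)

# Constructed sample in `netstat -a` layout; the first line is the one quoted above.
SAMPLE = """\
tcp   383     0 halk:38272       clamav.inoc.net:www     CLOSE_WAIT
tcp     0     0 halk:www         client.example:51514    ESTABLISHED
tcp     0     0 *:www            *:*                     LISTEN
"""

LINE = re.compile(r"^(tcp6?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def is_ephemeral(port):
    """True for a numeric port in the ephemeral range; service names never are."""
    return port.isdigit() and int(port) in EPHEMERAL

def classify(line):
    """Describe one netstat TCP line as a dict, or return None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    _proto, recv_q, _send_q, local, foreign, state = m.groups()
    # Split on the last colon so IPv6 addresses keep their own colons.
    lport = local.rpartition(":")[2]
    rhost, _, rport = foreign.rpartition(":")
    if state == "LISTEN":
        direction = "listening"
    elif is_ephemeral(lport) and not is_ephemeral(rport):
        direction = "outbound"  # this host opened the connection
    elif is_ephemeral(rport) and not is_ephemeral(lport):
        direction = "inbound"   # a remote client reached a local service
    else:
        direction = "unknown"
    # CLOSE_WAIT: the peer closed first and the local process has not closed yet.
    # A non-zero Recv-Q there means bytes arrived that the process never read.
    unread = int(recv_q)
    return {"remote": rhost, "remote_port": rport, "direction": direction,
            "state": state, "unread_bytes": unread,
            "stale": state == "CLOSE_WAIT" and unread > 0}

def report(text=SAMPLE):
    """Classify every TCP line in a netstat listing."""
    return [row for row in map(classify, text.splitlines()) if row]

if __name__ == "__main__":
    for row in report():
        print(row)
```
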

Since I'm under Linux and most viruses are for MS-Windows, I simply reduced the number of checks from 1 per hour to 1 every 12 hours. Frankly, looks like most people don't even use clamav under Linux anyway...

More info: http://sial.org/howto/clamav/freshclam/