Whilst I am a big fan of ClamAV, it is apparent from using tools like VirusTotal to analyse files that ClamAV are consistently one of the last to include new (as in Zero Day) definitions to their lists, especially when the malware targets Microsoft™ software.
I recommend that all users apply a second AV scanner on their own device (yes....even if it is Scottish or an iSomething), and periodically rescan any mail that is stored on the server in order to benefit from definitions that have been released since the files were originally scanned.
In reality, my users never bother to scan their mailboxes on the server... ever, and are quite convinced that their devices of whatever sort are immune to getting infected or compromised - because someone in the pub told them so, and it was absolutely what they preferred to hear!
Perhaps the answer is to configure a cron job to run scans daily as recommended in "Configure ClamAV Scanner - Version 74 Documentation - cPanel Documentation", but this can significantly add to your server memory and CPU overhead during the run, and since I am seeing the most ridiculously underpowered servers being deployed on VMs these days, one would have to experiment very carefully to establish if a particular server could cope.
I have high expectations of the CloudLinux new ImunifyAV becoming an indispensable tool.
"ImunifyAV: The Free, Powerful, Malware Scanner (now in Beta for cPanel and DirectAdmin)". Although this is still in Beta, it definitely is worth watching. (Full Disclosure: I have NOT tried it, as I rarely deploy Beta software on a production server - so proceed at your own risk)
If you can afford it (I can't, so again, I haven't tried it) the full-featured Imunify360 product ("Imunify360 - Keeps Your Linux Web Servers Safe") would seem to be the way to go.
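
As an added example (not part of the post above and not taken from the cPanel documentation), here is one way to write the daily rescan of stored mail so that it backs off on an underpowered server. Assumptions: mail lives under `/home/*/mail`, `clamscan` and `freshclam` are on the PATH, and the log path and load threshold are placeholders to tune.

```shell
#!/bin/sh
# Added example: load-aware rescan of stored mail with ClamAV.
# All paths and limits below are assumptions; override via the environment.
MAIL_GLOB="${MAIL_GLOB:-/home/*/mail}"
MAX_LOAD_PER_CPU="${MAX_LOAD_PER_CPU:-0.70}"
LOG="${LOG:-/var/log/clamav-mail-rescan.log}"

# load_ok LOADAVG_FILE CPUS MAX_PER_CPU
# Succeeds when the 1-minute load average per CPU is below the limit.
load_ok() {
    awk -v cpus="$2" -v max="$3" \
        '{ ok = (($1 / cpus) < max) } END { exit (ok ? 0 : 1) }' "$1"
}

# priority_prefix: lowest CPU priority, plus idle I/O class when ionice exists.
priority_prefix() {
    prefix="nice -n 19"
    if command -v ionice >/dev/null 2>&1; then
        prefix="$prefix ionice -c 3"
    fi
    printf '%s\n' "$prefix"
}

rescan_mail() {
    cpus=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
    if ! load_ok /proc/loadavg "$cpus" "$MAX_LOAD_PER_CPU"; then
        echo "$(date) skipped: load too high" >>"$LOG"
        return 75   # temporary failure: let the next cron run try again
    fi
    # Update definitions first, so mail is rescanned against signatures
    # released since it was originally delivered.
    freshclam --quiet || echo "$(date) freshclam failed" >>"$LOG"
    # MAIL_GLOB is deliberately unquoted so the shell expands the wildcard.
    $(priority_prefix) clamscan -r -i --no-summary --log="$LOG" $MAIL_GLOB
    # clamscan exit codes: 0 = clean, 1 = infected file(s) found, 2 = error
    return $?
}

# Only scan when invoked with --run, e.g. from a cron entry.
if [ "${1:-}" = "--run" ]; then
    rescan_mail
fi
```

Call the script with `--run` from a daily cron entry, and alert on exit code 1 or on new entries in the log rather than relying on users to check.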