> Oct 09 04:15:56 Checking for urlhaus updates...
> Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
> Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
> Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity tested good
> Oct 09 04:15:56 Successfully updated urlhaus production database file: urlhaus.ndb
> Oct 09 04:15:56 Update(s) detected, reloading ClamAV databases
> Oct 09 04:15:56 ClamAV databases reloading
> Oct 09 04:15:56 Issue tracker : https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_extremeshok_clamav-2Dunofficial-2Dsigs_issues&d=DwICAg&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=WaUuzrJtD_PKZ2pBpU-pfAEoxGBj-_rNdSJwvcK9NiI&s=mMxE841bG6uyKmN8KcULOvoeE948yxFA9Mo2udC0y_U&e=
> Oct 09 04:15:56       Powered By https://urldefense.proofpoint.com/v2/url?u=https-3A__eXtremeSHOK.com&d=DwICAg&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=WaUuzrJtD_PKZ2pBpU-pfAEoxGBj-_rNdSJwvcK9NiI&s=7LlLO6tKn_1eYqKp_e8nViWQ6BAjCFkMgYzNFvigtfs&e=
>*Oct 09 05:14:02 ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav*

Looks clear that the urlhaus db was updated OK.  Does the unofficial
update script normally take an hour to run on your system?!  The one
we use usually takes just a few minutes.

My bad in trying to economize my post here's the entire update-related entry:
Oct 09 04:14:01 Preparing Databases
Oct 09 04:14:01 Fri 09 Oct 2020 04:14:01 AM EDT - Pausing database file updates for 114 seconds...
Oct 09 04:15:55 Fri 09 Oct 2020 04:15:55 AM EDT - Pause complete, checking for new database files...
Oct 09 04:15:55 Sanesecurity Database File Updates
Oct 09 04:15:55 2 hours have not yet elapsed since the last Sanesecurity update check
Oct 09 04:15:55 No update check was performed at this time
Oct 09 04:15:55 Next check will be performed in approximately 1 hour(s), 6 minute(s)
Oct 09 04:15:55 SecuriteInfo Database File Updates
Oct 09 04:15:55 4 hours have not yet elapsed since the last SecuriteInfo update check
Oct 09 04:15:55 No update check was performed at this time
Oct 09 04:15:55 Next check will be performed in approximately 3 hour(s), 6 minute(s)
Oct 09 04:15:55 LinuxMalwareDetect Database File Updates
Oct 09 04:15:55 Checking for LinuxMalwareDetect updates...
Oct 09 04:15:56 No LinuxMalwareDetect database file updates found
Oct 09 04:15:56 MalwarePatrol Database File Updates
Oct 09 04:15:56 24 hours have not yet elapsed since the last malwarepatrol update check
Oct 09 04:15:56 No update check was performed at this time
Oct 09 04:15:56 Next check will be performed in approximately 7 hour(s), 0 minute(s)
Oct 09 04:15:56 Yara-Rules Database File Updates
Oct 09 04:15:56 Checking for urlhaus updates...
Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity tested good
Oct 09 04:15:56 Successfully updated urlhaus production database file: urlhaus.ndb
Oct 09 04:15:56 Update(s) detected, reloading ClamAV databases
Oct 09 04:15:56 ClamAV databases reloading
 
> ... perhaps I should contact the ExtremeSHOK contributors ...

I'd have said so, yes.

well they may have an idea but I'm starting to think it's not related to their script. After all the username clamupdate does not come from their script. 

> perhaps there's some debug option that I'm not aware of?

It's just a shell script, you could edit it to put debugging things in
there if you're comfortable with hacking shell scripts.  Does it give
usage help if run with no arguments?  Does it have the '-i' option?

Indeed I see some options here: https://github.com/extremeshok/clamav-unofficial-sigs

So next time it happens I can try some of these:
-v, --verbose Be verbose, enabled when not run under cron
-i, --information Output system and configuration information for viewing or possible debugging purposes
-t, --test-database Clamscan integrity test a specific database file eg: '-t filename.ext' (do not include file path)
--check-clamav If ClamD status check is enabled and the socket path is correctly specifiedthen (sic) test to see if clamd is running or not 

Here's what the -i option returns:
su - clamav -s /bin/bash -c '/usr/local/sbin/clamav-unofficial-sigs.sh -i'
################################################################################
 eXtremeSHOK.com ClamAV Unofficial Signature Updater
 Version: v7.0.1 (2020-01-25)
 Required Configuration Version: v91
 Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
################################################################################
Loading config: /etc/clamav-unofficial-sigs/master.conf
Loading config: /etc/clamav-unofficial-sigs/os.conf
Loading config: /etc/clamav-unofficial-sigs/user.conf

*** SCRIPT INFORMATION ***
clamav-unofficial-sigs.sh 7.0.1 (2020-01-25)
Master.conf Version: 91
Minimum required config: 91
*** SYSTEM INFORMATION ***
Linux ourserver 5.7.15-200.fc32.x86_64 #1 SMP Tue Aug 11 16:36:14 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
*** CLAMSCAN LOCATION & VERSION ***
/usr/bin/clamscan
ClamAV 0.103.0/25952/Fri Oct  9 09:52:40 2020
*** RSYNC LOCATION & VERSION ***
/usr/bin/rsync
rsync  version 3.2.3  protocol version 31
*** CURL LOCATION & VERSION ***
/usr/bin/curl
curl 7.69.1 (x86_64-redhat-linux-gnu) libcurl/7.69.1 OpenSSL/1.1.1g-fips zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh/0.9.5/openssl/zlib nghttp2/1.41.0
*** GPG LOCATION & VERSION ***
/usr/bin/gpg
gpg (GnuPG) 2.2.20
*** DIRECTORY INFORMATION ***
Working Directory: /var/lib/clamav-unofficial-sigs
Clam Database Directory: /var/lib/clamav
Configuration Directory: /etc/clamav-unofficial-sigs


> ... I do see:
> systemctl status clam
> clamav-clamonacc.service        clamav-unofficial-sigs.service
> clamd.service
> clamav-freshclam.service        clamav-unofficial-sigs.timer
> clam-freshclam.service
> clamav-milter.service           clamd@scan.service
> clamonacc.service

I don't use any of that stuff, I like to know what's going on.  It
might be worth disabling all the service frippery and starting the
daemons from the command line to see if it behaves any differently.

Well systemd is so ingrained in most Linux distributions and the convenience of starting on reboot is helpful, as all's I need is for our long-time professor who still has his non-Gmail related email address on various lists, have a problem getting to his email box, and contacting me on Xmas eve (like he did last year) as emails are held back as ClamAV isn't running properly.

Frippery! Ha another one you made me look up.
 

> I see Fangfrisch <https://urldefense.proofpoint.com/v2/url?u=https-3A__rseichter.github.io_fangfrisch_&d=DwICAg&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=WaUuzrJtD_PKZ2pBpU-pfAEoxGBj-_rNdSJwvcK9NiI&s=7eiHTwe_wlDQm90JBW-6Fudyd4iyBYqMk6hAJzxCDtM&e= >is being
> maintained as an alternative. Haven't tried it yet.

It might not be time to throw out the baby just yet, before swapping
one lot of unknowns for another lot of unknowns I'd definitely try a
bit of investigative work.  After all other people use this stuff.  If
extra logging, disabling services etc don't lead you anywhere it might
be worth purging and reinstalling all the implicated packages.

 Might be a good idea to purge if I can't figure this out. 

Thanks for all you do in this list!