I asked about the permissions on the directories, not on files.  In
your 'find' command there you specifically limit the search to files
and not directories with "-type f".  See 'man find' for more (but IMO
'find' is a bit like a cornered rat and I'm starting to think it might
not be the best tool in the box for you to be playing with).  Just use

ls -l / | grep var

to see the permissions on /var and

ls -l / | grep var
lrwxrwxrwx    1 root root      19 Aug 31  2020 snap -> /var/lib/snapd/snap
drwxr-xr-x.  23 root root    4096 Jan 11 14:49 var
  
ls -l /var | grep lib

to see the permissions on /var/lib.

ls -l /var | grep lib
drwxr-xr-x. 95 root root 4096 Mar 20 08:00 lib 

>> But I'd still want to see that log.
>
> The log from the cronjob, freshclam or eXtremeSHOK.com ClamAV Unofficial
> Signature Updater?

The cron job which I suggested.  From a root shell prompt, to edit the
crontab give the command

crontab -e

which will fire up the default editor or the one you've configured.
Just paste these two lines (I tweaked it a bit from last October's
version) right at at the bottom:

FILE=/var/log/clam_perms.log
* * * * * /bin/date >> $FILE ; /bin/ls -l /var/lib/clamav >> $FILE

That will write a time/date stamp and a directory listing to the file
every minute until further notice.  Yes, there will be quite a lot of
output, but (by the standards of the 21st century) it won't be a huge
file, and you'll get what I'm looking for which is when (to about the
nearest minute) the permissions were changed.  If you know to within
the same sort of precision when things are run, that should give you
some clue to what changed the permissions.

I had * * * * *  /bin/echo -n "$(/bin/date) " >> /var/log/clam_perms.log && /bin/ls -l /var/lib/clamav >> /var/log/clam_perms.log so it's been populating for a couple of hours. 

> grep 981 /etc/group
> clamav:x:981:clamscan,clamilt,clamupdate

Hmmm.  So group ID 981 is 'clamav'.  What's the numeric ID for the
'clamupdate' group (and 'clamilt' for completeness)?  To me it seems
just a little excessive to have separate users (and maybe groups) for
clamd, clamav-milter and freshclam.  I think somebody (probably this
was somebody at Red Hat) lost the plot there, but I suppose you're
stuck with that unless you junk the ClamAV packages and build it all
from source.  IMO there's a lot to recommend that.
 
grep clam /etc/passwd
clamilt:x:989:985:Clamav Milter User:/var/run/clamav-milter:/sbin/nologin
clamav:x:985:981::/var/run/clamav:/sbin/nologin
clamupdate:x:983:979:Clamav database update user:/var/lib/clamav:/sbin/nologin
clamscan:x:982:978:Clamav scanner user:/:/sbin/nologin