-rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
-rw-r--r-- 1 clamav clamav 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327757824 Jul 12 09:59 daily.cld
-rw-r--r-- 1 clamav clamav 117859675 Nov 25 2019 main.cvd
and a bunch of others which we're not concerned with. Firstly, you
really don't want both a bytecode.cld *and* a bytecode.cvd, so you
should probably just delete the older one.
Done.
Here's what happens just after 10AM on the 13th:
Tue Jul 13 10:01:01 AM EDT 2021
-rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
-rw-r--r-- 1 clamav clamav 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327757824 Jul 12 09:59 daily.cld
-rw-r--r-- 1 clamav clamav 117859675 Nov 25 2019 main.cvd
Tue Jul 13 10:02:01 AM EDT 2021
-rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
-rw-r--r-- 1 clamav clamav 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
-rw-r--r-- 1 clamav clamav 117859675 Nov 25 2019 main.cvd
So daily.cld was updated, presumably by freshclam. That's good, as
nothing seems to have broken. Can you confirm that happened from the
freshclam log?
here are the logs from 10:01 AM Jul 13:
Jul 13 10:01:02 storm freshclam[3930506]: Database test passed.
Jul 13 10:01:02 storm freshclam[3930506]: daily.cld updated (version: 26230, sigs: 3995778, f-level: 63, builder: raynman)
Jul 13 10:01:02 storm freshclam[3930506]: daily.cld updated (version: 26230, sigs: 3995778, f-level: 63, builder: raynman)
Jul 13 10:01:02 storm freshclam[3930506]: main.cvd database is up-to-date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Jul 13 10:01:02 storm freshclam[3930506]: main.cvd database is up-to-date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Jul 13 10:01:02 storm freshclam[3930506]: bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Jul 13 10:01:02 storm freshclam[3930506]: bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.hdb is up-to-date (version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.hdb is up-to-date (version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.ign2 is up-to-date (version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.ign2 is up-to-date (version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: javascript.ndb is up-to-date (version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: javascript.ndb is up-to-date (version: custom database)
Jul 13 10:01:10 storm freshclam[3930506]: Testing database: '/var/lib/clamav/tmp.f9e1fecbc3/clamav-7b04ccc60e7adc16d356b3b689db8e0f.tmp-spam_marketing.ndb' ...
Jul 13 10:01:10 ourserver freshclam[3930506]: Testing database: '/var/lib/clamav/tmp.f9e1fecbc3/clamav-7b04ccc60e7adc16d356b3b689db8e0f.tmp-spam_marketing.ndb' ...
Jul 13 10:01:10 ourserver freshclam[3930506]: Database test passed.
Jul 13 10:01:10 ourserver freshclam[3930506]: Database test passed.
Jul 13 10:01:10 ourserver freshclam[3930506]: spam_marketing.ndb updated (version: custom database, sigs: 31016)
Jul 13 10:01:10 ourserver freshclam[3930506]: spam_marketing.ndb updated (version: custom database, sigs: 31016)
Jul 13 10:01:10 ourserver freshclam[3930506]: securiteinfohtml.hdb is up-to-date (version: custom database)
Jul 13 10:01:10 ourserver freshclam[3930506]: securiteinfohtml.hdb is up-to-date (version: custom database)
Jul 13 10:01:10 ourserver freshclam[3930506]: securiteinfoascii.hdb is up-to-date (version: custom database)
Jul 13 10:01:10 ourserver freshclam[3930506]: securiteinfoascii.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfoandroid.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfoandroid.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfoold.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfoold.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfopdf.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfopdf.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: safebrowsing.gdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: safebrowsing.gdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: --------------------------------------
Is freshclam running from cron or as a daemon?
Daemon
ps -auwx|grep freshclam
clamav 3818 0.0 0.0 28952 12864 ? Ss 12:00 0:00 /usr/bin/freshclam -d --foreground=true
----------------------------------------------------------------------
The next thing that I see of interest is
Tue Jul 13 11:10:02 AM EDT 2021
-rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
-rw-r--r-- 1 clamav clamav 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
-rw-r--r-- 1 clamav clamav 117859675 Nov 25 2019 main.cvd
Tue Jul 13 12:02:01 PM EDT 2021
-rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
-rw-r--r-- 1 clamupdate clamupdate 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
-rw-r--r-- 1 clamupdate clamupdate 107169718 Jun 22 18:06 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 117859675 Nov 25 2019 main.cvd
There's a fifty minute gap in the log. Why is that? Presumably this
is about the time you updated and rebooted the system.
correct
Are you sure
that the system time gets set correctly at boot? We need to know that
we can rely on the timestamps in the logs. All the logs.
systemctl status chronyd
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-07-13 12:00:50 EDT; 2h 46min ago
Docs: man:chronyd(8)
man:chrony.conf(5)
Process: 3171 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 3232 (chronyd)
Tasks: 1 (limit: 154189)
Memory: 4.6M
CGroup: /system.slice/chronyd.service
└─3232 /usr/sbin/chronyd
Jul 13 12:00:50 ourserver.edu systemd[1]: Starting NTP client/server...
Jul 13 12:00:50 ourserver.edu chronyd[3232]: chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
Jul 13 12:00:50 ourserver.edu chronyd[3232]: Frequency -34.655 +/- 0.141 ppm read from /var/lib/chrony/drift
Jul 13 12:00:50 ourserver.edu chronyd[3232]: Using right/UTC timezone to obtain leap second data
Jul 13 12:00:50 ourserver.edu systemd[1]: Started NTP client/server.
Jul 13 12:01:34 ourserver.edu chronyd[3232]: Selected source 50.205.57.38 (2.fedora.pool.ntp.org)
Jul 13 12:01:34 ourserver.edu chronyd[3232]: System clock TAI offset set to 37 seconds
Anyway, suddenly the owner/group IDs have changed and you have both a
daily.cld and a daily.cvd - which isn't good news, especially as one
of them is over three weeks old. Where did it come from?
Right, that's the question.
> From the cron log file:
> Jul 13 12:14:01 ourserver CROND[22349]: (clamav) CMD ([ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh)
> Jul 13 12:14:03 ourserver CROND[22318]: (clamav) CMDEND ([ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh)
Assuming that we can believe the timestamps, then any problems that
arose from ownership by the clamupdate user/group had already happened
at 12:02 so it was *not* the run of clamav-unofficial-sigs.sh at 12:14
which caused them.
Is this the first time that clamav-unofficial-sigs.sh ran?
No, it's been running all the time. So are freshclam and clamav-unofficial-sigs.sh not supposed to run as separate processes?
What's in the freshclam log about these times?
Nothing as the upgrade/reboot was still happening. The next freshclam is:
Jul 13 14:00:58 ourserver freshclam[3818]: Received signal: wake up
Jul 13 14:00:58 ourserver freshclam[3818]: ClamAV update process started at Tue Jul 13 14:00:58 2021
Jul 13 14:00:58 ourserver freshclam[3818]: Received signal: wake up
Jul 13 14:00:58 ourserver freshclam[3818]: ClamAV update process started at Tue Jul 13 14:00:58 2021
Jul 13 14:00:58 ourserver freshclam[3818]: ERROR: Can't create temporary directory /var/lib/clamav/tmp.21024dac47
Jul 13 14:00:58 ourserver freshclam[3818]: Hint: The database directory must be writable for UID 985 or GID 981
Jul 13 14:00:58 ourserver freshclam[3818]: ERROR: Update failed.
Jul 13 14:00:58 ourserver freshclam[3818]: Can't create temporary directory /var/lib/clamav/tmp.21024dac47
Jul 13 14:00:58 ourserver freshclam[3818]: Hint: The database directory must be writable for UID 985 or GID 981
Jul 13 14:00:58 ourserver freshclam[3818]: Update failed.
Jul 13 14:00:58 ourserver freshclam[3818]: --------------------------------------
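Added here as an illustration, not code from the thread or from ClamAV: a small POSIX sh audit that reads an `ls -l` listing of the database directory and flags the two conditions the thread turns on, a database present as both .cld and .cvd, and files owned by someone other than the user freshclam runs as. The expected owner is passed as an argument (clamav here, matching the `ps` output above); the embedded listing is constructed from the 12:02 snapshot.

```shell
#!/bin/sh
# Audit an `ls -l` listing of a ClamAV database directory.
# Usage: audit_listing <expected-owner> < listing
# Prints "OWNER <file> <actual-owner>" for each file not owned by the expected
# user, and "DUP <db>" for each database that exists as both .cld and .cvd.
audit_listing() {
    awk -v want="$1" '
        NF >= 9 {                       # skip "total N" and blank lines
            owner = $3; name = $NF
            if (owner != want) printf "OWNER %s %s\n", name, owner
            n = name
            if (sub(/\.cld$/, "", n)) cld[n] = 1
            else if (sub(/\.cvd$/, "", n)) cvd[n] = 1
        }
        END {
            for (n in cld) if (n in cvd) printf "DUP %s\n", n
        }'
}

# Constructed sample, modelled on the 12:02 PM snapshot in the thread: the
# .cvd files have been dropped in by a process running as clamupdate.
SAMPLE='-rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
-rw-r--r-- 1 clamupdate clamupdate 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
-rw-r--r-- 1 clamupdate clamupdate 107169718 Jun 22 18:06 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 117859675 Nov 25 2019 main.cvd'

# Number of findings for the sample; anything non-zero means the next
# freshclam run is at risk of the "Can't create temporary directory" failure
# or of loading a stale duplicate database.
audit_count() {
    printf '%s\n' "$SAMPLE" | audit_listing clamav | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | audit_listing clamav
```

On a live host, run it as `ls -l /var/lib/clamav | audit_listing clamav`, substituting whichever user `freshclam -d` actually runs as (the `DatabaseOwner` setting in freshclam.conf, if set); a second signature updater such as clamav-unofficial-sigs.sh should be configured to use that same user.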