The whole approach of virus scanning is reactive and incomplete. This is because, except for some uncertain guesswork using "heuristics", it depends upon vendor analysis of submitted malware infection samples after it's already happened to determine specific malware file/process signatures. This doesn't and cannot catch all possible malware that has ever happened, especially if it's new, not widespread, or evaded analysis from ever being noticed. Thus, a fraction of malware will always slip and will always remain undetectable.

After a machine is compromised by malware, there's rarely-to-never a trustworthy way to ever fix it with 100% certainty. And especially worrisome is "repair" from the host itself which maybe infected with a rootkit that hides and repairs the malware. Thus, the only correct solution is to completely reimage/reinstall from trusted sources. Deviate from this path at one's own extreme cost/risk.

There also exist a tiny amount of even worse, specialized malware, usually deployed by state actors, that infect hardware in such a way that makes them difficult and sometimes uneconomical to repair.

PSA: Never run untrustworthy shit on any machine that matters. This also includes FOSS projects that don't have their shit together.

PSA?: How to establish trust?