AV Management Engine
Centralised, policy-driven antivirus deployment for ClamAV (Linux/BSD/macOS) and ClamWin (Windows). Adds reusable AV policies, scheduled scans, definition-update cadence control, and a fleet-wide commercial-AV detection report on top of the open-source basics.
Overview
The AV Management Engine generates server-side ClamAV / ClamWin configurations and ships them to agents as fully-baked deploy plans. The agent runs the plan via the generic apply_deployment_plan handler — no AV business logic lives on the agent. The engine layers an AvPolicy abstraction on top so an operator can define a single named policy (cadence + schedule + product) and apply it to any number of hosts.
Open Source vs Professional+
- Community Edition: per-host install / enable / disable / remove via backend/services/av_plan_builder.py
- Professional+: reusable named policies with cadence + scan schedule, applied to many hosts in one call
- Professional+: fleet-wide commercial-AV detection report (CrowdStrike, SentinelOne, Defender, etc.)
- Professional+: cron-style daily / weekly / monthly scheduled scans (Linux/FreeBSD via /etc/cron.d; Windows via schtasks)
Deploy Plan Shape
Every operation produces a declarative deploy plan that the agent executes step-by-step (install packages → write configs → run commands → start services). The plan is wire-compatible with the open-source planner so the same agent handler runs both:
{
"platform": "linux" | "windows" | "freebsd" | ...,
"av_product": "clamav" | "clamwin",
"packages": [str | {"manager": str, "name": str, "args": [str]}],
"files": [{"path", "content", "mode", "owner", "group", "backup"}],
"commands": [{"argv", "sudo", "elevated", "timeout", "ignore_errors", "description"}],
"service_actions": [{"service", "action": "enable|start|stop|disable"}],
"scan_schedule": {"frequency": "daily|weekly|monthly", "hour", "minute", "day_of_week"?, "day_of_month"?, "scan_paths": [str]}
}
AV Policies
An AvPolicy bundles the AV product, definition-update cadence, and scan schedule into a named, reusable unit. Apply it across as many hosts as you like; the engine resolves the per-host build options and queues an APPLY_DEPLOYMENT_PLAN message for each.
Endpoints
- GET /api/v1/av/policies — list registered policies
- POST /api/v1/av/policies — create or overwrite a policy by name
- DELETE /api/v1/av/policies/{name} — remove a policy
- POST /api/v1/av/policies/{name}/apply — resolve and queue the policy for a host list
Example
POST /api/v1/av/policies
{
"name": "production-tier",
"av_product": "clamav",
"checks_per_day": 12,
"scan_schedule": {
"frequency": "weekly",
"day_of_week": 0,
"hour": 2,
"minute": 0,
"scan_paths": ["/var/www", "/opt/app"]
}
}
POST /api/v1/av/policies/production-tier/apply
{ "host_ids": ["..uuid..", "..uuid.."] }
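As an added illustration (not the engine's own code, which ships as a compiled binary), the hypothetical Python resolver below turns the policy body above into a Linux deploy plan of the shape documented under Deploy Plan Shape, including the /etc/cron.d entry for the scheduled scan. The package names, file paths, freshclam.conf content and the input checks are assumptions; checks_per_day is mapped to freshclam's Checks directive.

```python
import re
import shlex

# Constructed policy body, mirroring the POST /api/v1/av/policies example above.
POLICY = {"name": "production-tier", "av_product": "clamav", "checks_per_day": 12,
          "scan_schedule": {"frequency": "weekly", "day_of_week": 0, "hour": 2, "minute": 0,
                            "scan_paths": ["/var/www", "/opt/app"]}}

def _require(cond, msg):
    if not cond:
        raise ValueError(msg)

def cron_fields(schedule):
    """scan_schedule -> the five cron time fields, with range checks cron itself won't do."""
    hour, minute, freq = int(schedule["hour"]), int(schedule["minute"]), schedule["frequency"]
    _require(0 <= hour <= 23 and 0 <= minute <= 59, "hour/minute out of range")
    if freq == "daily":
        return f"{minute} {hour} * * *"
    if freq == "weekly":
        dow = int(schedule["day_of_week"])
        _require(0 <= dow <= 6, "day_of_week must be 0-6")
        return f"{minute} {hour} * * {dow}"
    if freq == "monthly":
        dom = int(schedule["day_of_month"])
        _require(1 <= dom <= 28, "day_of_month must be 1-28 so no month is skipped")
        return f"{minute} {hour} {dom} * *"
    raise ValueError(f"unknown frequency {freq!r}")

def build_linux_plan(policy):
    # Hypothetical resolver: one policy -> one deploy plan in the documented shape.
    name, sched = policy["name"], policy["scan_schedule"]
    # name becomes a file name under /etc/cron.d and scan paths land in a cron line: validate first
    _require(re.fullmatch(r"[A-Za-z0-9_-]+", name), f"unsafe policy name {name!r}")
    _require(all(p.startswith("/") and "\n" not in p for p in sched["scan_paths"]),
             "scan paths must be absolute and single-line")
    paths = " ".join(shlex.quote(p) for p in sched["scan_paths"])
    checks = int(policy["checks_per_day"])  # -> freshclam.conf 'Checks' (updates per day)
    _require(1 <= checks <= 50, "checks_per_day must be 1-50")
    return {
        "platform": "linux", "av_product": policy["av_product"], "scan_schedule": sched,
        "packages": ["clamav", "clamav-daemon", "clamav-freshclam"],
        "files": [
            {"path": "/etc/clamav/freshclam.conf", "mode": "0644", "owner": "root",
             "group": "root", "backup": True, "content": "DatabaseDirectory /var/lib/clamav\n"
             f"DatabaseMirror database.clamav.net\nChecks {checks}\n"},
            {"path": f"/etc/cron.d/av-scan-{name}", "mode": "0644", "owner": "root", "group": "root",
             "backup": False, "content": f"{cron_fields(sched)} root /usr/bin/clamscan -ri {paths}\n"},
        ],
        "commands": [{"argv": ["freshclam"], "sudo": True, "elevated": False, "timeout": 600,
                      "ignore_errors": True, "description": "initial definition download"}],
        "service_actions": [{"service": "clamav-freshclam", "action": a} for a in ("enable", "start")],
    }
```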
Commercial AV Fleet Report
The agent's open-source commercial_antivirus_collection.py already detects CrowdStrike, SentinelOne, Defender, McAfee, Symantec, etc. and writes per-host status to the commercial_antivirus_status table. Professional+ adds a fleet aggregation endpoint that summarises which products are installed on how many hosts and surfaces hosts with realtime protection disabled.
GET /api/v1/av/commercial/fleet-report
{
"total_hosts": 142,
"hosts_with_commercial_av": 87,
"by_product": {
"Microsoft Defender": 54,
"CrowdStrike": 22,
"SentinelOne": 11
},
"realtime_protection_off_count": 3,
"entries": [...]
}
Feature Codes
Endpoints in this engine are gated by these feature codes (the open-source server returns 402 for them when the module isn't loaded):
- av_install — deploy / policy-apply
- av_uninstall — remove
- av_status — per-host status read
- av_scan — on-demand scan
- commercial_av_detect — fleet commercial-AV report
Architecture
The engine is a Cython-compiled binary (av_management_engine.so) loaded by the open-source server's module_loader at startup. It exports the same get_module_info() + get_av_management_router() contract as the other Pro+ modules, so the open-source server's mount_av_management_routes() wrapper can mount it alongside the 402 stubs without conditionals.