Traditional anti-virus approaches such as on-access scanning via ICAP or proprietary integrations are not available in Qumulo environments. Does this create a gap for organizations that need reliable malware detection on large-scale file systems?
The Yuzuy Anti-Virus Integration addresses this gap with a different approach: event-driven, post-change scanning combined with horizontal scalability and full AV vendor independence.
Instead of intercepting file access, the system reacts to change events and orchestrates scans externally. This keeps the storage system performant while still ensuring that newly created and modified files are inspected.
How It Works in Practice
At the core of the solution is a simple idea: scan files when they change—quickly, reliably, and at scale.
When a file is created or modified on a protected Qumulo path, the platform emits a change notification. Yuzuy consumes this event, maps it to a configured protection scope, and creates a scan job.
These jobs are queued and distributed across one or more scan servers (Protection Clients). Each scan server retrieves the file directly via SMB and invokes the locally installed anti-virus engine via CLI.
There is no file transfer, no proxying, and no deep coupling to a specific AV product.
The anti-virus engine performs the scan and executes any configured action—such as quarantine or deletion—independently.
A Decoupled Architecture by Design
The architecture intentionally separates responsibilities:
- Yuzuy handles orchestration, event processing, and job distribution
- Protection Clients execute scans
- The AV engine handles detection and remediation
This decoupling has two key advantages:
- Vendor flexibility – organizations can use their preferred AV solution
- Operational clarity – each component does exactly one job
There is no attempt to interpret scan results or enforce security policies centrally. Those remain fully under control of the anti-virus platform.
Event-Driven Instead of Inline
Unlike traditional on-access scanning, this solution follows a post-change model.
This means:
- No impact on file access latency
- No dependency on filesystem hooks
- No risk of blocking user operations
Instead, scans are triggered by Qumulo Change Notify events, making the system reactive rather than intrusive.
To avoid redundant scans during rapid file updates, events are consolidated within a short time window before a scan is initiated.
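The flow described above (change event, protection-scope lookup, consolidation window, scan job) as an added, runnable example. This is illustrative code written for this article, not Yuzuy's own implementation: the event fields, the scope configuration, the hidden-share UNC root and the sample events are all constructed, and the two-second window is an assumed value.

```python
"""Consolidating Qumulo change events into scan jobs (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ChangeEvent:
    path: str    # POSIX-style path on the file system (constructed field names)
    kind: str    # "create" or "modify" (constructed names)
    ts: float    # event time in seconds


@dataclass(frozen=True)
class ScanJob:
    scope: str          # protection scope that matched the path
    unc_path: str       # UNC path the scan server hands to its AV CLI
    last_event_ts: float


@dataclass
class ProtectionScope:
    name: str
    root: str       # protected directory on the Qumulo file system
    unc_root: str   # hidden share the scan servers read through (constructed)

    def matches(self, path: str) -> bool:
        return path == self.root or path.startswith(self.root.rstrip("/") + "/")

    def to_unc(self, path: str) -> str:
        rel = path[len(self.root):].lstrip("/")
        return self.unc_root.rstrip("\\") + "\\" + rel.replace("/", "\\")


class EventConsolidator:
    """Collapse a burst of events for one path into a single scan job.

    A path stays pending until no further event has arrived for `window`
    seconds; only then is one job emitted. Paths outside every scope are
    counted and dropped, so unprotected areas never generate work.
    """

    def __init__(self, scopes: List[ProtectionScope], window: float = 2.0):
        self.scopes = scopes
        self.window = window
        self._pending: Dict[str, Tuple[ProtectionScope, float]] = {}
        self.ignored = 0

    def _scope_for(self, path: str) -> Optional[ProtectionScope]:
        # Longest matching root wins so nested scopes behave predictably.
        hits = [s for s in self.scopes if s.matches(path)]
        return max(hits, key=lambda s: len(s.root)) if hits else None

    def ingest(self, ev: ChangeEvent) -> None:
        if ev.kind not in ("create", "modify"):
            return
        scope = self._scope_for(ev.path)
        if scope is None:
            self.ignored += 1
            return
        self._pending[ev.path] = (scope, ev.ts)   # restart the quiet window

    def flush(self, now: float) -> List[ScanJob]:
        """Emit one job for every path whose quiet window has elapsed."""
        ready = [p for p, (_, ts) in self._pending.items() if now - ts >= self.window]
        jobs = []
        for p in sorted(ready):
            scope, ts = self._pending.pop(p)
            jobs.append(ScanJob(scope.name, scope.to_unc(p), ts))
        return jobs


# Constructed sample: one scope, three rapid writes to one file, one file outside the scope.
SCOPES = [ProtectionScope("finance", "/finance", r"\\qumulo-cluster\yuzuy$\finance")]
SAMPLE_EVENTS = [
    ChangeEvent("/finance/q1/report.xlsx", "create", 100.0),
    ChangeEvent("/finance/q1/report.xlsx", "modify", 100.3),
    ChangeEvent("/finance/q1/report.xlsx", "modify", 100.9),
    ChangeEvent("/scratch/tmp.bin", "create", 101.0),
]


def demo() -> Tuple[List[ScanJob], List[ScanJob], int]:
    c = EventConsolidator(SCOPES, window=2.0)
    for ev in SAMPLE_EVENTS:
        c.ingest(ev)
    early = c.flush(now=101.5)   # burst still inside the quiet window: nothing yet
    late = c.flush(now=103.0)    # window elapsed: exactly one job for the file
    return early, late, c.ignored
```

The window trades a small detection delay (at most `window` seconds after the last write) for far fewer scans of files that are written in many small chunks; that delay is the cost of the post-change model and should be sized against how long a typical client keeps a file open for writing.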
Built for Horizontal Scalability
Scanning performance is often the bottleneck in large environments. Yuzuy addresses this with a straightforward scaling model:
- Add more scan servers → increase throughput
- Each server processes scans in parallel
- Parallelism is tied to CPU cores (cores - 2)
Jobs are distributed using a round-robin mechanism, ensuring balanced utilization across all available Protection Clients.
This makes the system suitable for environments ranging from a few thousand users to large-scale enterprise deployments.
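The scaling model in this section (round-robin distribution across Protection Clients, each scanning in parallel with cores - 2 workers) as an added example. It is illustrative code written for this article, not Yuzuy's implementation: the client names, the job list and the in-process stand-in for the AV engine are constructed, and the floor of one worker on very small hosts is an assumption the text does not state.

```python
"""Round-robin job distribution and per-server scan parallelism (constructed example)."""
import os
from concurrent.futures import ThreadPoolExecutor
from itertools import cycle
from typing import Callable, Dict, Iterable, List, Tuple

Scanner = Callable[[str], Tuple[str, int]]   # unc_path -> (unc_path, exit_code)


def worker_parallelism(cpu_count: int) -> int:
    """Parallel scans per Protection Client: cores - 2 as described in the text.
    The floor of 1 is an assumption so that a two-core VM still scans."""
    return max(1, cpu_count - 2)


def distribute(jobs: Iterable[str], clients: List[str]) -> Dict[str, List[str]]:
    """Assign jobs to registered clients in strict round-robin order."""
    if not clients:
        raise ValueError("no registered Protection Clients")
    assignment: Dict[str, List[str]] = {c: [] for c in clients}
    for job, client in zip(jobs, cycle(clients)):
        assignment[client].append(job)
    return assignment


def run_client(jobs: List[str], scanner: Scanner,
               cpu_count: int = os.cpu_count() or 1) -> List[Tuple[str, int]]:
    """One Protection Client draining its share of the queue with cores - 2 workers.
    Results keep job order, which makes the per-job log easy to correlate."""
    with ThreadPoolExecutor(max_workers=worker_parallelism(cpu_count)) as pool:
        return list(pool.map(scanner, jobs))


# Constructed sample: three scan servers and seven queued jobs on the hidden share.
CLIENTS = ["scan-01", "scan-02", "scan-03"]
JOBS = [rf"\\qumulo-cluster\yuzuy$\finance\file{i}.docx" for i in range(7)]


def fake_scanner(unc_path: str) -> Tuple[str, int]:
    """Stand-in for the vendor CLI so the example runs without an AV engine installed."""
    return unc_path, 0


def demo() -> Dict[str, List[Tuple[str, int]]]:
    assignment = distribute(JOBS, CLIENTS)
    # Each client would run on its own host; here all three run in-process.
    return {c: run_client(assignment[c], fake_scanner, cpu_count=4) for c in CLIENTS}
```

Because the assignment is purely positional, adding a fourth client changes only the `CLIENTS` list; throughput then grows with the number of servers and their core counts, with no change to the orchestration logic.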
Direct File Access, No Data Movement
A key design decision is that files are never copied or transferred for scanning.
Instead:
- Scan servers access files directly via SMB (UNC paths)
- Hidden shares are created automatically with minimal required permissions
- A dedicated service account is used for access
This approach minimizes overhead and keeps data locality intact.
Security and Communication
All communication between components is secured:
- AMQP over TLS (port 5671) for job distribution (RabbitMQ-based)
- HTTPS (port 443) for API communication and client registration
Protection Clients authenticate using tokens and certificates, with credentials stored in encrypted form locally.
Leveraging Existing AV Investments
Rather than introducing another security engine, the solution builds on what is already in place.
Any anti-virus solution that meets two requirements can be integrated:
- it supports CLI execution
- it can scan UNC paths
In practice, this includes widely used enterprise solutions such as Microsoft Defender, Sophos, CrowdStrike, ESET, WithSecure, and Bitdefender.
All detection logic, policies, and actions remain within the AV platform.
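An added example of the integration contract the two requirements above define: the scan server hands a UNC path to the locally installed engine's CLI and records the exit code without interpreting it. This is illustrative code written for this article, not Yuzuy's or any vendor's code; the command template is a constructed placeholder (real vendor CLIs have their own flags and exit codes), and the demo uses the Python interpreter itself as a stand-in engine so that it runs anywhere.

```python
"""Invoking an AV engine CLI on a UNC path without a shell (constructed example)."""
import subprocess
import sys
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ScanResult:
    unc_path: str
    exit_code: int     # kept for the job log only; detection logic stays in the AV platform
    timed_out: bool


def build_argv(template: List[str], unc_path: str) -> List[str]:
    """Substitute the path into the template as a single argv element.
    No shell is involved, so spaces, quotes or '&' in a file name cannot
    change which command runs or add arguments to it."""
    if "{path}" not in template:
        raise ValueError("template must contain a '{path}' element")
    return [unc_path if a == "{path}" else a for a in template]


def scan_with_cli(template: List[str], unc_path: str, timeout_s: float = 600.0) -> ScanResult:
    """Run the engine on one file; a hung engine is bounded by the timeout."""
    argv = build_argv(template, unc_path)
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return ScanResult(unc_path, -1, True)   # -1 is a constructed sentinel, not a vendor code
    return ScanResult(unc_path, proc.returncode, False)


# Constructed stand-in engine: exits 0 for a clean name and 2 when the file name
# contains "eicar". It exists only to exercise the wrapper; real engines define
# their own exit codes, and those are for the AV platform to act on, not this code.
STANDIN_ENGINE = [sys.executable, "-c",
                  "import sys; sys.exit(2 if 'eicar' in sys.argv[1].lower() else 0)",
                  "{path}"]
SLOW_ENGINE = [sys.executable, "-c", "import time; time.sleep(5)", "{path}"]


def demo() -> List[ScanResult]:
    paths = [r"\\qumulo-cluster\yuzuy$\finance\ok.docx",
             r"\\qumulo-cluster\yuzuy$\finance\eicar test & co.txt"]
    return [scan_with_cli(STANDIN_ENGINE, p) for p in paths]


def demo_timeout() -> ScanResult:
    return scan_with_cli(SLOW_ENGINE, r"\\qumulo-cluster\yuzuy$\finance\large.iso", timeout_s=0.5)
```

Building argv as a list rather than a command string is the one place where the orchestration layer has a security decision of its own: file names on a shared file system are user-controlled input, and the scan server must not let them reach a shell.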
What This Approach Does and Doesn’t Do
The design is intentionally focused.
It provides:
- Reliable scanning of new and modified files
- Scalable execution across distributed scan servers
- Seamless integration with existing AV tools
It does not provide:
- Inline blocking or on-access scanning
- Built-in malware detection
- Native alerting or XDR capabilities
This makes it a good fit for organizations that want to extend existing security controls into Qumulo environments, without introducing unnecessary complexity.
A Practical Alternative to ICAP/CAVA
In environments where ICAP or CAVA are not available, Yuzuy offers a pragmatic alternative:
- Event-driven instead of inline
- Externalized scanning instead of embedded engines
- Scalable infrastructure instead of fixed appliances
The result is a system that aligns well with modern, distributed storage architectures—without forcing compromises on security or performance.