What is Guardimesh?
Guardimesh is a runtime container malware scanning platform for Kubernetes and OpenShift. It deploys as a DaemonSet on every node in your cluster, continuously scanning running containers for malware, suspicious binaries, fileless payloads, and unauthorized changes — without modifying your application code.
Why Runtime Scanning?
Traditional container security tools scan images at build time or in registries. This catches known threats before deployment, but misses:
- Supply-chain attacks that inject malware after the image is pulled
- Fileless malware that exists only in memory (
memfd_createpayloads) - Runtime drift where executables appear that weren't in the original image
- Deleted binary attacks where malware runs from
/proc/[pid]/exeafter unlinking itself from disk - Shared library injection via deleted
.sofiles loaded into running processes
Guardimesh detects all of these at runtime, inside your running cluster.
How It Works
- Deploy — A single Helm command installs the Guardimesh operator, which deploys a scanner DaemonSet across all nodes.
- Scan — New containers are scanned automatically on creation. Scheduled re-scans cover long-running workloads. Optional real-time file monitoring (fanotify) catches threats as files are written.
- Detect — ClamAV signatures (official, third-party, and custom), drift detection, memfd scanning, deleted binary detection, and obfuscation analysis work together.
- Alert — Findings appear in the web console and trigger notifications via webhooks, Slack, PagerDuty, Jira, or ServiceNow.
Detection Capabilities
| Capability | Description |
|---|---|
| ClamAV signature scanning | Detects known malware using official and third-party signature databases |
| Runtime upperdir scanning | Scans the container writable layer (overlay filesystem) for new or modified files |
| Executable drift detection | Identifies executables that were not present in the original container image |
| Deleted binary scanning | Finds running processes whose binaries have been deleted from disk |
| memfd fileless payload scanning | Detects in-memory-only executables created via memfd_create |
| Deleted shared library scanning | Identifies loaded .so files that have been removed from the filesystem |
| Obfuscation detection | ML-based analysis of packed, encrypted, or obfuscated binaries (YARA + entropy + Random Forest) |
| Real-time file monitoring | Continuous monitoring of container writable layers via Linux fanotify (Startup tier and above) |
Supported Platforms
Kubernetes Distributions
- Kubernetes 1.24+
- Red Hat OpenShift 4.10+
- Google Kubernetes Engine (GKE)
- Amazon EKS
- Azure AKS
Container Runtimes
- Docker (containerd)
- CRI-O
- Podman
Architectures
- AMD64 (x86_64)
- ARM64 (aarch64)
Deployment Model
Guardimesh runs entirely within your cluster as a privileged DaemonSet. Each node gets a scanner pod containing:
| Container | Role |
|---|---|
| guardimesh-scanner | Watches for new pods, triggers scans, ships results |
| guardimesh-antivirus | ClamAV daemon for signature-based detection |
| guardimesh-inspector | Collects system and container metadata |
| guardimesh-puller | Keeps signature databases up to date |
| guardimesh-obfuscation-scanner | Analyzes binaries for obfuscation techniques |
Scan results are sent to the Guardimesh SaaS backend over TLS, stored in BigQuery, and made available through the web console and notification integrations.
For air-gapped environments, an enterprise on-premise deployment option runs the entire stack — including the web console, API, and database — inside your cluster with no external connectivity.
Compliance
Guardimesh is designed to support compliance with:
- FedRAMP
- SOC 2 Type II
- ISO 27001
The platform provides audit trails, scan coverage reports, and data retention controls aligned with these frameworks.
What Data Leaves Your Cluster
Only scan metadata is transmitted to the Guardimesh backend:
- Pod name, namespace, container ID, image name
- Scan results (signature name, file path, timestamp)
- Node and cluster identifiers
No application data, environment variables, secrets, or file contents are ever transmitted. The scanner reads files on disk only to pass them to the local ClamAV daemon via Unix socket. File content never leaves the node.
Next Steps
- Getting Started — Deploy Guardimesh in 5 minutes
- Architecture — Understand the technical design
- Subscription Tiers — Choose the right plan