Getting Started
This guide takes you from zero to your first malware detection in under 5 minutes. You need a Kubernetes cluster with cluster-admin access.
Prerequisites
- Kubernetes 1.24+ or OpenShift 4.10+ cluster
- kubectl configured with cluster-admin permissions
- helm v3.8+ installed
- Outbound HTTPS access from cluster nodes to api.guardimesh.io
Step 1: Create an Account
Sign up at guardimesh.com/register using email, Google, or GitHub authentication.
New accounts start with a 7-day free trial — no credit card required. The trial includes 2 nodes and full scanning capabilities (except fanotify real-time monitoring).
Step 2: Generate an API Key
- Log in to the web console
- Navigate to API Keys in the sidebar
- Click Create API Key
- Copy the key — it is only shown once
Step 3: Install with Helm
helm install guardimesh-operator \
oci://quay.io/guardimesh/guardimesh-operator \
--namespace guardimesh-system \
--create-namespace \
--set apiKey=YOUR_API_KEY_HERE
This deploys:
- The Guardimesh operator (manages the scanner lifecycle)
- A GuardimeshScanner custom resource
- A scanner DaemonSet (one pod per node)
Step 4: Verify the Installation
Wait for all pods to reach Running status:
kubectl get pods -n guardimesh-system -w
Expected output (for a 2-node cluster):
NAME READY STATUS RESTARTS AGE
guardimesh-operator-7d8f9c6b4-x2k9p 1/1 Running 0 30s
guardimeshscanner-scanner-node1-abc12 5/5 Running 0 25s
guardimeshscanner-scanner-node2-def34 5/5 Running 0 25s
Each scanner pod runs 5 containers (scanner, antivirus, inspector, puller, obfuscation-scanner). All 5 must be ready.
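The readiness rule above can be checked in a script instead of by eye. The following is an added example, not part of Guardimesh's own tooling; it assumes scanner pod names contain "-scanner-" as in the sample output, and the pod list embedded in it is constructed.

```shell
#!/usr/bin/env bash
# Added example: flag scanner pods that are not 5/5 Running.
# Input on stdin: output of `kubectl get pods -n guardimesh-system --no-headers`.
# Assumption: scanner pod names contain "-scanner-" (as in the sample output).

EXPECTED_CONTAINERS=5   # scanner, antivirus, inspector, puller, obfuscation-scanner

# Prints one line per unhealthy scanner pod.
# Returns 0 if every scanner pod is fully ready, 1 if any is not,
# and 2 if no scanner pods were found at all.
check_scanner_pods() {
  awk -v want="$EXPECTED_CONTAINERS" '
    $1 ~ /-scanner-/ {
      seen++
      split($2, r, "/")          # READY column, e.g. "4/5"
      if (r[1] != want || r[2] != want || $3 != "Running") {
        printf "NOT READY: %s ready=%s status=%s\n", $1, $2, $3
        bad++
      }
    }
    END {
      if (seen == 0) { print "NOT READY: no scanner pods found"; exit 2 }
      if (bad > 0) exit 1
      exit 0
    }'
}

# Constructed sample: the pod on node2 still has one container not ready.
SAMPLE_PODS='guardimesh-operator-7d8f9c6b4-x2k9p 1/1 Running 0 30s
guardimeshscanner-scanner-node1-abc12 5/5 Running 0 25s
guardimeshscanner-scanner-node2-def34 4/5 Running 0 25s'

printf '%s\n' "$SAMPLE_PODS" | check_scanner_pods || echo "scanner DaemonSet is not fully ready"

# Live use:
#   kubectl get pods -n guardimesh-system --no-headers | check_scanner_pods
```

A node whose scanner pod is not fully ready should be treated as not yet covered by scanning.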
Check the DaemonSet:
kubectl get daemonset -n guardimesh-system
The DESIRED count should match the number of schedulable nodes in your cluster (minus any skipped namespaces like kube-system).
Step 5: Trigger a Test Detection
Deploy a test pod containing the EICAR test file (a harmless file universally recognized as a malware test signature):
kubectl run guardimesh-test \
--image=quay.io/guardimesh/test-container:latest \
--restart=Never \
--namespace=default
The scanner will detect the test file within seconds. You should see a finding in the web console under Scan Results with signature Eicar-Test-Signature.
Step 6: View Results
- Open the web console
- Navigate to Scan Results
- You should see the EICAR detection with details:
  - Pod name: guardimesh-test
  - Namespace: default
  - Signature: Eicar-Test-Signature
  - File path and timestamp
Step 7: Clean Up the Test
kubectl delete pod guardimesh-test --namespace=default
What Happens Next
With Guardimesh installed, your cluster is now continuously protected:
- New pods are scanned automatically when they start (active scanning)
- Signature databases are updated every 12 hours from the Guardimesh SaaS
- Scan configuration can be managed from the web console without redeploying
Optional: Configure Notifications
Set up alerts so you are notified immediately when malware is detected:
- Go to Notifications in the web console
- Click Add Channel
- Choose your integration (Email, Webhook, Slack, PagerDuty, Jira, or ServiceNow)
- Configure the endpoint and optional filters
- Click Test to verify delivery
See the Integrations Guide for detailed setup instructions.
Optional: Enable Scheduled Scanning
By default, only newly created pods are scanned. To periodically re-scan long-running containers:
- Go to Scan Configuration in the web console
- Enable Scheduled Scanning
- Set your preferred scan schedule (e.g., daily at 02:00)
- Set a minimum container age (e.g., 1 day) to avoid scanning pods that were just created
Uninstalling
To remove Guardimesh from your cluster:
helm uninstall guardimesh-operator --namespace guardimesh-system
kubectl delete namespace guardimesh-system
Next Steps
- Configuration Reference — Fine-tune scanning behavior
- Architecture — Understand what runs on your nodes
- Troubleshooting — Common issues and solutions