The Security Engine is Vloud’s always-on watcher. Every file that lands on the host — uploads, git clones, package installs — is scanned before the app can read it.

Subsystems

The Security Engine ships with twelve coordinated subsystems, all off by default behind feature flags:

  • Malware scanner — ClamAV via local Unix socket; scans single files or full filesystems on schedule.
  • YARA rules — signature-based detection. Ships with 400+ rules from the open-source YARA-Rules community, plus Vloud’s own curated set for common webshells.
  • Signature feeds — daily-refreshed hash lists of known-bad files.
  • Real-time watcher — inotify-driven scans on any write under a watched path.
  • Upload gateway — every HTTP upload through the engine’s reverse proxy lands in a sandbox volume first; released only after the scan clears.
  • Quarantine manager — anything flagged moves to /var/vloud/quarantine/ (non-executable, restore-guarded) with its metadata preserved for forensic review.
  • Threat-intel service — pulls hash / URL / IP / domain feeds you configure; enriches every threat finding.
  • Process monitor — /proc + ss heuristics catch cryptominers, reverse shells, and runaway worker processes.
  • Container scan — scans running Docker images / containers, not just the host filesystem.
  • Quarantine retention — age-based purge with configurable TTL.
  • Daily digest — 24-hour summary across every subsystem, delivered via your configured notification channel.
  • Prometheus metrics — counters and timers for every module, scrapable from any external monitor.

Flags

Everything off by default. The master switch is security.engine_enabled in the engine dashboard. Individual subsystems (YARA, upload gateway, real-time watcher) flip independently so you can roll out gradually.

Tuning

  • Allowlist — hosts or paths the watcher should skip (e.g. /var/vloud/backups where the engine itself writes).
  • Quarantine retention — default 30 days; configurable.
  • Scan concurrency — default 2 workers; raise on beefier boxes.
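As an added illustration of the quarantine manager and the quarantine-retention purge described above (example code written for this page, not Vloud's own implementation, whose language and on-disk layout the page does not describe): a flagged file is moved into /var/vloud/quarantine/, its execute bits are cleared, a metadata sidecar is kept for forensic review, and files older than the TTL are purged. The `.meta.json` sidecar, the hash-prefixed file name and the `reason` field are assumptions.

```python
import hashlib, json, shutil, stat, time
from pathlib import Path

# Assumed layout (the page only names the directory): every quarantined
# file gets a "<name>.meta.json" sidecar holding its original metadata.
QUARANTINE_DIR = Path("/var/vloud/quarantine")


def quarantine(path: Path, reason: str, qdir: Path = QUARANTINE_DIR) -> Path:
    """Move a flagged file into qdir, strip execute bits, record metadata."""
    path = Path(path)
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    meta = {
        "original_path": str(path.resolve()),
        "sha256": digest,
        "size": st.st_size,
        "mtime": st.st_mtime,
        "mode": stat.S_IMODE(st.st_mode),  # original permissions, for the analyst
        "reason": reason,                  # e.g. which YARA rule fired (assumed field)
        "quarantined_at": time.time(),
    }
    qdir.mkdir(parents=True, exist_ok=True)
    # Prefix by hash so two findings with the same file name cannot collide.
    dest = qdir / f"{digest}_{path.name}"
    shutil.move(str(path), str(dest))
    dest.chmod(0o600)  # owner read/write only; nothing in quarantine is executable
    dest.with_name(dest.name + ".meta.json").write_text(json.dumps(meta))
    return dest


def purge_expired(ttl_days: int, qdir: Path = QUARANTINE_DIR, now: float = None) -> list:
    """Age-based retention: remove files (and sidecars) older than ttl_days."""
    cutoff = (time.time() if now is None else now) - ttl_days * 86400
    removed = []
    for meta_path in sorted(qdir.glob("*.meta.json")):
        meta = json.loads(meta_path.read_text())
        if meta["quarantined_at"] < cutoff:
            meta_path.with_name(meta_path.name[:-len(".meta.json")]).unlink(missing_ok=True)
            meta_path.unlink()
            removed.append(meta["sha256"])
    return removed
```

The default TTL on the page is 30 days; `purge_expired(30)` run from a scheduler reproduces that policy.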

Metrics

Exposed at /api/security/metrics (engine-local) and surfaced on the Security Engine tab of your dashboard:

  • Files scanned per second.
  • Quarantine queue depth.
  • YARA rule-hit counters.
  • Upload gateway release vs block ratio.

See the operator runbook for incident response and rule-update workflow.