We're looking for "cost effective" mechanism to provide 'scan on write' access for some NSS volumes that will be based on OES2 SP1 (SLES10SP2) NCS nodes.

I see that in days gone by (OES1 (SLES9)) people have used clamav with the dazoku module to provide this type of access.

So, it looks like the dazuko's default mechanism (i.e. to use the LSM API) is thwarted by AppArmor, so they suggest using 'syscall hooking'...

Has anyone got this up and running?
What's the performance hit?
Also, if we're not actually using AppArmor should we be able get dazuko to work in default config? Is this (LSM API) 'better' than syscall hooking?

Any other alternatives (in the "cost effective" category ;-) We were disappointed that our 'Enterprise' agreement from McAfee didn't cover our increasing number of SLE servers and nodes.... :-(