I have recently been working on improving the virus scanning functionality in Moodle; see the MDL-50886 meta issue for details. I can see some advantages of having antiviruses implemented as plugins rather than being "hardcoded" in a function as it is now.
- First, it would allow people to use something other than ClamAV. While ClamAV will remain a core plugin, it will not stop people from implementing plugins for different virus scanning engines they may have in their environment, thus making antivirus functionality scalable and multi-platform. This is implemented in MDL-50887.
- Second, this will make improving ClamAV itself simpler. For example, there is a way to use Unix sockets instead of command-line utility execution to scan files, which is on average about 10 times faster (for statistical analysis and implementation see MDL-50888). Extending the existing code with the functionality above will make it more bulky, and it is logically incorrect to mix it with the repository class.
- Third, the plugin infrastructure will allow differentiating by the type of data being scanned. Each antivirus plugin could declare what it is able to do, e.g. whether it can scan "file" only or supports "data stream" scanning as well (in the latter case there will be no need to take extra steps and create files from a string just to scan it; the sockets implementation of ClamAV has functionality to work with data streams directly). This can be extended even further to differentiate between the actual content that an antivirus is able to scan. For example, if a plugin declares that it supports scanning HTML for malicious content, it could be used by the editor to scan HTML before recording it in the database (this is particularly important for editing teachers, whose content is not HTML-purified; we had a real case where some virus was embedding malicious JS code in TinyMCE and the teacher blindly submitted it without realising that the form contained something other than what they saw on the screen).
I suggest we discuss the general idea here and hear people's opinions about this improvement. If you want to mention something related to the actual patch code, please do that in the comments of the corresponding tracker issue; you will find them all in the MDL-50886 subtasks.
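
The "data stream" scan over a Unix socket mentioned in the post, sketched as an added example that is not part of the original post and not Moodle's code: it speaks clamd's INSTREAM command (length-prefixed chunks, zero-length terminator) so a string is scanned without a temporary file. The socket path, function names and chunk size are assumptions for illustration.

```python
import socket
import struct

# Assumption: Debian-style clamd socket path; check LocalSocket in clamd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

def frame_instream(data: bytes, chunk_size: int = 8192) -> bytes:
    """Frame data for clamd INSTREAM: command, length-prefixed chunks, terminator."""
    parts = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        parts.append(struct.pack("!I", len(chunk)) + chunk)  # 4-byte big-endian length
    parts.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(parts)

def parse_reply(reply: bytes):
    """Map a clamd reply to (status, detail); anything unrecognised is an error."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "stream: OK":
        return ("clean", None)
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return ("infected", text[len("stream: "):-len(" FOUND")])
    # e.g. size limit exceeded or empty reply: a scan failure, never "clean"
    return ("error", text)

def scan_stream(data: bytes, socket_path: str = CLAMD_SOCKET, sock=None,
                timeout: float = 10.0):
    """Scan an in-memory string. `sock` (hypothetical parameter) lets a caller
    pass an already connected socket, which allows testing without a daemon."""
    own = sock is None
    if own:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(socket_path)
    try:
        sock.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:  # daemon closed the connection
                break
            reply += part
        return parse_reply(reply)
    finally:
        if own:
            sock.close()
```

clamd rejects streams larger than its `StreamMaxLength` setting with an error reply, which `parse_reply` reports as `"error"` rather than as a clean result.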