Gateway to SemanticsAV Platform:
CLI, daemon, and API servers for AI-native malware detection and threat intelligence.
Offline Zero-Day Detection • Real-Time Cloud Intelligence • Privacy-by-Design
SemanticsAV Platform delivers AI-native malware detection that analyzes what code means, not what it looks like. By understanding semantic context and design intent—rather than matching syntactic patterns—it detects zero-day threats that evade traditional signature-based and sandbox approaches.
Currently, the platform consists of three core components:
| SemanticsAV SDK | On-device AI engine delivering instant malware detection without network dependency during scanning |
| SemanticsAV Intelligence | Cloud API providing genetic positioning, attack attribution, and forensic context analysis |
| SemanticsAV CLI (this repository) | Gateway interface: CLI tools, daemon services, and transparent network layer |
🧬 From Syntax to Semantics (Core Philosophy)
Traditional security tools analyze what code looks like—matching byte patterns, following expert-defined rules, or observing predefined behaviors. SemanticsAV fundamentally redefines detection by analyzing what code means.
- End-to-end AI learning from file structures with zero human-defined rules or signatures
- Contextual pattern discovery beyond human comprehension—not which API is called, but what appears together with what
- Eliminates predictable detection logic that attackers can study and evade
- Transcends fundamental limitations of both static signature matching and dynamic sandbox observation
🚀 On-Device Excellence (SemanticsAV SDK)
Ultra-lightweight AI engine delivering production-grade malware verdicts without any network dependency—same detection accuracy as cloud, optimized for instant response and air-gapped deployment.
- Blazing fast detection with minimal memory footprint—enabling deployment at scale without infrastructure overhead
- Zero network dependency during scanning—complete offline operation with no cloud requirements
- Continuous evolution through periodic model updates adapting to emerging threat landscapes
- Free unlimited scanning for all uses on Linux—personal, commercial services, and product integration
🌐 Optional Cloud Intelligence (SemanticsAV Intelligence)
Real-time cloud API transforming instant verdicts into actionable forensic intelligence—delivering comprehensive analysis in seconds.
- Real-time threat intelligence responding in seconds—enabling immediate incident response unlike traditional sandboxes requiring extended observation
- Genetic neighborhood mapping revealing where samples cluster in malware landscape—distinguishing isolated threats from campaign-linked variants
- Multi-family attribution connecting samples to known signatures (RATs, infostealers, ransomware) through geometric similarity
- Attribute-level evidence with visual comparison matrices proving polymorphism cannot hide fundamental design DNA
- Independent geometric verification providing mathematical proof of positioning—validating verdicts or revealing critical alerts
- Actionable forensic reports with natural language synthesis for executive summaries and response strategies
🔒 Privacy-by-Design (Transparent Architecture)
All network communication occurs through MIT-licensed open-source code you can audit—proving file originals never leave your system.
- File originals never transmitted—SDK has zero network capability during scanning
- Minimal data extraction transmitting only a proprietary analytical payload required for cloud analysis
- Deterministic processing producing identical payloads for identical files across all environments—enabling indirect verification
- No file size restrictions for cloud analysis with minimal network resource consumption
- Complete transparency through auditable open-source wrapper code handling all network communication
⚡ Production Ready (SemanticsAV CLI)
Production-grade integration tools built for enterprise security workflows and automation pipelines.
- Daemon mode with HTTP and Unix socket APIs for system-wide integration
- Multiple output formats (JSON, HTML, Markdown) for automation and reporting
- Multi-threaded scanning optimized for high-throughput environments
- CI/CD integration ready for security orchestration and DevSecOps workflows
Currently Supported:
- PE (Portable Executable) — Windows executables (.exe, .dll, .sys)
- ELF (Executable and Linkable Format) — Linux/Unix executables and shared objects
Expanding Coverage:
The platform is actively expanding to cover all file formats capable of carrying malicious payloads, prioritized by real-world threat landscape:
- Document formats (Office, PDF, RTF)
- Script languages (JavaScript, PowerShell, Python, bash)
- Mobile executables (APK, IPA)
- Specialized binary formats (Mach-O, Java bytecode, .NET assemblies)
Both Community and Commercial editions receive production-ready detection models.
Differences may occur due to:
- Update timing: Critical threats may receive priority commercial updates
- Confidential data: Models trained on NDA-protected samples
- Specialized threats: Industry-specific or deployment-specific requirements
Choose your installation type:
User Installation (recommended for personal use):
- Installs to ~/.local
- No sudo required
- Easy to uninstall
System Installation (for server/multi-user environments):
- Installs to /usr/local
- Requires sudo privileges
- Runs as system service
Optional: Enable daemon for background services
Why use daemon? (Optional)
- HTTP API for remote integration
- Automatic model updates in background
- System service integration
- Always-on availability for instant responses
For detailed forensic analysis and threat attribution:
| Operating System | Linux (glibc compatibility required) |
| Architecture | x86_64 or aarch64 (ARM64) |
| Compiler | GCC 10+ or Clang 12+ with C++20 support |
| Build System | CMake 3.16 or later |
| Network | Internet connection for build-time dependency downloads |
SemanticsAV SDK Binary Compatibility:
| x86_64 | glibc >= 2.17, libstdc++ >= 3.4.19 (GCC 4.8.5) | RHEL/CentOS 7+, Ubuntu 16.04+, Debian 9+, etc. |
| aarch64 (ARM64) | glibc >= 2.27, libstdc++ >= 3.4.22 (GCC 6.1) | RHEL/AlmaLinux 8+, Ubuntu 18.04+, Debian 10+, etc. |
Verify your system compatibility:
For advanced users who prefer manual control:
Quick setup:
View configuration:
Set specific values:
Configuration locations:
- System mode: /etc/semantics-av/semantics-av.conf
- User mode: ~/.config/semantics-av/config.conf
Required for cloud analysis features. Obtain your API key from SemanticsAV Console.
Basic scanning:
Generate forensic intelligence reports:
Start/stop daemon:
When daemon is running, REST API is available at http://127.0.0.1:9216 (configurable).
Scan file:
Response:
Additional endpoints:
- POST /api/v1/analyze - Cloud analysis
- POST /api/v1/models/update - Update models
- GET /api/v1/status - Daemon status
- GET /api/v1/health - Health check
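Because the listen address is configurable, it is worth confirming after any configuration change that the daemon's HTTP API is still bound to loopback only. The following is an added example, not part of the SemanticsAV code base: it parses `/proc/net/tcp` for listeners on the default port 9216. The function names and the embedded sample table are constructed for illustration, and it assumes IPv4 on a little-endian host.

```python
import ipaddress
import struct

DAEMON_PORT = 9216  # default from this README; adjust if reconfigured

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2400 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   2: 0100007F:2400 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 31400 1 0000000000000000 20 4 30 10 -1
"""

def listeners(proc_net_tcp, port):
    """Return the IPv4 addresses that have a LISTEN socket on `port`."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":    # 0A = TCP_LISTEN
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) != port:
            continue
        # The kernel prints the address as a native-endian u32 (little-endian assumed).
        raw = struct.pack("<I", int(addr_hex, 16))
        found.append(ipaddress.ip_address(raw))
    return found

def exposed(proc_net_tcp, port=DAEMON_PORT):
    """Return listener addresses on `port` that are reachable beyond loopback."""
    return [str(a) for a in listeners(proc_net_tcp, port) if not a.is_loopback]

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP                 # fall back to the constructed sample
    bad = exposed(table)
    print("non-loopback listeners on %d: %s" % (DAEMON_PORT, bad or "none"))
```

IPv6 listeners appear in `/proc/net/tcp6` with a different address encoding and are not covered here.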
For high-performance local integration:
- System: /var/run/semantics-av/semantics-av.sock
- User: ~/.local/state/semantics-av/semantics-av.sock
Binary protocol with zero-copy file descriptor passing. Specification in include/semantics_av/daemon/protocol.hpp.
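The descriptor-passing mechanism mentioned above, shown as an added example that is not the project's code: the client opens the file and hands the open descriptor to the receiver over a Unix socket, so the receiver works on the exact inode the client opened and never re-resolves a path. The one-byte `b"S"` frame and the function names are hypothetical; the real wire format is defined in `include/semantics_av/daemon/protocol.hpp`.

```python
import hashlib
import os
import socket
import stat
import tempfile

def client_send(sock, path):
    """Open `path` read-only and pass the descriptor to the peer (SCM_RIGHTS)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        socket.send_fds(sock, [b"S"], [fd])   # hypothetical one-byte request frame
    finally:
        os.close(fd)                          # the receiver holds its own duplicate

def daemon_receive(sock):
    """Receive one descriptor, validate it, and hash the file through it."""
    msg, fds, _flags, _addr = socket.recv_fds(sock, 16, 1)
    if msg != b"S" or len(fds) != 1:
        for extra in fds:
            os.close(extra)
        raise ValueError("malformed request")
    fd = fds[0]
    try:
        st = os.fstat(fd)                     # inspect the object itself, not a path
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file")
        os.lseek(fd, 0, os.SEEK_SET)          # file offset is shared with the sender
        digest = hashlib.sha256()
        while chunk := os.read(fd, 65536):
            digest.update(chunk)
        return st.st_size, digest.hexdigest()
    finally:
        os.close(fd)

def demo(data=b"MZ constructed sample bytes"):
    """Run both sides over a socketpair with a constructed temporary file."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b, tempfile.NamedTemporaryFile() as tmp:
        tmp.write(data)
        tmp.flush()
        client_send(a, tmp.name)
        return daemon_receive(b)

if __name__ == "__main__":
    print(demo())
```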
The uninstaller automatically detects installation type and optionally removes configuration/data files.
SemanticsAV operates in two modes: offline malware detection and optional cloud intelligence.
Privacy-First Architecture
Offline Detection (Free)
The SemanticsAV SDK performs complete AI-based malware analysis locally without any network dependency. Your files never leave your system during scanning—perfect for air-gapped environments and zero-trust architectures.
Cloud Intelligence (Optional)
When using the Intelligence API, only an encrypted, proprietary analysis payload is transmitted—the original file is never uploaded and cannot be reconstructed from the payload. All network communication occurs through the open-source CLI wrapper, enabling you to audit exactly what data is transmitted.
Privacy Details: See PRIVACY_POLICY.md for complete data handling practices and architectural transparency guarantees.
We exist to democratize access to AI-powered threat detection and make advanced security capabilities foundational infrastructure for the open-source ecosystem.
Traditional enterprise-grade malware detection remains locked behind commercial licensing, creating a security divide where well-funded organizations deploy sophisticated AI-driven defenses while open-source projects, security researchers, and Linux-native organizations rely on signature-based approaches decades behind the threat landscape.
By making SemanticsAV freely available on Linux for all commercial uses, we enable:
- Linux distributions to ship with zero-day detection capabilities built-in, not bolted-on
- Open-source security projects to integrate semantic analysis without licensing barriers
- Security service providers to deliver AI-powered protection to underserved markets
- Research communities to advance defensive capabilities through unrestricted access to production-grade technology
We believe security technology evolves fastest when foundational tools are accessible. Commercial licensing for cross-platform deployment and premium Intelligence services sustains continued innovation while keeping Linux deployments perpetually free—ensuring the open ecosystem that drives global infrastructure remains protected by the same advanced capabilities available to enterprise environments.
The SemanticsAV SDK for Linux is provided under a perpetual, royalty-free EULA. All commercial uses are permitted—including service delivery, product integration, and redistribution—subject only to the terms specified in the EULA (no reverse engineering, no competitive development, mandatory attribution).
Full details: EULA.md
| SemanticsAV CLI | MIT | Full rights—modify, distribute, commercial use |
| SemanticsAV SDK (Linux) | EULA | All commercial uses permitted under EULA terms |
| SemanticsAV Intelligence | Terms of Service | Subscription service, separate terms |
Commercial licenses are available for:
- Cross-Platform Deployment — Windows, macOS, and other non-Linux platforms
- Customized Advanced Features — Tailored detection models and specialized deployments
- Commercial Intelligence Integration — Services that redistribute Intelligence analysis to customers
- Enterprise Support — Dedicated technical support, custom SLAs, professional services
Licensing inquiries: [email protected]
Contributions welcome to MIT-licensed wrapper code:
- CLI commands and features
- Daemon optimizations and protocols
- Output formatters and report generators
- Build system and packaging improvements
- Documentation and examples
Not modifiable: SemanticsAV SDK (proprietary binary)
Process: Fork → Feature branch → Pull request
Legal Documents:
- SDK EULA: EULA.md
- Intelligence ToS: INTELLIGENCE_TOS.md
- Privacy Policy: PRIVACY_POLICY.md
- Third-Party Licenses: ThirdPartyNotices.txt



