AutoCookies/pomai_scan

Pomai Scan

Pomai Scan is a deterministic, static-only malware scanning engine and C++ library.

Threat model and non-goals

  • Static-only inspection; no execution/emulation.
  • Deterministic output ordering and stable JSON.
  • Non-goals: behavior sandboxing and runtime detonation.

Quick start

cmake -S . -B build
cmake --build build -j
ctest --test-dir build --output-on-failure
./build/pomai_scan scan examples --format json --out report.json
./build/pomai_scan scan-repo . --format json --out repo_report.json

CLI

  • pomai_scan scan <path> [--format json|text|both] [--out report.json] [--stream jsonl]
  • pomai_scan scan-repo <path> [--format json|text|both] [--out report.json] [--stream jsonl]
  • pomai_scan rules list
  • pomai_scan rules validate <rulepack.json>
  • pomai_scan inspect <file>

Scoring

Scoring uses deterministic signal fusion; the scoring configuration is loaded from configs/scoring_v1.yaml.

Evidence graph

Reports include graph[] with stable node IDs and parent references. Findings reference graph nodes via graph_node_id.
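
A consumer of the report can check that every finding resolves to a graph node and recover its evidence chain by following parent references. The sketch below is an added example, not code from the Pomai Scan project. Only `graph` and `graph_node_id` are named on this page; the field names `findings`, `id`, `parent` and `rule`, and the sample report, are assumptions made for illustration.

```python
import json

# Constructed sample report. Only `graph` and `graph_node_id` come from the
# page; `findings`, `id`, `parent` and `rule` are assumed field names.
SAMPLE_REPORT = json.loads("""
{"graph": [{"id": "n0", "parent": null},
           {"id": "n1", "parent": "n0"},
           {"id": "n2", "parent": "n1"}],
 "findings": [{"rule": "R-EXAMPLE-1", "graph_node_id": "n2"},
              {"rule": "R-EXAMPLE-2", "graph_node_id": "n9"}]}
""")


def evidence_chain(nodes, node_id):
    """Return node IDs from the root down to node_id, following parent references."""
    chain, seen = [], set()
    while True:
        if node_id not in nodes:
            raise ValueError(f"unknown graph node: {node_id}")
        if node_id in seen:
            raise ValueError(f"parent cycle at graph node: {node_id}")
        seen.add(node_id)
        chain.append(node_id)
        node_id = nodes[node_id].get("parent")
        if node_id is None:
            return chain[::-1]


def resolve_findings(report):
    """Map each finding to its evidence chain; collect findings that do not resolve."""
    nodes = {}
    for node in report.get("graph", []):
        if node["id"] in nodes:
            raise ValueError(f"duplicate graph node ID: {node['id']}")
        nodes[node["id"]] = node
    resolved, dangling = [], []
    for finding in report.get("findings", []):
        try:
            chain = evidence_chain(nodes, finding.get("graph_node_id"))
            resolved.append((finding["rule"], chain))
        except ValueError as err:
            dangling.append((finding["rule"], str(err)))
    return resolved, dangling


if __name__ == "__main__":
    print(resolve_findings(SAMPLE_REPORT))
```

A non-empty second list means the report references evidence that is not in its own graph, which is worth treating as a failed integrity check before the report is used in review.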

Desktop forensic workstation (Tauri + React)

Pomai Scan Desktop lives in desktop/.

Build and run

cd desktop
npm install
npm run tauri dev

Key capabilities

  • Single static scan with explainable score reasons.
  • Persistent local scan history/timeline.
  • Diff mode (scan A vs B) with score and finding deltas.
  • Interactive evidence graph + right-side inspector.
  • Raw JSON and findings explorer for forensic review.

Local data storage

~/.pomai_scan/
  scans/
    <scan_id>/
      report.json
      metadata.json
  baselines/
  rulepacks/

See:

  • docs/UI_ARCHITECTURE.md
  • docs/DESKTOP_SECURITY.md

About

pomai_scan, an anomaly detection engine
