Hi,
thanks for your interest. We'll consider your feedback.
1. The idea is that the daemon runs with unprivileged user whenever possible. This is good enough for scaning blobs via REST API or for scanning files under your control (e.g. something you upload for scanning).
The `scan` tool currently passes just the path to the scan service, which walks directories and reads the files, so it needs to run as root to be able to scan other user's files. The same applies for `avast-fss`, which actually switches the service to root when installed.
We're aware this is not ideal. We plan to change this, so both FSS and scan tool would pass open files to the service, so only those would read files and possibly require root. The service, which contains the scanning engine, should run as unprivileged user, because it doesn't need higher privileges for the scanning logic.
Your workaround (switching daemon to root) is the best way for now.
2. This is theoretically possible, the drawback of such fat scan tool would be that it would take some time to start (loading the engine + virus definitions takes up to few seconds). So it would need to be an alternative, and it would be very inefficient to run in a batch on individual files. We currently don't have plan to implement this.