Just for the sake of completeness: how about enhancing ClamAV so that it takes an fd (instead of a filename) as its input?
It looks as if fds are already supported somehow. Need to have a closer look at that ...
But I found an even better alternative: ClamAV supports a STREAM command which allows a client to send a string to the scanner. This allows scanning a string even before it is written to disk.
I think that this will totally kill performance. Many programs can create temporary files that later get deleted. There's no point in monitoring writes to those.
The only way to tell is to wait until the handle gets closed by Wine. Then I imagine you'd use fstat on a copy of the handle and see if there are any hard links (i.e. directory entries) pointing to that inode, and if there are (i.e. if the file is still accessible), only then you'd scan it. You'd also need to keep track of any handle copies that Wine holds, if there are any -- I don't know offhand if Wine itself duplicates "user" file handles, nor whether there's a Windows API to do so.
Similarly, programs such as databases may reorganize huge swaths of file(s), writing a lot of stuff that has no relevance to a virus scanner.
I think that no-brainer approaches will result in exactly the same performance-robbing solution as McAfee and Symantec products evolved to.
I think there needs to be some more serious thinking done before implementing your project.
Cheers, Kuba
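
The close-time check described in the message above (fstat on the handle, then look for remaining hard links), as an added C example that is not part of the original thread and is not Wine or ClamAV code. The enum, the function names and the temp-file demo are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

enum scan_decision { SCAN_ERROR = -1, SKIP_NOT_REGULAR, SKIP_UNLINKED, DO_SCAN };

/* Decide, just before the last handle to a file is closed, whether the
 * file is still reachable through a directory entry and worth scanning. */
enum scan_decision scan_decision_on_close(int fd)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return SCAN_ERROR;          /* caller chooses how to fail */
    if (!S_ISREG(st.st_mode))
        return SKIP_NOT_REGULAR;    /* pipes, sockets, devices */
    if (st.st_nlink == 0)
        return SKIP_UNLINKED;       /* deleted temp file: no name left */
    return DO_SCAN;
}

/* Constructed demo: write a temp file, check it, unlink it, check again. */
int demo(enum scan_decision *linked, enum scan_decision *unlinked)
{
    char path[] = "/tmp/scan_demo_XXXXXX";
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    if (write(fd, "payload", 7) != 7) {
        close(fd);
        unlink(path);
        return -1;
    }
    *linked = scan_decision_on_close(fd);    /* name still exists */
    unlink(path);
    *unlinked = scan_decision_on_close(fd);  /* inode alive, no name */
    close(fd);
    return 0;
}

int main(void)
{
    enum scan_decision linked, unlinked;

    if (demo(&linked, &unlinked) != 0)
        return 1;
    printf("linked=%d unlinked=%d\n", linked, unlinked);
    return 0;
}
```

The link count is a snapshot taken at close time, and some filesystems (NFS with its silly-rename of open files, for example) keep a directory entry for a deleted file while it is open, so the count can stay above zero there.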