I agree with tariquesani. A malware scanner does not need to be a plugin. If I could run a scanner at CLI manually or via cron, I can configure log files and email notifications as I like and I can run it against the database directly. Moreover, if WordPress ever becomes compromised, then the plugin may be disabled or compromised as well.
