If we had stackable LSMs then the required functionality could simply be built into the LSM interface. Then the anti-malware would simply stack itself with other LSMs. In my opinion this is a perfect example for the argument of stackable LSMs.
So far we mainly have LSMs which provide an extra access control mechanism (in addition to DAC).
IMHO, Ideally DAC could be another stackable LSM (enabled by default).
Other security schemes such as intrusion detection, firewalls/netfilter, anti-malware, and application restrictions (sandboxes such as jails or finer grained restrictions such as AppArmor) could all register LSMs onto the stack.
Additional infrastructure would be necessary. Permissible security remains a item of contention. Perhaps I am naive but I think most LSMs could work based on accept/reject. Where every LSM must accept an action in order for it to be carried out.
MHO,