savdid vs. savscan vs. savscand with varying scan results

Question

I've recently installed the free sav version on a linux server to evaluate as a potential solution for scanning emails for malware. 
 I did notice a few "interesting" behavior differences though and I hope someone could explain those to me: 
 If sav-protect.service is stopped, scanning a known malware file ( https://www.virustotal.com/#/file/82ca635333f13e229a0b4562b1c9daab9c3ba6bd932c334940ef7ca1ad66afbb/detection) does tell me that the file is clean: 
 
 # savscan --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive /tmp/v/DOC\ 47520_IMG.zip SAVScan virus detection utility Version 5.47.0 [Linux/AMD64] Virus data version 5.55, September 2018 Includes detection for 25679169 viruses, Trojans and worms Copyright (c) 1989-2018 Sophos Limited. All rights reserved. System time 03:55:32 AM, System date 23 September 2018 Command line qualifiers are: --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive IDE directory is: /opt/sophos-av/lib/sav [IDE messages removed] 
 Quick Scanning 1 file scanned in 16 seconds. No viruses were discovered. End of Scan. # 
 
 Running the same scan with the sav-protect.service running, tells a different story: 
 
 # systemctl start sav-protect.service # savscan --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive /tmp/v/DOC\ 47520_IMG.zip SAVScan virus detection utility Version 5.47.0 [Linux/AMD64] Virus data version 5.55, September 2018 Includes detection for 25679169 viruses, Trojans and worms Copyright (c) 1989-2018 Sophos Limited. All rights reserved. System time 03:57:20 AM, System date 23 September 2018 Command line qualifiers are: --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive IDE directory is: /opt/sophos-av/lib/sav [IDE messages removed] Quick Scanning >>> Virus 'Mal/Generic-S' found in file /tmp/v/DOC 47520_IMG.zip/DOC 47520_IMG.exe [root,root,644] >>> Virus 'Mal/Generic-S' found in file /tmp/v/DOC 47520_IMG.zip [root,root,644] 1 file scanned in 16 seconds. 2 viruses were discovered. 1 file out of 1 was infected. If you need further advice regarding any detections please visit our Threat Center at: www.sophos.com/.../threat-center.aspx End of Scan. # 
 
 So this is better. But why does the savscan tool need the savscand running for this file to be detected as a virus? The eicar.com testfile is detected regardless of the savscand running or not. 
 The second question now is, why does the sav direct interface _not_ recognize the virus in the same file? 
 
 # socat stdio unix-connect:/var/run/savdi/sssp.sock OK SSSP/1.0 SSSP/1.0 ACC 5BA6ED9E/1 SCANFILE /tmp/v/eicar.com ACC 5BA6ED9E/2 VIRUS EICAR-AV-Test /tmp/v/eicar.com OK 0203 /tmp/v/eicar.com DONE OK 0203 Virus found during virus scan SCANFILE /tmp/v/DOC%2047520_IMG.zip ACC 5BA6ED9E/3 DONE OK 0000 The function call succeeded BYE BYE # 
 
 So what gives? eicar found, but a real virus isn't? Savdi is configures to scan in archives and all other files using the GrpSuper configuration, so it shouldn't be that. 
 QUERY SAVI gives the following options that a scan is running with: 
 
 {'AS3': {'type': 'U32', 'value': 1}, 'ASPack': {'type': 'U32', 'value': 1}, 'AXml': {'type': 'U32', 'value': 1}, 'Access': {'type': 'U32', 'value': 1}, 'ActiveMimeHandling': {'type': 'U32', 'value': 1}, 'AllowPartialVirusData': {'type': 'U32', 'value': 0}, 'AppleSingle': {'type': 'U32', 'value': 1}, 'ApplicationControl': {'type': 'U32', 'value': 0}, 'ArjDecompression': {'type': 'U32', 'value': 1}, 'Base64': {'type': 'U32', 'value': 1}, 'BehaviourMalware': {'type': 'U32', 'value': 1}, 'BehaviourSuspicious': {'type': 'U32', 'value': 0}, 'Block': {'type': 'U32', 'value': 1}, 'Brotli': {'type': 'U32', 'value': 1}, 'BuffCacheSize': {'type': 'U16', 'value': 4}, 'Bzip2': {'type': 'U32', 'value': 1}, 'CleanBmp': {'type': 'U32', 'value': 1}, 'CleanGif': {'type': 'U32', 'value': 1}, 'CleanJpeg': {'type': 'U32', 'value': 1}, 'CleanMp3': {'type': 'U32', 'value': 1}, 'CleanMpeg': {'type': 'U32', 'value': 1}, 'CleanPng': {'type': 'U32', 'value': 1}, 'CleanRiff': {'type': 'U32', 'value': 1}, 'CleanTiff': {'type': 'U32', 'value': 1}, 'CloudSandbox': {'type': 'U32', 'value': 0}, 'CmzDecompression': {'type': 'U32', 'value': 1}, 'ConcatenatedArchives': {'type': 'U32', 'value': 0}, 'CustomExtract': {'type': 'U32', 'value': 1}, 'DecomprSizeCb': {'type': 'U32', 'value': 0}, 'DecompressVBA5': {'type': 'U32', 'value': 1}, 'Deflate': {'type': 'U32', 'value': 1}, 'DelVBA5Project': {'type': 'U32', 'value': 1}, 'DetectSecondaries': {'type': 'U32', 'value': 0}, 'Dex': {'type': 'U32', 'value': 1}, 'Dmg': {'type': 'U32', 'value': 0}, 'DynamicDecompression': {'type': 'U32', 'value': 1}, 'Elf': {'type': 'U32', 'value': 1}, 'Emulation': {'type': 'U32', 'value': 1}, 'EnableAllowedLists': {'type': 'U32', 'value': 0}, 'EnableAutoStop': {'type': 'U32', 'value': 0}, 'EnableOSSpecificLoad': {'type': 'U32', 'value': 0}, 'EnablePdfAutoStop': {'type': 'U32', 'value': 0}, 'Epoc': {'type': 'U32', 'value': 1}, 'ExcelFormulaHandling': {'type': 'U32', 'value': 1}, 'ExecFileDisinfection': {'type': 'U32', 'value': 1}, 'ExtensiveScan': {'type': 'U32', 'value': 0}, 'Fsg': {'type': 'U32', 'value': 1}, 'FullMacroSweep': {'type': 'U32', 'value': 0}, 'FullPdf': {'type': 'U32', 'value': 0}, 'FullSweep': {'type': 'U32', 'value': 0}, 'GZipDecompression': {'type': 'U32', 'value': 1}, 'GrpArchiveUnpack': {'type': 'OPTION_GROUP', 'value': '2'}, 'GrpClean': {'type': 'OPTION_GROUP', 'value': '2'}, 'GrpDisinfect': {'type': 'OPTION_GROUP', 'value': '2'}, 'GrpExecutable': {'type': 'OPTION_GROUP', 'value': '2'}, 'GrpInternet': {'type': 'OPTION_GROUP', 'value': '2'}, 'GrpMSOffice': {'type': 'OPTION_GROUP', 'value': '2'}, 'GrpMisc': {'type': 'OPTION_GROUP', 'value': '2'}, 'GrpSelfExtract': {'type': 'OPTION_GROUP', 'value': '2'}, 'GrpSuper': {'type': 'OPTION_GROUP', 'value': '2'}, 'GrpWebArchive': {'type': 'OPTION_GROUP', 'value': '2'}, 'GrpWebEncoding': {'type': 'OPTION_GROUP', 'value': '2'}, 'Guid': {'type': 'U32', 'value': 1}, 'HelpHandling': {'type': 'U32', 'value': 1}, 'Hfs': {'type': 'U32', 'value': 0}, 'HqxDecompression': {'type': 'U32', 'value': 1}, 'Html': {'type': 'U32', 'value': 1}, 'Http': {'type': 'U32', 'value': 1}, 'ISCabinet': {'type': 'U32', 'value': 1}, 'ISCabinetFull': {'type': 'U32', 'value': 0}, 'ISO9660': {'type': 'U32', 'value': 0}, 'ITSS': {'type': 'U32', 'value': 1}, 'IdeDir': {'type': 'OPTION_STRING', 'value': '/opt/sophos-av/lib/sav'}, 'IgnoreTemplateBit': {'type': 'U32', 'value': 1}, 'JSEmul': {'type': 'U32', 'value': 1}, 'Java': {'type': 'U32', 'value': 1}, 'LZMAAlone': {'type': 'U32', 'value': 1}, 'Lha': {'type': 'U32', 'value': 1}, 'LoopBackEnabled': {'type': 'U32', 'value': 1}, 'MLEnabled': {'type': 'U32', 'value': 0}, 'MSCabinet': {'type': 'U32', 'value': 1}, 'MSCompress': {'type': 'U32', 'value': 1}, 'MachO': {'type': 'U32', 'value': 1}, 'MarkTampered': {'type': 'U32', 'value': 1}, 'MaxIntRecDepth': {'type': 'U16', 'value': 25}, 'MaxRecursionDepth': {'type': 'U16', 'value': 16}, 'MaxSampleSubmitSize': {'type': 'U16', 'value': 10240}, 'MbinDecompression': {'type': 'U32', 'value': 1}, 'Mbox': {'type': 'U32', 'value': 1}, 'Mime': {'type': 'U32', 'value': 1}, 'MimeEmbedLimit': {'type': 'U16', 'value': 25}, 'MimeEmbedLines': {'type': 'U16', 'value': 500}, 'MimeEmbedded': {'type': 'U32', 'value': 1}, 'MimeReScan': {'type': 'U32', 'value': 2}, 'Msi': {'type': 'U32', 'value': 0}, 'NamespaceSupport': {'type': 'U32', 'value': 0}, 'OF95DecryptHandling': {'type': 'U32', 'value': 1}, 'OLE2Handling': {'type': 'U32', 'value': 1}, 'Odoc': {'type': 'U32', 'value': 1}, 'Office2001Handling': {'type': 'U32', 'value': 1}, 'Office97Decrypt': {'type': 'U32', 'value': 1}, 'Ole2FileDisinfection': {'type': 'U32', 'value': 1}, 'OleDataMsoHandling': {'type': 'U32', 'value': 1}, 'OleRawHandling': {'type': 'U32', 'value': 1}, 'OleScriptHandling': {'type': 'U32', 'value': 1}, 'OpenMacRf': {'type': 'U32', 'value': 1}, 'OutlookExpress': {'type': 'U32', 'value': 1}, 'Oxml': {'type': 'U32', 'value': 1}, 'PECompact': {'type': 'U32', 'value': 1}, 'PEHandling': {'type': 'U32', 'value': 1}, 'PalmPilotHandling': {'type': 'U32', 'value': 1}, 'Pdf': {'type': 'U32', 'value': 1}, 'PeEmulator': {'type': 'U32', 'value': 1}, 'Plist': {'type': 'U32', 'value': 1}, 'PowerPointEmbeddedHandling': {'type': 'U32', 'value': 1}, 'PowerPointMacroHandling': {'type': 'U32', 'value': 1}, 'ProductCLI': {'type': 'U32', 'value': 0}, 'ProductDesktop': {'type': 'U32', 'value': 0}, 'ProductGateway': {'type': 'U32', 'value': 0}, 'ProductMobile': {'type': 'U32', 'value': 1}, 'ProductUnspecified': {'type': 'U32', 'value': 1}, 'ProductWeb': {'type': 'U32', 'value': 0}, 'ProjectHandling': {'type': 'U32', 'value': 1}, 'PuaDetection': {'type': 'U32', 'value': 0}, 'RarDecompression': {'type': 'U32', 'value': 1}, 'Rpm': {'type': 'U32', 'value': 1}, 'Rtf': {'type': 'U32', 'value': 1}, 'SXLAsynchDelay': {'type': 'U16', 'value': 0}, 'SXLAsynchQueueSize': {'type': 'U16', 'value': 200}, 'SXLAsynchThreadCount': {'type': 'U16', 'value': 1}, 'SXLCacheEnable': {'type': 'U32', 'value': 0}, 'SXLCacheFileStub': {'type': 'OPTION_STRING', 'value': ''}, 'SXLCacheSize': {'type': 'U16', 'value': 20}, 'SXLLiveProtection': {'type': 'U32', 'value': 0}, 'SXLTimeout': {'type': 'U16', 'value': 250}, 'SampleSubmit': {'type': 'U32', 'value': 0}, 'Saveset': {'type': 'U32', 'value': 0}, 'ScrapObjectHandling': {'type': 'U32', 'value': 1}, 'Sdoc': {'type': 'U32', 'value': 1}, 'SfxArchives': {'type': 'U32', 'value': 1}, 'Sis': {'type': 'U32', 'value': 1}, 'Skip': {'type': 'U32', 'value': 1}, 'SrpStreamHandling': {'type': 'U32', 'value': 1}, 'StorageDetOnly': {'type': 'U32', 'value': 0}, 'StorageReport': {'type': 'U32', 'value': 0}, 'StorageReportAddtolist': {'type': 'U32', 'value': 0}, 'StorageReportAll': {'type': 'U32', 'value': 0}, 'StrictPdf': {'type': 'U32', 'value': 0}, 'StrongPdf': {'type': 'U32', 'value': 0}, 'Stuffit': {'type': 'U32', 'value': 0}, 'Swf': {'type': 'U32', 'value': 1}, 'Szip': {'type': 'U32', 'value': 1}, 'TarDecompression': {'type': 'U32', 'value': 1}, 'ThreatAccumulation': {'type': 'U32', 'value': 0}, 'TnefAttachmentHandling': {'type': 'U32', 'value': 1}, 'TnefEmbedHandling': {'type': 'U32', 'value': 0}, 'TrueFileTypeDetection': {'type': 'U32', 'value': 0}, 'TrueFileTypeDetectionLevel': {'type': 'U16', 'value': 1}, 'UTF16': {'type': 'U32', 'value': 1}, 'UnixArchive': {'type': 'U32', 'value': 1}, 'Upx': {'type': 'U32', 'value': 1}, 'UueDecompression': {'type': 'U32', 'value': 1}, 'VBA3Handling': {'type': 'U32', 'value': 1}, 'VBA5Handling': {'type': 'U32', 'value': 1}, 'VbFiltering': {'type': 'U32', 'value': 1}, 'Vba5Dir': {'type': 'U32', 'value': 0}, 'Vba5p': {'type': 'U32', 'value': 1}, 'VbaOnly': {'type': 'U32', 'value': 1}, 'VbaTable': {'type': 'U32', 'value': 1}, 'Vbe': {'type': 'U32', 'value': 1}, 'VirusDataDir': {'type': 'OPTION_STRING', 'value': '/opt/sophos-av/lib/sav'}, 'VirusDataIntegrityChecking': {'type': 'U32', 'value': 0}, 'VirusDataName': {'type': 'OPTION_STRING', 'value': 'vdl'}, 'VisioEmbedHandling': {'type': 'U32', 'value': 0}, 'VisioFileHandling': {'type': 'U32', 'value': 1}, 'WordB': {'type': 'U32', 'value': 1}, 'Xar': {'type': 'U32', 'value': 1}, 'Xml': {'type': 'U32', 'value': 0}, 'XmlMaxExtStrCnt': {'type': 'TYPE11', 'value': '1000000'}, 'XmlOdoc': {'type': 'U32', 'value': 1}, 'XsumOnDiskPath': {'type': 'OPTION_STRING', 'value': ''}, 'ZipDecompression': {'type': 'U32', 'value': 1}, 'ZipUseChd': {'type': 'U32', 'value': 1}} 
 
 Any ideas?