I looked at the documentation and can't seem to find the answer to this question anywhere. When syscheck runs on the client and performs the file integrity (md5 & sha1) checks does it utilize the md5 & sha1 binaries on the client? If it does, doesn't that go against the main security priciple that a server being monitored should always be considered compromised. In other words , you should only be using binaries from a trusted source (read-only media or the actual master server) when peforming client scans.
-Leo
