Virus scanning

Every attachment on Business+ plans is scanned for malware before delivery. Infected files are rejected automatically — your webhook only receives clean, verified attachments.

Powered by ClamAV

EmailConnect uses ClamAV, the industry-standard open-source antivirus engine. ClamAV is maintained by Cisco's Talos Intelligence Group and is trusted by millions of deployments worldwide, from mail servers to enterprise gateways.

  • Open source — fully auditable, no black-box scanning
  • Battle-tested — used by major email providers, hosting companies, and enterprises
  • Broad coverage — detects viruses, trojans, ransomware, phishing payloads, and other threats

Virus definition updates

Virus definitions are updated automatically via ClamAV's built-in freshclam daemon. Definitions are stored persistently, so restarts don't trigger a full re-download.

Updates are applied in the background without service interruption. To keep memory usage predictable during updates, new definitions are loaded sequentially rather than in parallel with the old set.

How scanning works

  1. An email with attachments arrives at your alias
  2. Each attachment is streamed to the ClamAV daemon for scanning
  3. Clean files are delivered normally with scan metadata in the payload
  4. Infected files are rejected and excluded — no download URL is provided

Scanning happens inline before your webhook fires. There is no separate queue or delay beyond the scan itself.

Clean file payload

Clean attachments include a virusScan object confirming the result:

{
  "filename": "report.pdf",
  "contentType": "application/pdf",
  "size": 48210,
  "downloadUrl": "https://app.emailconnect.eu/attachments/.../download",
  "virusScan": {
    "status": "clean"
  }
}

Infected file payload

Infected attachments are excluded from the payload. No download URL is provided, and the file is not stored:

{
  "filename": "eicar_com.zip",
  "contentType": "application/x-zip-compressed",
  "size": 184,
  "excluded": true,
  "excludeReason": "virus-detected",
  "status": "rejected",
  "virusScan": {
    "status": "infected",
    "threat": "Eicar-Test-Signature"
  }
}

A top-level security.virusScan summary is included in every webhook payload with scan statistics. See the webhook payload reference for full field documentation.
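An added example, not part of EmailConnect's documentation or code: a webhook consumer that gates attachment handling on the fields shown above and fails closed when the scan result is missing. The function name, the local reason labels (not-scanned, no-download-url, malformed-entry), the assumption that attachment objects arrive as a list, and the assumption that unscanned attachments carry no virusScan object are illustrative.

```python
import json

# Constructed sample: the two attachment objects shown above, plus one with no
# virusScan object (assumed shape for an attachment delivered without scanning).
SAMPLE_ATTACHMENTS = json.loads("""
[
  {"filename": "report.pdf", "contentType": "application/pdf", "size": 48210,
   "downloadUrl": "https://app.emailconnect.eu/attachments/.../download",
   "virusScan": {"status": "clean"}},
  {"filename": "eicar_com.zip", "contentType": "application/x-zip-compressed",
   "size": 184, "excluded": true, "excludeReason": "virus-detected",
   "status": "rejected",
   "virusScan": {"status": "infected", "threat": "Eicar-Test-Signature"}},
  {"filename": "notes.txt", "contentType": "text/plain", "size": 12,
   "downloadUrl": "https://app.emailconnect.eu/attachments/.../download"}
]
""")


def triage_attachments(attachments):
    """Split attachment objects into (accepted, quarantined), failing closed."""
    accepted, quarantined = [], []
    for att in attachments:
        if not isinstance(att, dict):
            quarantined.append({"filename": None, "reason": "malformed-entry", "threat": None})
            continue
        scan = att.get("virusScan")
        scan = scan if isinstance(scan, dict) else {}
        status = scan.get("status")
        entry = {"filename": att.get("filename"), "reason": None, "threat": scan.get("threat")}
        if att.get("excluded") is True or status == "infected":
            # Rejected by the scanner: keep the threat name for alerting.
            entry["reason"] = att.get("excludeReason", "excluded")
        elif status != "clean":
            # No explicit clean verdict: treat the file as untrusted.
            entry["reason"] = "not-scanned"
        elif not str(att.get("downloadUrl", "")).startswith("https://"):
            entry["reason"] = "no-download-url"
        else:
            accepted.append(att)
            continue
        quarantined.append(entry)
    return accepted, quarantined


if __name__ == "__main__":
    ok, held = triage_attachments(SAMPLE_ATTACHMENTS)
    print("accepted:", [a["filename"] for a in ok])
    print("quarantined:", held)
```

Only entries in the accepted list should be downloaded; the quarantined list is what to log or alert on.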

Testing virus scanning

Send an email with the EICAR test file attached. This is a harmless industry-standard test string that every antivirus engine detects. Your webhook payload will show the attachment as rejected with threat Eicar-Test-Signature.

Limits

Attachments up to 10 MB are scanned. This matches the maximum email size accepted by EmailConnect.

Availability

Virus scanning is available on Business and Platform plans. On lower plans, attachments are delivered without scanning.
