Testing virus scanning with EICAR

What is EICAR?

The EICAR test file is a standard antivirus test signature designed by the European Institute for Computer Antivirus Research. It is not actual malware — it is a safe, 68-character string that every major antivirus engine recognises and flags as a threat.

Because every compliant scanner treats this string as malicious, the EICAR test file is the industry-standard way to verify that virus scanning is working correctly — without introducing any real risk to your systems.

This makes it perfect for testing EmailConnect's attachment scanning on your Business+ plan. You can confirm that infected files are detected, flagged, and excluded from webhook payloads before going into production.

You can download the official test files from eicar.org.

How to test

What the payload looks like

When EmailConnect processes an email with attachments on a Business+ plan, each attachment includes a virusScan object. Here is the difference between a clean file and an infected one:

{
  "filename": "invoice-1042.pdf",
  "contentType": "application/pdf",
  "size": 48210,
  "downloadUrl": "https://app.emailconnect.eu/attachments/.../download",
  "virusScan": {
    "status": "clean"
  }
}

{
  "filename": "eicar_com.zip",
  "contentType": "application/x-zip-compressed",
  "size": 184,
  "excluded": true,
  "excludeReason": "virus-detected",
  "status": "rejected",
  "virusScan": {
    "status": "infected",
    "threat": "Eicar-Test-Signature"
  }
}

Notice that the infected attachment has no downloadUrl. The file is excluded from the payload entirely — your application never receives the malicious content.

The security summary

Every Business+ webhook payload includes a top-level security.virusScan object that summarises the scan results for the entire email. This gives you a single place to check whether any threats were found:

{
  "security": {
    "virusScan": {
      "scanned": true,
      "engine": "clamav",
      "engineVersion": "1.5.1",
      "attachmentsScanned": 1,
      "threatsFound": 1
    }
  }
}

• scanned — whether virus scanning was performed (always true on Business+ plans)
• engine — the antivirus engine used (clamav)
• engineVersion — the ClamAV version at the time of the scan
• attachmentsScanned — total number of attachments that were scanned
• threatsFound — number of attachments that tested positive for malware

Handling rejected attachments in your webhook

Your webhook handler should check for rejected attachments and handle them appropriately.

// Express webhook handler
app.post('/webhook', (req, res) => {
  const { message, security } = req.body

  if (security?.virusScan?.threatsFound > 0) {
    console.warn('Threats detected:', security.virusScan.threatsFound)
  }

  for (const attachment of message.attachments) {
    if (attachment.excluded && attachment.excludeReason === 'virus-detected') {
      console.warn(`Rejected: ${attachment.filename} — ${attachment.virusScan.threat}`)
      continue
    }
    // Process clean attachment
    processFile(attachment)
  }

  res.sendStatus(200)
})

# Flask webhook handler
@app.route('/webhook', methods=['POST'])
def handle_webhook():
    data = request.get_json()
    security = data.get('security', {})

    if security.get('virusScan', {}).get('threatsFound', 0) > 0:
        logger.warning(f"Threats detected: {security['virusScan']['threatsFound']}")

    for attachment in data['message']['attachments']:
        if attachment.get('excluded') and attachment.get('excludeReason') == 'virus-detected':
            logger.warning(f"Rejected: {attachment['filename']} — {attachment['virusScan']['threat']}")
            continue
        process_file(attachment)

    return '', 200

Need help setting up virus scanning? Get in touch at hello@emailconnect.eu.