What is a virus scanner in email gateways?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
A virus scanner is a security filter inside an email gateway that checks every attachment and embedded link for malware before the message reaches an inbox. It compares files against known threat databases (signature-based detection) and watches for suspicious behavior patterns (heuristic detection). If the scanner flags something as dangerous, it quarantines or blocks the message entirely.
You probably don't think about virus scanners much if you're sending email, but you should care for two reasons. First, if your message gets flagged by a virus scanner (even incorrectly), it never makes it to the recipient. Second, if a virus scanner blocks your emails often enough, your domain or IP can get a reputation hit with mailbox providers who track pattern abuse.
How virus scanning actually works: The scanner opens attachments (PDFs, Word docs, Excel files, ZIP archives) and inspects their contents against known malware signatures. If the file matches a signature in the scanner's threat database, it's blocked. For brand-new threats that don't have signatures yet, heuristics analyze file behavior, looking for things like hidden code execution, suspicious macros, or unusual system calls. Modern scanners also check embedded URLs in email bodies and attachments to see if they point to known malware distribution sites.
But Here's where senders get tripped up: password-protected ZIPs and encrypted attachments can't be scanned. Some gateways block them by default. If you're sending financial reports or legal documents in encrypted files, you might see your emails silently disappearing into quarantine queues. Barracuda and similar enterprise email security gateways are especially strict about this.
False positives happen. A Word doc with macros enabled (even if it's totally safe) might trigger heuristic flags. A PDF with embedded JavaScript (common in interactive forms) can get blocked. If your transactional emails include downloadable invoices or shipping labels as attachments, test them with actual recipients before sending at scale. We've seen companies lose an entire week of invoice delivery because their new PDF generator added a feature that tripped virus scanners.
And if you're seeing delivery issues with attachment-heavy emails, check VirusTotal (free tool) to scan your attachment against dozens of virus engines at once. If even one engine flags it, some recipient gateways will block it. You can also use our free header analyzer to see if virus scanning added any metadata to delivered messages.
Virus scanning sits alongside phishing detection and spam filtering in most email gateways. All three run in parallel. A message can pass spam filters but still get blocked by virus scanning, or vice versa.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.