How ClamAV virus scanning protects your relay addresses
ClamAV is an open-source antivirus engine used by Cleanbox to scan inbound email for viruses, malware, and other threats. When enabled on a relay domain, every inbound email is scanned before any other processing takes place — before spam scoring, before contact state checks, before filters, and before Shield evaluation.
How it works
When an email arrives at a relay address with virus scanning enabled:
- The raw email content (headers, body, and all attachments) is streamed to the ClamAV daemon running on the Cleanbox server
- ClamAV analyzes the content against its signature database — a continuously updated collection of known virus, malware, trojan, and exploit patterns
- If a threat is detected, ClamAV returns the signature name (e.g., Win.Trojan.Agent-123456)
- Cleanbox immediately rejects the email — it is never forwarded to your mail server
- The virus name is logged on the message record so you can see what was caught
The entire scan typically completes in under a second, even for emails with multiple attachments.
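As an added example (not Cleanbox's own code), here is a minimal Python client for the clamd INSTREAM protocol that the scan step above relies on: it frames the raw message the way clamd expects, parses the OK/FOUND/ERROR reply into a verdict, and maps that verdict onto the forward-or-reject decision. The host, port and the fail-closed handling of scanner errors are assumptions of this example; the sample reply strings are constructed from ClamAV's reply format.

```python
import socket
import struct
from typing import Optional, Tuple

Verdict = Tuple[str, Optional[str]]  # ("clean", None) | ("infected", sig) | ("error", msg)


def instream_frames(raw_email: bytes, chunk_size: int = 8192):
    """Yield the frames clamd's INSTREAM command expects: the NUL-terminated
    command, each chunk prefixed with its 4-byte big-endian length, then a
    zero-length chunk that marks end of stream."""
    yield b"zINSTREAM\0"
    for start in range(0, len(raw_email), chunk_size):
        chunk = raw_email[start:start + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)


def parse_clamd_reply(reply: bytes) -> Verdict:
    """Parse a NUL-terminated INSTREAM reply such as "stream: OK" or
    "stream: Win.Test.EICAR_HDB-1 FOUND" (constructed samples). Anything
    else (e.g. an ERROR line) is reported as an error so callers can fail closed."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    head, sep, tail = text.partition(": ")
    verdict = tail if sep else head
    if verdict == "OK":
        return "clean", None
    if verdict.endswith(" FOUND"):
        return "infected", verdict[: -len(" FOUND")]
    return "error", verdict


def scan_email(raw_email: bytes, host: str = "127.0.0.1", port: int = 3310) -> Verdict:
    """Stream one raw message (headers, body, attachments) to clamd's TCP
    socket and return the parsed verdict. Assumes clamd listens on host:port."""
    with socket.create_connection((host, port), timeout=30.0) as sock:
        for frame in instream_frames(raw_email):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


def relay_decision(verdict: Verdict) -> str:
    """Forward clean mail, reject detections with the signature name. Rejecting
    on scanner errors (fail closed) is this example's assumption, not documented behaviour."""
    status, detail = verdict
    return "forward" if status == "clean" else f"reject: {detail}"
```

To verify a relay's scanning end to end without real malware, send a message carrying the standard EICAR test file and confirm the message log shows it rejected with the test signature.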
What ClamAV detects
ClamAV maintains a signature database that is updated multiple times per day. It detects:
| Threat type | Examples |
|---|---|
| Viruses | Traditional file-infecting viruses embedded in attachments |
| Trojans | Malicious executables disguised as documents (e.g., .pdf.exe, .docm with macros) |
| Ransomware | Known ransomware payloads in ZIP, Office, or PDF attachments |
| Exploit kits | Documents exploiting known vulnerabilities in PDF readers, Office, or browsers |
| Phishing kits | HTML attachments containing credential-harvesting forms |
| Malicious scripts | JavaScript, VBScript, or PowerShell payloads in attachments or HTML email bodies |
| Archive bombs | ZIP files designed to expand to enormous sizes and crash systems (zip bombs) |
| Potentially Unwanted Applications (PUA) | Adware, toolbars, and other unwanted software installers |
Where it sits in the processing chain
Virus scanning is the very first step in the inbound evaluation chain. The full order is:
- ClamAV virus scan (relay only) ← rejects immediately if virus found
- Contact state check (blocked contacts rejected)
- Shield evaluation (gatekeeper, rate limiter)
- Spam scoring and threshold check
- Filter rules
- Contact state effects (muted, prioritized)
- Quarantine intercept
- Snoozer check
By scanning first, infected emails never reach any other processing stage. A virus-laden email from a whitelisted contact is still rejected — virus scanning is not bypassed by any contact state.
Enabling virus scanning
- Go to Relay in the dashboard
- Select your relay domain
- Open the Virus scan tab
- Toggle the ClamAV switch on
Virus scanning is per-domain — when enabled, it applies to all relay addresses on that domain.
Relay only
ClamAV scanning is available for relay addresses only, not for regular aliases. This is because:
- Relay addresses protect existing mail servers (Google Workspace, Microsoft 365, your own Postfix/Exim) that may not have their own virus scanning
- Regular alias delivery goes to IMAP mailboxes where the email provider (Gmail, Outlook, etc.) already performs virus scanning on their end
- Virus scanning adds processing time — for relay (business use case), this trade-off is worthwhile. For aliases (personal use case), the provider's scanner handles it.
What happens when a virus is found
When ClamAV detects a threat:
- The email is immediately rejected with a bounce notification to the sender
- The message is not forwarded to your mail server under any circumstances
- A message record is created in your Cleanbox message log with status rejected and the virus signature name stored
- An activity log entry is created: "Message from [sender] rejected on [address] — virus detected: [signature name]"
- The raw email content is not stored in Cleanbox's object storage — infected messages are discarded immediately after scanning
You can see rejected virus messages in your message log by filtering on status "rejected". The virus signature name is visible in the message details.
Signature updates
ClamAV's signature database is updated automatically by freshclam multiple times per day. New virus definitions are typically available within hours of discovery by the ClamAV community. Cleanbox runs the latest stable ClamAV release with automatic signature updates enabled.
Limitations
- Zero-day threats: ClamAV is signature-based. It cannot detect brand-new malware that has not yet been added to the signature database. For zero-day protection, combine ClamAV with user awareness and endpoint security on your devices.
- Password-protected archives: ClamAV cannot scan the contents of password-protected ZIP or RAR files. The archive itself is scanned but the encrypted contents are opaque.
- Encrypted email: If the email body is PGP or S/MIME encrypted, ClamAV scans the encrypted blob but cannot detect threats in the decrypted content.
- False positives: Occasionally, a legitimate file may match a virus signature. This is rare but possible. If a legitimate email is rejected, check the message log for the signature name and contact us if you believe it is a false positive.
Recommended setup
For relay addresses, we recommend always enabling ClamAV. There is no meaningful downside:
- Scanning adds less than a second to processing time
- False positive rates are very low
- The protection against actual malware is significant
Combine ClamAV with spam symbol rules and IP blacklist checking for comprehensive relay protection.