Virus & malware scanning · as an API

The antivirus API
for developers.

POST a file or URL to one REST endpoint. Get back a JSON verdict, scored by multiple commercial scan engines running in parallel. Built for the teams who ship file uploads.

99.9% uptime
Multi-engine per scan
3 regions: US · EU · APAC

Works with the stack you already run
AWS
Azure
Google Cloud
Heroku
Salesforce
Vercel
Railway
Fly.io
DigitalOcean
Amazon S3
Azure Blob
How it works

From zero to scanning in three steps.

01 Sign up, grab a key
Start a 14-day free trial, no card required. Your API token is waiting in the dashboard.
$ export API_TOKEN=as_live_…
02 POST a file or URL
Send the bytes directly, or point at a URL we can fetch. Works with any language that speaks HTTP.
curl -H "Authorization: Bearer $API_TOKEN" \
  -F "file=@upload.pdf" \
  https://api.attachmentscanner.com/v1.0/scans
03 Get a JSON verdict
Every scan returns a clear status and matches array, scored by multiple commercial engines in parallel.
{ "status": "ok", "matches": [] }
Multi-engine detection

One antivirus API.
A jury of engines.

Most virus scan APIs run a single engine. We run multiple commercial antivirus engines in parallel on every request — and include them all on every plan. A second and third opinion on every upload, for the price of one.

Simple, predictable plans

Fixed monthly scan allowance, fixed price. No per-engine add-ons, no enterprise-sales gate just to scan production traffic.

Heuristic & signature-based

We combine signature matching with heuristic detection, so novel malware has more surfaces to trip on before it reaches your users.

One verdict in your JSON

You get a single status and a flat matches array. If any engine flagged it, it shows up.

POST /v1.0/scans MALWARE
{
  "status": "found",
  "filename": "eicar.com",
  "content_length": 68,
  "matches": [
    "Eicar-Test-Signature",
    "EICAR_Test_File",
    "Win.Test.EICAR_HDB-1"
  ]
}
Three engines, three signature names, one consolidated matches array.
Developer experience

Antivirus as a JSON API.
That's it.

No SDK. No signature database. No scanner cluster to run. One REST endpoint for virus and malware scanning — from file uploads and S3 objects to email attachments.

POST /v1.0/scans · scan a file, URL or S3 object
Multiple commercial antivirus engines per request
Synchronous verdict or async via callback URL
Official examples: Node.js, Ruby, Python, Go, PHP, .NET, Elixir, Salesforce Apex
curl -X POST $SCANNER_URL/v1.0/scans \
  -H "Authorization: Bearer $API_TOKEN" \
  -F "file=@user-upload.pdf"
Use cases

File upload virus scanning, wherever files live.

File uploads
Scan every user upload before it hits storage. Reject on found, store on clean.
S3 & Azure blob scanning
Event-trigger scans on new objects. Quarantine infected blobs; tag clean ones.
Email attachments
Inline scan of every inbound attachment. From the team behind CloudMailin — we’ve been scanning email since 2010.
UGC & marketplaces
Keep malware out of avatars, listings and shared files. Protect your users and your reputation.
Global infrastructure

99.9% uptime.
Close to your users.

Multi-region virus and malware scanning across three continents, with real-time status on every region. Need something specific? Dedicated clusters and AWS PrivateLink available for compliance and data residency.

United States · us-east-1 · operational · 30-day uptime 99.9%+
Europe · eu-west-1 · operational · 30-day uptime 99.9%+
Asia-Pacific · ap-southeast-2 · operational · 30-day uptime 99.9%+
Security

Built for file upload security.

We treat user-uploaded content as hostile by default. Regional data isolation, no persistent file storage, full encryption in transit and at rest.

Regional data isolation
Every scan stays in its region. Each cluster runs its own database — your file data never crosses borders just to be scanned. Maps cleanly onto GDPR and data-residency requirements.
Files deleted after scan
File contents are discarded immediately after scanning. We keep metadata (filename, hash, verdict) for your scan history, and nothing else. Nothing you uploaded lingers on our disk.
Encrypted in transit & at rest
HTTPS / TLS 1.2+ for every request, AES at rest for metadata. Optional AWS PrivateLink keeps scanning traffic off the public internet entirely.
Customers

Teams shipping with AttachmentScanner.

CloudMailin
Email infrastructure
Scans outbound email attachments as they leave the CloudMailin relay, so no virus ever gets forwarded downstream.
Groove
Customer support platform
Keeps malware out of support ticket attachments before they land in agents’ inboxes.
ProFinda
Talent & skills platform
Scans document uploads at scale, running multi-region so tenants get low-latency scanning wherever they are.
Pricing

Simple monthly plans.

Every paid plan includes multi-engine scanning, all three regions, and the same REST API. Pick an allowance and upgrade when you grow.

Questions

A few things worth knowing.

01 Why not self-host an open-source scanner?
A single open-source engine catches a fraction of what a commercial engine stack does. We run multiple commercial antivirus engines in parallel on every request, with signature updates and infrastructure fully managed. You skip the cluster, the patching, and the signature sync — and you get more detections on day one.
02 Do you retain our data?
No file contents. Uploaded bytes are discarded as soon as the scan completes. We keep metadata — filename, hash, size, verdict, timestamp — for your scan history and audit trail. Each region holds its own database, so data never crosses borders just to get scanned.
03 Can I keep scanning traffic off the public internet?
Yes. For compliance use cases we offer dedicated scanning clusters in an isolated region, plus AWS PrivateLink so your application reaches us over a private endpoint. Maps cleanly onto SOC 2 and data-residency requirements.
04 How do I handle a positive result?
You get status: "found" and a list of signature matches. Synchronous flow: reject the upload before it hits storage. Async flow (async: true + callback URL): the file is already stored by the time the verdict lands, so quarantine or delete the object, revoke any access links, and notify affected users.
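The sync and async handling described in question 04, as an added example (not AttachmentScanner's own code). It assumes only the response fields shown on this page; the action names are hypothetical labels for your own handlers, and treating anything other than a well-formed "ok" as unsafe is an assumed fail-closed policy.

```python
import json

# Status values shown on the page: "ok" (clean) and "found" (malware matched).
CLEAN, FOUND = "ok", "found"

def parse_verdict(body):
    """Parse a scan response body; return (status, matches) or None if malformed."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(doc, dict):
        return None
    status, matches = doc.get("status"), doc.get("matches", [])
    if not isinstance(status, str) or not isinstance(matches, list):
        return None
    if not all(isinstance(m, str) for m in matches):
        return None
    return status, matches

def decide(body, already_stored=False):
    """Map a verdict to actions. already_stored=True models the async flow."""
    verdict = parse_verdict(body)
    # Fail closed (assumed policy): malformed body, unknown status,
    # or an "ok" status that still lists matches.
    if verdict is None or verdict[0] not in (CLEAN, FOUND) or (
            verdict[0] == CLEAN and verdict[1]):
        actions = ["quarantine_object"] if already_stored else ["reject_upload"]
        return {"actions": actions, "reason": "unverified", "matches": []}
    status, matches = verdict
    if status == CLEAN:
        actions = ["tag_clean"] if already_stored else ["store"]
        return {"actions": actions, "reason": "clean", "matches": []}
    if already_stored:  # async: the object is already in storage
        actions = ["quarantine_object", "revoke_access_links", "notify_users"]
    else:               # sync: the upload has not reached storage yet
        actions = ["reject_upload"]
    return {"actions": actions, "reason": "malware", "matches": matches}

# Constructed sample bodies, modelled on the two responses shown on the page.
CLEAN_BODY = '{"status": "ok", "matches": []}'
EICAR_BODY = json.dumps({
    "status": "found", "filename": "eicar.com", "content_length": 68,
    "matches": ["Eicar-Test-Signature", "EICAR_Test_File", "Win.Test.EICAR_HDB-1"]})

if __name__ == "__main__":
    # The last two bodies are constructed failure cases, not real API output.
    for body in (CLEAN_BODY, EICAR_BODY, '{"status": "unexpected"}', "<html>502</html>"):
        print(decide(body), decide(body, already_stored=True))
```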
From the blog

Guides, write-ups, and behind-the-scenes.

Guide · AWS
How to scan files in AWS S3 for malware
Presigned URLs, Lambda automation, async scanning. Covers every pattern for scanning S3 buckets in production.
Guide · Security
How to pass a penetration test file upload check
Covers the OWASP file-upload malware test, how to wire scanning in, EICAR integration, and common pen-test findings.
Explainer
What is the EICAR test file?
The safe way to test your antivirus integration. How it works, how to use it, and what the different engines call it.

Ship safer uploads
by lunchtime.

Free 14-day trial. No credit card. Multiple scan engines on every request from day one.