How do antivirus engines scan emails?
Email antivirus operates at the gateway or client level, scanning attachments and sometimes message content. Scanning uses signature matching (known malware patterns), heuristic analysis (suspicious behaviors), and reputation checking (known malicious hashes).
Gateway scanning checks messages in transit before delivery. Client scanning checks attachments when users open them. Both provide protection; gateway scanning is more effective because it blocks threats before users are exposed to them.
Limitations: new malware may lack signatures, sophisticated evasion defeats heuristics, and encrypted attachments can't be scanned without passwords. Multiple scanning engines improve detection but can't catch everything.
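The checks described above, as an added example (not from the original page or from any vendor's engine): a gateway-style scan that parses a raw message, runs reputation, signature and one static heuristic check on each attachment, and reports encrypted ZIP entries as unscannable. The signature, the hash list, the MZ/filename heuristic and the sample message are constructed assumptions.

```python
import hashlib, io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed values for illustration; real engines use vendor-maintained feeds.
SIGNATURES = {"Test.Marker": b"CONSTRUCTED-TEST-SIGNATURE"}
BAD_SHA256 = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}

def scan_attachment(name, data):
    """Return a list of verdict strings for one attachment."""
    verdicts = []
    if hashlib.sha256(data).hexdigest() in BAD_SHA256:       # reputation check
        verdicts.append("reputation:known-bad-hash")
    for sig_name, pattern in SIGNATURES.items():             # signature match
        if pattern in data:
            verdicts.append(f"signature:{sig_name}")
    # Assumed heuristic: Windows executable header under a non-executable name.
    if data[:2] == b"MZ" and not name.lower().endswith((".exe", ".dll")):
        verdicts.append("heuristic:executable-with-misleading-name")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:                     # entry is encrypted
                    verdicts.append(f"unscannable:encrypted:{info.filename}")
                else:                                        # scan the member too
                    verdicts += scan_attachment(info.filename, zf.read(info))
    return verdicts

def scan_message(raw):
    """Gateway-style scan: parse raw message bytes, check each attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): scan_attachment(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def build_sample():
    """Constructed message: one signature hit and one 'encrypted' ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner.bin", b"payload")
    z = bytearray(buf.getvalue())
    z[z.index(b"PK\x01\x02") + 8] |= 0x1   # set encrypted flag in central directory
    m = EmailMessage()
    m.set_content("see attached")
    m.add_attachment(b"xx" + SIGNATURES["Test.Marker"], maintype="application",
                     subtype="octet-stream", filename="report.bin")
    m.add_attachment(bytes(z), maintype="application", subtype="zip", filename="docs.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A production gateway would also bound archive recursion depth and decompressed size, and would apply a policy decision (quarantine, block, or deliver with a warning) to the unscannable verdict.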