How do antivirus engines scan emails?

Email antivirus operates at gateway or client level, scanning attachments and sometimes message content. Scanning uses: signature matching (known malware patterns), heuristic analysis (suspicious behaviors), and reputation checking (known malicious hashes).

Gateway scanning checks messages in transit before delivery. Client scanning checks when users open attachments. Both provide protection; gateway scanning is more effective as it blocks before user exposure.

Limitations: new malware may lack signatures, sophisticated evasion defeats heuristics, and encrypted attachments can't be scanned without passwords. Multiple scanning engines improve detection but can't catch everything.