Malware Scanning for Cloudflare R2: How to Detect Viruses in Your Object Storage

Companies storing files in the cloud face a common challenge: how do you ensure uploaded files are free of malware and viruses before they reach your application or your users? Whether driven by compliance requirements or security best practices, antivirus scanning for cloud storage is essential.

Antivirus for Cloudflare R2

Cloudflare R2 is a fast and affordable object storage solution. However, R2 does not include built-in malware scanning. That’s where the attachmentAV API comes in.

We just published an open-source example that wires up Cloudflare R2, Queues, and Workers to automatically scan every newly uploaded object for malware.

How It Works

The setup is fully serverless and uses only Cloudflare-native services alongside the attachmentAV API:

┌───────────┐    ┌───────┐    ┌─────────┐    ┌───────────────┐
│ R2 Bucket │───>│ Queue │───>│ Scanner │───>│ attachmentAV  │
└───────────┘    └───────┘    └─────────┘    └───────┬───────┘
                                                     │
                                                     v
                                               ┌──────────┐
                                               │ Callback │
                                               └──────────┘
  1. A file is uploaded to an R2 bucket.
  2. An R2 event notification sends a message to a Cloudflare Queue.
  3. A Scanner Worker picks up the message and calls the attachmentAV API. Small files (<10MB) are sent directly; large files (up to 5GB) are scanned via a presigned URL.
  4. A Callback Worker receives the scan result, logs it, and optionally deletes infected files.
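
The routing decision in step 3, as an added example (not code from the open-source project). It assumes the documented R2 event notification message shape (action, bucket, object.key, object.size) and reads the 10MB and 5GB limits as binary units; the mode and reason names are hypothetical.

```javascript
// Added example, not the project's code. Limits are from the article;
// reading MB/GB as binary units is an assumption.
const DIRECT_LIMIT = 10 * 1024 * 1024;          // below this: send bytes directly
const PRESIGNED_LIMIT = 5 * 1024 * 1024 * 1024; // above this: cannot be scanned

// R2 event notification actions that create or overwrite an object.
const WRITE_ACTIONS = new Set(["PutObject", "CopyObject", "CompleteMultipartUpload"]);

// Decide how one R2 event notification should be handled.
function planScan(event) {
  if (!event || !WRITE_ACTIONS.has(event.action)) {
    return { mode: "skip", reason: "not-a-write" }; // e.g. DeleteObject
  }
  const key = event.object && event.object.key;
  const size = event.object && event.object.size;
  if (typeof key !== "string" || key === "") {
    return { mode: "skip", reason: "missing-key" };
  }
  // Fail closed: an object whose size is unknown or over the limit is
  // reported as unscannable instead of being silently treated as clean.
  if (!Number.isInteger(size) || size < 0) {
    return { mode: "unscannable", key, reason: "size-unknown" };
  }
  if (size > PRESIGNED_LIMIT) {
    return { mode: "unscannable", key, reason: "too-large" };
  }
  return { mode: size < DIRECT_LIMIT ? "direct" : "presigned", key };
}

// Apply planScan to a Queues batch (batch.messages[i].body holds the event).
function planBatch(batch) {
  return batch.messages.map((msg) => planScan(msg.body));
}

// Constructed sample batch, shaped like R2 event notifications.
const sampleBatch = { messages: [
  { body: { action: "PutObject", bucket: "my-r2-bucket", object: { key: "test.txt", size: 1024 } } },
  { body: { action: "CompleteMultipartUpload", bucket: "my-r2-bucket", object: { key: "video.mp4", size: 2 * 1024 ** 3 } } },
  { body: { action: "PutObject", bucket: "my-r2-bucket", object: { key: "huge.img", size: 6 * 1024 ** 3 } } },
  { body: { action: "DeleteObject", bucket: "my-r2-bucket", object: { key: "old.txt" } } },
] };
console.log(planBatch(sampleBatch));
```

Objects that come back as unscannable have not been checked at all, so downstream consumers should not treat them as clean.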

Deploy in Minutes

Get the code on GitHub.

The example includes a deploy script that sets up everything: the queue, both workers, secrets, and the R2 event notification.

export CLOUDFLARE_ACCOUNT_ID=your-account-id
export BUCKET_NAME=my-r2-bucket
export WORKERS_SUBDOMAIN=your-subdomain
bash deploy.sh

The script prompts you for your attachmentAV API key, R2 credentials, and tenant ID.

Try It Out

Upload a file to your R2 bucket and watch the scan happen in real time:

npx wrangler r2 object put "$BUCKET_NAME/test.txt" --file test.txt --remote
npx wrangler tail -c workers/scanner/wrangler.toml

To verify that malware detection works, upload the EICAR test file (it’s a harmless file recognized as infected by all antivirus scanners):

echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.txt
npx wrangler r2 object put "$BUCKET_NAME/eicar.txt" --file /tmp/eicar.txt --remote

The worker logs will show the file detected as infected.

Monitoring and Scan Results

Every scan produces a structured JSON log entry with the file’s status, detected threat (if any), file type, and scan time:

{
  "status": "clean",
  "finding": "none",
  "size": 1024576,
  "realFileType": "Adobe Portable Document Format (PDF)",
  "scanTime": 0.1
}

Each file receives one of three statuses: clean (no threats found), infected (malware or virus detected), or no (unable to determine). You can stream these logs in real time with npx wrangler tail or forward them to a persistent store like a SIEM using Cloudflare Logpush for long-term retention and alerting.

Automatic Deletion of Infected Files

Want infected files removed from your bucket immediately? Set DELETE_INFECTED to true in the worker configuration and redeploy. Any file flagged as malware is deleted from R2 right after the scan completes.
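
How a callback handler can turn the three statuses and the DELETE_INFECTED setting into an action, as an added example (not code from the open-source project). The status values and DELETE_INFECTED come from this article; the action names, the key field on the result, and the way the flag value arrives are assumptions.

```javascript
// Added example, not the project's code. Status values and DELETE_INFECTED
// are from the article; action names and the `key` field are hypothetical.

// Worker variables may arrive as strings, and the string "false" is truthy
// in JavaScript, so parse the flag explicitly.
function parseFlag(value) {
  return value === true || String(value).trim().toLowerCase() === "true";
}

// Map one scan result to what the Callback Worker should do with the object.
function decide(result, env) {
  const status = result && result.status;
  const base = { key: result && result.key, status, finding: result && result.finding };
  switch (status) {
    case "clean":
      return { ...base, action: "allow" };
    case "infected":
      // Only a confirmed detection is ever deleted.
      return { ...base, action: parseFlag(env.DELETE_INFECTED) ? "delete" : "flag" };
    case "no":
      // The scanner could not reach a verdict: hold for review, never allow.
      return { ...base, action: "hold" };
    default:
      // Missing or unexpected status: treat as undetermined, not as clean.
      return { ...base, action: "hold" };
  }
}

// Constructed sample results using the fields shown in the log entry above.
const sampleResults = [
  { key: "test.txt", status: "clean", finding: "none" },
  { key: "eicar.txt", status: "infected", finding: "placeholder-finding-name" },
  { key: "archive.bin", status: "no", finding: "none" },
  { key: "odd.dat" }, // malformed result without a status
];

for (const result of sampleResults) {
  console.log(JSON.stringify(decide(result, { DELETE_INFECTED: "true" })));
}
```

Because only clean maps to allow, a file with status no or a malformed callback stays out of reach of users until someone reviews it.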

Cost Considerations

This solution is built entirely on pay-as-you-go services, so you only pay for what you use. There are no fixed infrastructure costs or idle servers. Cloudflare Workers, Queues, and R2 all offer generous free tiers that cover low-volume workloads. The attachmentAV API is priced per scan; see attachmentAV pricing for details. For most workloads, the combined cost of Cloudflare services and attachmentAV scans is a fraction of what self-hosted antivirus infrastructure would require.

Real-World Use Cases

This Cloudflare R2 malware scanning solution is ideal for:

  • User-uploaded content: SaaS platforms, forums, or collaboration tools that accept file uploads from users need to scan every file before it is shared with others or processed further.
  • Document management: Legal, healthcare, or financial applications storing sensitive documents in R2 can ensure compliance by scanning files for malware on ingest.
  • Media pipelines: Platforms that accept images, videos, or audio files can scan uploads before encoding or serving them to end users.
  • Data ingestion: ETL pipelines that receive files from external partners or customers can use R2 as a landing zone with automatic virus scanning before downstream processing.
  • Backup verification: Verify that backup files written to R2 are free of malware before they are archived or restored.

Get Started

The full source code, configuration reference, and detailed setup instructions are available on GitHub:

attachmentav-cloudflare-r2-malware-scanning on GitHub

To get your attachmentAV API key, sign up here. Check the API documentation for more details on the scanning endpoints.


Published on February 17, 2026 | Written by Sebastian
