How to Add Malware Scanning to Your Java Spring Boot File Upload Application

File uploads are essential for modern web applications, but they also pose a significant security risk. When users upload files to your Spring Boot application, you need to scan them for malware and viruses before processing or storing them. In this guide, we’ll show you how to integrate real-time antivirus scanning into your Java Spring Boot application using the attachmentAV API.

Antivirus for Java Spring Boot forms

Why Malware Scanning Matters for File Uploads

File uploads are one of the most common attack vectors for malware distribution. Without proper virus detection, infected files can:

  • Compromise your server infrastructure
  • Spread malware to other users
  • Violate compliance requirements (GDPR, HIPAA, etc.)
  • Damage your company’s reputation

Many companies have strict requirements to scan files received from external sources before processing them in their applications. This is where an API-based antivirus solution like attachmentAV becomes essential.

The Solution: Spring Boot + attachmentAV API

attachmentAV provides a REST API for real-time malware scanning that integrates seamlessly with Java Spring Boot applications. Instead of managing antivirus software on your servers, you simply send files to the API and receive instant scan results.

Here’s how the integration works:

  1. User uploads a file through your Spring Boot application
  2. Your application sends the file to the attachmentAV API
  3. The API scans the file for viruses and malware
  4. Your application receives the scan result (clean, infected, or failed)
  5. You process or reject the file based on the result

Implementing Virus Scanning in Spring Boot

Let’s walk through a simple implementation for scanning uploaded files in a Java Spring Boot application.

Step 1: Create the attachmentAV Service

First, create a service that handles API communication with attachmentAV:

@Service
public class AttachmentAVService {

  private final RestClient restClient;
  private final String apiKey;

  public AttachmentAVService(
      RestClient.Builder restClientBuilder,
      @Value("${attachmentav.api-key}") String apiKey) {
    this.restClient = restClientBuilder
        .baseUrl("https://eu.developer.attachmentav.com")
        .build();
    this.apiKey = apiKey;
  }

  public ScanResult scanFile(MultipartFile file) throws IOException {
    byte[] fileBytes = file.getBytes();

    ScanResponse response = restClient.post()
        .uri("/v1/scan/sync/binary")
        .header("x-api-key", apiKey)
        .header("Content-Length", String.valueOf(fileBytes.length))
        .contentType(MediaType.APPLICATION_OCTET_STREAM)
        .body(fileBytes)
        .retrieve()
        .body(ScanResponse.class);

    if (response == null) {
      throw new AttachmentAVException("No response received from attachmentAV API");
    }

    return new ScanResult(response.status(), response.finding());
  }

  public record ScanResult(String status, String finding) {
    public boolean isInfected() {
      return "infected".equals(status);
    }

    public boolean isClean() {
      return "clean".equals(status);
    }
  }
}

This service uses Spring’s RestClient to send files as binary data to the attachmentAV API endpoint. The API returns a JSON response indicating whether the file is clean or infected.

Step 2: Create the File Upload Controller

Next, create a controller that handles file uploads and integrates malware scanning:

@Controller
public class FileUploadController {

  private final AttachmentAVService attachmentAVService;

  @Autowired
  public FileUploadController(AttachmentAVService attachmentAVService) {
    this.attachmentAVService = attachmentAVService;
  }

  @PostMapping("/")
  public String handleFileUpload(@RequestParam("file") MultipartFile file,
      RedirectAttributes redirectAttributes) {

    try {
      ScanResult scanResult = attachmentAVService.scanFile(file);

      if (scanResult.isInfected()) {
        redirectAttributes.addFlashAttribute("message",
            "File " + file.getOriginalFilename() + " is infected: " + scanResult.finding());
        redirectAttributes.addFlashAttribute("error", true);
        return "redirect:/";
      }

      redirectAttributes.addFlashAttribute("message",
          "File " + file.getOriginalFilename() + " has been scanned and is clean!");

      return "redirect:/";

    } catch (IOException e) {
      redirectAttributes.addFlashAttribute("message",
          "Failed to read file: " + e.getMessage());
      redirectAttributes.addFlashAttribute("error", true);
      return "redirect:/";
    }
  }
}

The controller receives uploaded files, sends them to the AttachmentAVService for scanning, and displays appropriate messages based on the scan results. If a virus is detected, the file is rejected and the user is notified of the specific malware found.

Step 3: Configure Your Application

Add your attachmentAV API key to application.properties:

# attachmentAV API Configuration
attachmentav.api-key=${ATTACHMENTAV_API_KEY:your-api-key-here}

# File upload limits
spring.servlet.multipart.max-file-size=10MB
spring.servlet.multipart.max-request-size=50MB

Set the API key as an environment variable:

export ATTACHMENTAV_API_KEY=your-api-key-here

Scanning Multiple Files

While this example focuses on single file uploads, the same approach can be extended to handle multiple files. For batch file uploads, you can use Java’s CompletableFuture and ExecutorService to scan multiple files concurrently, limiting the number of concurrent API requests based on your attachmentAV subscription.

For a complete implementation with multi-file upload support and concurrent scanning, check out the full example on GitHub.

Testing Your Malware Scanner

You can test your antivirus integration using the EICAR test file, a harmless file specifically designed to test antivirus software:

  1. Download the EICAR test file
  2. Upload it through your Spring Boot application
  3. Verify that it’s detected as infected with the name “EICAR-Test-File”

Benefits of API-Based Virus Scanning

Using an API like attachmentAV for malware detection in your Java Spring Boot application provides several advantages:

  • No infrastructure maintenance: No need to install and update antivirus software on your servers
  • Always up-to-date: The API uses the latest virus definitions automatically
  • Scalable: Handle any number of file uploads without managing antivirus licenses
  • Fast integration: Add virus scanning to your Spring Boot app in under an hour
  • Reliable detection: Professional malware scanning with enterprise-grade antivirus engines

Conclusion

Adding malware and virus scanning to your Java Spring Boot file upload application is straightforward with the AttachmentAV API. By integrating real-time antivirus scanning, you protect your application, your infrastructure, and your users from infected files.

The implementation requires just two main components: a service class to communicate with the AttachmentAV API and a controller to handle file uploads. With this setup, every file uploaded to your Spring Boot application is automatically scanned for viruses and malware before processing.

Ready to add malware scanning to your Spring Boot application? Get started with attachmentAV today and secure your file uploads in minutes.

Published on February 17, 2026 | Written by Sebastian

Stay up-to-date

Monthly digest of security updates, new capabilities, and best practices.