Virus Scan for JavaScript Made Simple

File uploads are everywhere in modern JavaScript applications. Users submit profile photos, attach documents to support tickets, import spreadsheets, and share files through collaborative tools. Each of those files is a potential entry point for viruses and malware. A disguised trojan in a PDF, ransomware hidden inside a ZIP archive, or a macro-laden spreadsheet can compromise your server, infect other users who download the file later, or put you on the wrong side of compliance audits under GDPR, HIPAA, or SOC 2. Developers who handle user-uploaded files need a virus scanning layer that is easy to integrate and reliable enough to trust in production.

Virus Scan for JavaScript Made Simple

This guide shows you how to add virus scanning to a JavaScript application in under five minutes using the attachmentAV Virus and Malware Scan API. The API is powered by the Sophos detection engine, runs entirely in the cloud, and requires zero local infrastructure. You install one npm package, write a few lines of code, and start rejecting malicious files.

One Package, Full Malware Protection

Install the SDK from npm. It works with both ESM and CommonJS modules.

npm i @attachmentav/virus-scan-sdk-ts

Grab an API key from the subscription page—plans start at 10,000 virus scans per month—and you are ready to go.

Virus Scan a Local File

The most common scenario: a user uploads a file, and you need to check it for malware before storing it. Read the file into a Blob and pass it to the synchronous binary scan endpoint. The Sophos-powered API inspects the content and returns a verdict within seconds.

import { AttachmentAVApi, Configuration } from '@attachmentav/virus-scan-sdk-ts';
import { readFileSync } from 'node:fs';
import { Blob } from 'node:buffer';

const config = new Configuration({
  apiKey: '<API_KEY_PLACEHOLDER>'
});

const api = new AttachmentAVApi(config);

const scanResult = await api.scanSyncBinaryPost({
  body: new Blob([readFileSync('/path/to/file')])
});
console.log('Sync binary scan result:', scanResult);

Check the status field in the response: clean means the file is safe, infected means the virus scan detected malware, and no means the file could not be processed. When status is infected, the finding field tells you exactly what was found—for example, a specific ransomware variant or trojan family.

Virus Scan a URL Without Downloading It Yourself

Need to verify a file that lives at a remote URL? Instead of pulling it to your server first, let attachmentAV download and scan it directly. This is perfect for validating user-provided links, webhook payloads, or third-party export URLs—the untrusted content never touches your infrastructure.

import { AttachmentAVApi, Configuration } from '@attachmentav/virus-scan-sdk-ts';

const config = new Configuration({
  apiKey: '<API_KEY_PLACEHOLDER>'
});

const api = new AttachmentAVApi(config);

const scanResult = await api.scanSyncDownloadPost({
  syncDownloadScanRequest: {
    downloadUrl: 'https://www.w3.org/WAI/ER/tests/xhtml/testfiles/resources/pdf/dummy.pdf'
  }
});
console.log('Sync download scan result:', scanResult);

The URL scan supports files up to 200 MB with a 60-second timeout—more than enough for documents, images, and archives that users typically share.

Async Virus Scanning for Large Files

When files exceed the synchronous limits or when you want to run the virus scan outside of your request cycle, switch to the asynchronous mode. Submit a scan job with a callback URL, and attachmentAV will POST the result to your server once scanning finishes. Async mode handles files up to 5 GB.

import { AttachmentAVApi, Configuration } from '@attachmentav/virus-scan-sdk-ts';

const config = new Configuration({
  apiKey: '<API_KEY_PLACEHOLDER>'
});

const api = new AttachmentAVApi(config);

await api.scanAsyncDownloadPost({
  asyncDownloadScanRequest: {
    downloadUrl: 'https://www.w3.org/WAI/ER/tests/xhtml/testfiles/resources/pdf/dummy.pdf',
    callbackUrl: 'https://api.yourcompany.com/attachmentav/callback'
  }
});
console.log('Async download submitted');

Alternatively, pass a traceId instead of a callback and poll the result endpoint. Both approaches are documented in the API definition.

Regional API Endpoints

The attachmentAV API runs in four regions. Pick the one closest to your servers for minimum latency:

  • https://eu.developer.attachmentav.com/v1/ (Europe, default)
  • https://us.developer.attachmentav.com/v1/ (United States)
  • https://canada.developer.attachmentav.com/v1/ (Canada)
  • https://india.developer.attachmentav.com/v1/ (India)

To switch regions, set the basePath when creating the Configuration:

const config = new Configuration({
  accessToken: '<API_KEY_PLACEHOLDER>',
  basePath: 'https://us.developer.attachmentav.com/v1'
});

Self-Hosted on AWS

For teams that need to keep all file data within their own cloud account, attachmentAV also provides a self-hosted version for AWS. It delivers the same Sophos-powered virus and malware scanning while giving you full control over the infrastructure.

Start Virus Scanning in Your JavaScript App

Adding virus and malware protection to a JavaScript application does not have to be complicated. One npm package, a few lines of code, and the Sophos-powered attachmentAV API does the rest—detecting viruses, malware, ransomware, and trojans so you do not have to build that capability yourself.

Subscribe to the attachmentAV API and start scanning files today.

Published on April 7, 2026 | Written by Andreas

Stay up-to-date

Monthly digest of security updates, new capabilities, and best practices.