Understand upload virus scanning

See how ClamAV evaluates respondent uploads, what each scan state means, and what creators are told when a file is blocked.

Last updated March 15, 2026

Files uploaded through respondent-facing forms are scanned with ClamAV after the submission is accepted. This keeps the form fast for the respondent while still blocking suspicious files before anyone downloads them.

What gets scanned

Upload scanning applies to files submitted through hosted public forms, embedded forms, and kiosk submissions. Files are stored first, then queued for scanning on the dedicated files worker.

How a file is flagged

Fennec streams each stored file to ClamAV and uses ClamAV's verdict directly.

  • If ClamAV returns OK, the file is marked clean.
  • If ClamAV returns a FOUND result, the file is marked infected.
  • The detection signature returned by ClamAV is saved with the upload metadata so the creator can see what was flagged.

Fennec does not add its own custom malware scoring on top of ClamAV. The harmful-file decision comes from the scanner result.

What creators see in submissions

Each uploaded file shows a scan state in the submissions area:

  • Pending scan: the file was accepted but is still waiting for the scanner to finish.
  • Clean: the file passed scanning and can be downloaded.
  • Infected: ClamAV flagged the file and the download stays blocked.
  • Scan failed: the scanner could not complete the check, so the download stays blocked.

In environments that are explicitly configured to fail open during scanner outages, creators may instead see a bypass message recorded with the file. That is an operational exception, not the default launch behavior.

What happens when a file is infected

When ClamAV flags a file:

  1. The upload is marked infected.
  2. The stored detection signature is attached to the submission metadata.
  3. Download access remains blocked in the submissions view.
  4. The workspace owner receives an email notification that names the form, submission, file, and detected signature.

The submission itself is still recorded. Only the flagged file stays unavailable.

What happens when scanning fails

If ClamAV cannot be reached or returns an unusable response, the file is marked failed in the default fail-closed setup. The file remains unavailable until the issue is resolved or the upload is handled through support processes.
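The verdict handling described under "How a file is flagged" and the fail-closed rule above can be sketched as follows. This is an added example, not Fennec's code: the function name, the state strings, the `bypassed` state and the `fail_open` flag are assumptions, and the sample replies are constructed in the format clamd uses for INSTREAM scans.

```python
# Added illustration, not Fennec's implementation. All names here are assumptions.
from typing import NamedTuple, Optional


class ScanResult(NamedTuple):
    state: str                # "clean", "infected", "failed" or "bypassed"
    signature: Optional[str]  # detection name reported by ClamAV, if any
    downloadable: bool        # whether the submissions view may serve the file


def classify_clamd_reply(reply: Optional[str], fail_open: bool = False) -> ScanResult:
    """Map a raw clamd INSTREAM reply to a scan state.

    reply is None when clamd could not be reached (timeout, refused connection).
    """
    if reply is not None:
        text = reply.strip("\x00\r\n ")
        # clamd prefixes a verdict with the stream name: "stream: OK"
        _, sep, verdict = text.partition(": ")
        if sep:
            # Exact match only: a reply that merely contains "OK" is not clean.
            if verdict == "OK":
                return ScanResult("clean", None, True)
            if verdict.endswith(" FOUND"):
                signature = verdict[: -len(" FOUND")].strip()
                if signature:
                    # An infected verdict is returned before fail_open is consulted.
                    return ScanResult("infected", signature, False)
    # Unreachable scanner, ERROR reply, or anything unrecognised.
    if fail_open:
        # Assumption: a fail-open environment records a bypass and serves the file.
        return ScanResult("bypassed", None, True)
    return ScanResult("failed", None, False)


# Constructed sample replies (None stands for an unreachable scanner).
SAMPLES = [
    "stream: OK\x00",
    "stream: Eicar-Test-Signature FOUND\x00",
    "INSTREAM size limit exceeded. ERROR\x00",
    None,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", classify_clamd_reply(sample))
```

Only an exact `OK` verdict unlocks a download; every other outcome, including a truncated or malformed reply, lands in the blocked `failed` state unless fail-open is explicitly enabled.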

Notes for testing

The EICAR test file is appropriate for staging verification only. Do not use the EICAR file in production.

If the upload field only accepts images, an EICAR file renamed to .jpg or .png will usually be rejected before scanning because it is not a real image. For staging verification, use a file-upload field that allows a compatible file type, or use the mock-feedback command to simulate an infected result after a clean submission is stored.

Related guides

  • export submissions
  • create your first form