An anti-malware tool must scan files that are attached to an email.
CIS Controls. 7.9 Block Unnecessary File Types. Block all email attachments entering the organization’s email gateway if the file types are unnecessary for the organization’s business.
CIS Controls. 7.10 Sandbox All Email Attachments. Use sandboxing to analyze and block inbound email attachments with malicious behavior.
CWE-509: Replicating Malicious Code (Virus or Worm). Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or software.
OWASP-ASVS v4.0.1 V10.1 Code Integrity Controls.(10.1.1) Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections.
OWASP-ASVS v4.0.1 V12.4 File Storage Requirements.(12.4.2) Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload of known malicious content.
PCI DSS v3.2.1 - Requirement 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.